Does Windows have a very weak password lurking in its crypto libraries?
Don't panic – it's just for testing
Microsoft's Raymond Chen took to his "Old New Thing" blog this week to explain why Windows has a hash of a weak password in its cryptographic libraries.
The sequence in question was spotted by a customer, who reported they'd found the SHA256 hash of "abc" in the Windows cryptographic libraries.
Dodgy passwords are the bane of many an administrator, and plenty of organizations are keen to tell you how best to manage the things. Change them frequently. Don't change them frequently. Use random gibberish. Don't use random gibberish. And so it goes on.
Irrespective of this, there is no doubt that "abc" is not a great choice for a password. Chen, however, has an explanation for its presence: it is part of the library's self-test, which checks that the cryptographic modules are producing correct output. It isn't actually being used as a password at all.
We can imagine the alerts raised by various source control tools at the sight of a hard-coded password lurking in the code. After all, no engineer would have dropped such a thing into their carefully crafted source, right?
Chen said: "You can find this hard-coded 'well-known SHA256' in the sha256.c module, with the 'plaintext' in selftest.c. The values are used by the function SymCryptSha256SelfTest to verify that the algorithm produces the expected answer."
Windows is hardly the only codebase to include such things. One user commented: "It's not just a particular artefact of the Windows cryptographic library, 'abc' is a standard test string used for hash functions going back to at least MD5 in 1991."
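As an added illustration, not code from Chen's post or from the Windows library, here is the known-answer self-test pattern in Python: hash the fixed input "abc", compare the result against a stored, published digest, and report failure if they differ. That stored digest is exactly what a hard-coded "well-known SHA256" in a crypto library is for. The MD5, SHA-1 and SHA-256 answers for "abc" below are the published test vectors (RFC 1321 and FIPS 180-4); `broken_sha256` is a hypothetical corrupted implementation, included only to show the self-test catching a fault.

```python
import hashlib
import hmac

# Published known-answer test (KAT) vectors for the message "abc":
# MD5 from RFC 1321, SHA-1 and SHA-256 from FIPS 180-4.
# Hard-coding these is the same thing the Windows library does; they are
# expected outputs, not credentials.
KNOWN_ANSWERS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

# The "plaintext" side of the self-test. Scanning a binary for the
# bytes 61 62 63 will find this, and it still is not a password.
PLAINTEXT = b"abc"


def self_test(algorithm, digest_fn=None):
    """Known-answer self-test for one hash algorithm.

    Returns True when digest_fn(PLAINTEXT) equals the stored answer.
    digest_fn defaults to the hashlib implementation of `algorithm`
    (assumed to be available in this Python build).
    """
    if digest_fn is None:
        def digest_fn(data):
            return hashlib.new(algorithm, data).digest()
    expected = bytes.fromhex(KNOWN_ANSWERS[algorithm])
    actual = digest_fn(PLAINTEXT)
    # Length check first so a wrong-sized output is an explicit failure
    # rather than a silently-false comparison.
    if len(actual) != len(expected):
        return False
    # compare_digest is habit for anything digest-shaped, even though
    # the expected value here is public.
    return hmac.compare_digest(actual, expected)


def run_all_self_tests():
    """Run every KAT; a library would refuse to start if any entry is False."""
    return {alg: self_test(alg) for alg in KNOWN_ANSWERS}


def broken_sha256(data):
    """Hypothetical faulty SHA-256: flips one bit of the real digest.

    Stands in for a miscompiled or bit-rotted implementation so the
    self-test has something to catch.
    """
    digest = bytearray(hashlib.sha256(data).digest())
    digest[0] ^= 0x01
    return bytes(digest)


if __name__ == "__main__":
    for alg, ok in run_all_self_tests().items():
        print(f"{alg:7s} self-test: {'PASS' if ok else 'FAIL'}")
    print("broken sha256 self-test:",
          "PASS" if self_test("sha256", broken_sha256) else "FAIL")
```

The point of the pattern is that the stored digest is useless to an attacker: it is the answer to a public question, and its only job is to make a corrupted or miscompiled hash implementation fail loudly at startup rather than silently produce wrong output.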
A swift hunt around other libraries showed several other test strings that would be less than ideal as passwords but help validate that functions are working correctly.
Chen said: "The fact that an insecure password appears in the cryptography libraries doesn't mean that the library is using them as passwords. In this case, they are just test data."
He concluded: "I bet you can find insecure passwords in a lot of binaries if you set your mind to it. Just scan for the bytes 61 62 63 in any binary, and if you find it, you can get all excited: 'Hey, your binary contains the insecure password abc!'"