Windows 8 is the first operating system from Microsoft to support alternative, non-biometric authentication mechanisms such as Picture Password and PIN. A vulnerability discovered by the password security vendor Passcape in Microsoft's Windows 8 operating system shows that the system saves the logon password in plain text and allows any user with admin rights to see the password details.
In September, though, some drawbacks of the new authentication method were reported by Passcape Software. The picture password had seemed invulnerable, because whoever tries to guess it must know which parts of the image to choose and how, as well as the gesture sequence. However, security experts from Passcape discovered that such a password is still backed by a regular password-based account.
A user must first create a regular password-based account and can then optionally switch to picture password or PIN authentication. Notably, the original text password for the account is still stored in the system, encrypted with the AES algorithm, in a Vault storage at %SYSTEM_DIR%/config/systemprofile/AppData/Local/Microsoft/Vault/4BF4C442-9B8A-41A0-B380-DD4A704DDB28.
"Briefly, Vault can be described as a protected storage for a user's private data. Windows Vault emerged with the release of Windows 7 and could store various network passwords. In Windows 8, Vault has extended its functionality; it has become a more universal storage but at the same time lost its compatibility with the previous versions. Thus, the 'old' Vault implements a custom password protection, while in Windows 8, it seems, this feature is frozen and it uses DPAPI-based protection only. Windows Vault is used by other applications as well. For example, Internet Explorer 10 uses it to store passwords to websites," the researchers explained.
Any local user with admin privileges can decrypt the text passwords of all users whose accounts were switched to a PIN or picture password. For this reason, the picture/PIN login cannot be considered the sole reliable means of protecting data against cracking.
Experts warned that users should not rely solely on the security of the picture password. It is difficult to break, they agreed, but additional measures are needed to protect the original text password.