Local Security Authority (LSA)

Written by: Stephen Nelson

Introduction

As we spend more and more time on the internet, we are constantly creating new accounts and logging into different websites and services. With so many passwords to remember, it’s not surprising that many of us fall into the habit of reusing the same passwords repeatedly.

However, did you know that if you store your passwords in certain places on your computer, they can be easily accessed by attackers? One of these places is the LSA secrets stored in the Windows registry.

What are LSA Secrets?

Now, you might be wondering what exactly the LSA secrets are and why they are considered “secret.” LSA stands for Local Security Authority, and it is a component of the Windows operating system that handles security-related tasks. The LSA secrets are a set of encrypted keys that are stored in the registry, which is essentially a database that holds important settings for your computer.

So, what does this have to do with your passwords? Well, some programs and services store their login credentials in cleartext format within the LSA secrets, which means anyone with administrative access to your computer can retrieve them without any security controls in place.

Security Risk of LSA Secrets

The information stored in these secrets can be decrypted using the registry key HKEY_LOCAL_MACHINE\SECURITY\Policy\PolSecretEncryptionKey and the host’s specific boot key used in SysKey, which poses a serious security risk. If an attacker gains access to your LSA secrets, they can use your login credentials to access your accounts and steal your personal information. This is particularly dangerous if you use the same password for multiple accounts since the attacker could potentially gain access to all of them.

How to Secure LSA Secrets

There are various steps you can take to protect yourself from this type of attack. The first step is to avoid reusing passwords since this makes it easier for attackers to access multiple accounts. Additionally, you should make sure that you do not store your login credentials in the LSA secrets for any programs or services you use.

If you’re not sure whether your passwords are stored in the LSA secrets, you can check by opening the Registry Editor on your computer and navigating to the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets key. However, if you’re not comfortable with modifying your computer’s registry, it’s best to seek the help of a professional.

Conclusion

While it may be convenient to store your passwords in the LSA secrets in the registry, it can also be extremely dangerous. By taking the steps to protect your passwords and ensure that they are not stored in vulnerable locations, you can greatly reduce your risk of falling victim to a cyberattack.

DenSecure can help protect your security environment. Contact us about our services, including advanced security assessments, penetration testing, social engineering, and more.

Protections

  • Configure RunAsPPL (Protected Process Light)

  • Configure Credential Guard

  • Configure ASR (Attack Surface Reduction) Rules

  • Remove all keys from the Registry settings above

  • Work with vendors to ensure that accounts within LSA are not storing plaintext credentials
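
One way to audit a host against the risk and the protections listed above, as an added PowerShell example that is not part of the original post: it lists services that log on with a named account (Windows keeps each such password as an LSA secret named _SC_<ServiceName>) and reports whether RunAsPPL and Credential Guard are active. The variable names are this example's own.

```powershell
# Added audit example, not from the original post. Run from an elevated PowerShell
# session. It reads configuration only and never reads or decrypts a secret value.

# Built-in and virtual service identities have no stored password.
$noPassword = '^(LocalSystem|NT AUTHORITY\\(SYSTEM|LocalService|NetworkService)|NT SERVICE\\.+)$'

# 1. Services that log on as an account other than the built-in ones. The Service
#    Control Manager keeps each such password as an LSA secret named _SC_<ServiceName>.
$serviceAccounts = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $noPassword } |
    Select-Object Name, StartName, State, StartMode

# 2. LSA protection (RunAsPPL): 1 or 2 means LSASS starts as a protected process.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RunAsPPL

# 3. Credential Guard: the value 1 in SecurityServicesRunning means it is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credentialGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

# Summary first, then one row per service whose password sits in LSA secrets.
[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    RunAsPPLEnabled         = ($runAsPpl -in 1, 2)
    CredentialGuardRunning  = $credentialGuard
    ServicesWithStoredCreds = @($serviceAccounts).Count
} | Format-List

$serviceAccounts | Sort-Object StartName, Name | Format-Table -AutoSize
```

Registry Editor opened as an administrator shows HKEY_LOCAL_MACHINE\SECURITY as empty by default, because only the SYSTEM account can read that hive, so this example inspects service configuration instead of browsing the Secrets key.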
