

Windows stores password hints without encryption - kyberias
http://blog.spiderlabs.com/2012/08/all-your-password-hints-are-belong-to-us.html

======
kyberias
I've posted this to discuss whether there is a need for some kind of
encryption for password hints. What do you think?

~~~
shanelja
I don't think we need encrypted password hints; perhaps obfuscation would be
a better method. My computer password hint is "$1 -> thy 448o2", which seems to
be vague enough for only me to be able to reasonably understand it.

The problem with this is that once we start encrypting password hints, we will
need hints for our password hints for when the key is forgotten.

~~~
kyberias
I know. It's just that there are certain "security professionals" who portray
this as something very, very sinister without actually explaining what the
vulnerabilities are.

