Password-recovery questions have been a part of Windows 10 for more than a year now, but you’ll never know they exist if you sign into your operating system using a Microsoft account. Use a local account when you’re first installing Windows, however, and you’ll be prompted to create three security questions that you can use to reset your password and log into your account—should you ever forget your credentials.
Sounds convenient, right? Unfortunately, security questions aren’t great for account security, as we’ve covered before.
The problem isn’t so much that an attacker will guess the name of your high school or your dog’s middle name. It’s that the questions can’t be switched off out of the box, so a single successful break-in is enough for an attacker to set new questions and answers on your account. Those answers survive a password change, which makes them a persistent backdoor into your system.
This is exactly the scenario a group of security researchers described in a recent presentation at the Black Hat Europe Security Conference, as Ars Technica writes:
“The problem, the researchers said, is that the password reset questions are too easy to set and too hard to monitor in networks made up of hundreds or thousands of computers. A single person with administrator credentials can remotely turn them on or change them on any Windows 10 machine and there’s no simple way for the changes to be monitored or changed.
As a result, malicious users — say a rogue employee or a hacker who briefly gains unauthorised administrative control — can use the security questions as a backdoor that will secretly allow them to regain control should they ever lose it.”
Thankfully, the researchers in question (Magal Baz and Tom Sela of Illusive Networks) published a short PowerShell script you can use to disable Windows’ built-in Q&A. Download the .ps1 file from here, open an elevated PowerShell session on your Windows 10 machine (the script rewrites the reset data of every local account, so it needs administrator rights), change to the folder that contains the .ps1 file, and enter the following to disable the recovery questions:
With the questions disabled, selecting the “Reset password” option at the Windows 10 login screen just produces an error message.
If you still want to have some kind of recovery option, but you want to conceal the fact that the feature works, try this instead (replacing “SecretAnswer” with a recovery answer you know you’ll remember):
Update-AllUsersQA -answer SecretAnswer
You’ll see a little warning that “This feature is disabled” when you go to recover your password, but you can safely ignore it: the answer you set still works. So secret; so safe. Bear in mind, though, that this puts one shared answer on every local account on the machine, which is exactly the kind of hidden recovery path the researchers warn about, so anyone who learns that answer gets in regardless of the password.
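Because the complaint in the Ars Technica quote is that nobody can easily tell when these questions are set or changed, here is an added audit script of my own (not the Illusive Networks script) that addresses that gap: it lists which local accounts have reset questions configured, keeps a SHA-256 baseline of each account’s reset blob so a later run flags any account whose questions were added or changed, and can enable the policy that turns the feature off. Two things it relies on are assumptions you should verify on your own build: that the questions live in a per-user ResetData value under HKLM\SAM\SAM\Domains\Account\Users\<RID> (readable only as SYSTEM, not as an ordinary administrator), and that the DWORD NoLocalPasswordResetQuestions under HKLM\SOFTWARE\Policies\Microsoft\Windows\System is the registry form of the “Prevent the use of security questions for local accounts” policy.

```powershell
# Added audit example, not the Illusive Networks Update-AllUsersQA script.
# Assumptions to verify on your build:
#  * Reset questions/answers are stored per account as a ResetData value under
#    HKLM\SAM\SAM\Domains\Account\Users\<RID>. That hive is readable only as
#    SYSTEM, e.g. from "psexec -s -i powershell.exe".
#  * HKLM\SOFTWARE\Policies\Microsoft\Windows\System\NoLocalPasswordResetQuestions
#    (DWORD 1) is the policy "Prevent the use of security questions for local accounts".

$SamUsers  = 'HKLM:\SAM\SAM\Domains\Account\Users'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-ResetDataBytes($value) {
    # ResetData may come back as REG_BINARY (byte[]) or as a string; normalise to bytes
    if ($null -eq $value)     { return $null }
    if ($value -is [byte[]])  { return $value }
    return [Text.Encoding]::Unicode.GetBytes([string]$value)
}

function Get-LocalResetQA {
    # One record per RID subkey: account name, whether questions exist, SHA-256 of the blob.
    # The blob itself (questions and answers) is never printed, only hashed.
    if (-not [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
        throw 'Run as SYSTEM (psexec -s -i powershell.exe); HKLM\SAM is not readable by administrators.'
    }
    $sha   = [Security.Cryptography.SHA256]::Create()
    $users = Get-LocalUser
    Get-ChildItem $SamUsers |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f]{8}$' } |   # RID subkeys only, skip 'Names'
        ForEach-Object {
            $rid   = [Convert]::ToInt32($_.PSChildName, 16)
            $acct  = $users | Where-Object { $_.SID.Value -like "*-$rid" } | Select-Object -First 1
            $name  = if ($acct) { $acct.Name } else { "<RID $rid>" }
            $bytes = Get-ResetDataBytes $_.GetValue('ResetData')
            $hex   = ''
            if ($bytes) { $hex = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) }
            [pscustomobject]@{ Rid = $rid; Name = $name; HasQA = [bool]$bytes; Digest = $hex }
        }
}

function Compare-ResetQABaseline {
    # First run writes a baseline; later runs report accounts whose reset data appeared or changed.
    param([string]$BaselinePath = "$env:ProgramData\resetqa-baseline.json")
    $now = @(Get-LocalResetQA)
    if (-not (Test-Path $BaselinePath)) {
        ConvertTo-Json -InputObject $now | Set-Content -Path $BaselinePath
        Write-Warning "No baseline found; wrote $BaselinePath"
        return $now
    }
    $old = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    foreach ($cur in $now) {
        $prev = $old | Where-Object Rid -eq $cur.Rid
        if (-not $prev) {
            Write-Output "NEW account $($cur.Name) (RID $($cur.Rid)), HasQA=$($cur.HasQA)"
        } elseif ($prev.Digest -ne $cur.Digest) {
            Write-Output "CHANGED reset questions on $($cur.Name) (RID $($cur.Rid))"
        }
    }
    ConvertTo-Json -InputObject $now | Set-Content -Path $BaselinePath   # roll the baseline forward
    return $now
}

function Disable-LocalResetQAByPolicy {
    # Sets the policy value; takes effect for the reset UI after a policy refresh / reboot
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoLocalPasswordResetQuestions' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $PolicyKey -Name 'NoLocalPasswordResetQuestions'
}

# Usage, from a SYSTEM shell:
#   Compare-ResetQABaseline | Format-Table Rid, Name, HasQA
#   Disable-LocalResetQAByPolicy
```

Run the comparison from a scheduled task as SYSTEM and forward its output to whatever collects your logs; a “CHANGED” line on an account that nobody legitimately touched is the signal the researchers say Windows doesn’t give you. The policy function is the supported way to turn the feature off, and is worth preferring over an unofficial script where the policy is available on your build.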