Caution: Exposed Wi Fi password in Windows

Windows[German]Maybe it is common knowledge – I was not aware of it: Locally logged in users can retrieve the password of a Wi Fi (WLAN) under Windows if it was entered under the same user account. This does not require administrator privileges if done correctly. After a reader pointed this out to me, I was able to reproduce this myself on a Windows 10 22H2 system. Here's a brief overview of why it works.


Advertising

The WLAN password is protected

The Wi Fi password (for WLAN access) set up on a device is normally not shown to a user for security reasons. However, administrators in Windows have the option of displaying the password for wireless access via the WLAN status.

WLAN properties in Windows

On the Windows GUI it's possible, to view this password – but only with administrator rights (see this Microsoft support article). The dialog above from my German Windows 10 22H2 shows the property tab in question, with the option Zeichen anzeigen (show characters in clear text), that has been secured by the User Account Control icon. That is, without entering the administrator password in User Account Control, this WLAN password (security key) will not be displayed in plain text.

A Reader's note on WLAN password query

Swiss blog reader Cornelia H. contacted me the other day (thanks for the hint) because she had been confronted by users with the question why the WLAN password can be read out so easily in plain text by normal users. Cornelia wrote to me.

Dear Mr. Born

As a regular reader of your blog, I have a note today about Windows 10 and Windows 11 that might interest you.

A customer of ours had asked why a WLAN password could be found out with an (impersonal) user account without admin rights.

When asked, it turned out that this was possible with the command 'netsh wlan show profile <ssid> key=clear'.

Our subsequent tests were initially unsuccessful, so we suspected that the user on the computer had been added to the administrator group and not removed again. However, this could be ruled out.

I tested it myself under Windows 10 22H2 on a standard user account. If I call the command prompt with standard user rights, I can really query the WLAN password with the above netsh command. It is not possible to enter an administrator password.


Advertising

Get Wi-Fi password in clear text

Cornelia also investigated the matter more closely and wrote to me about it, saying that a closer examination of the computer now revealed the following:

The user who is currently logged in when someone enters the password for a WLAN network can subsequently read it out via the command prompt, even if he does not have admin rights.

Changing the WLAN password later does nothing, the user can read out the new password as well.

Only other users without admin rights cannot read out the set password.

Cornelia classifies this as a security vulnerability and points out that the graphical interface in Windows (see notes above) displays the prompt asking for the administrator password as soon as someone wants to display the WLAN password in plain text.

Solving that security issue

Cornelia then tried something else and found a solution for this problem. Standard users can't read the WLAN password if it was entered under a different user account. She writes about this:

A simple solution is to log on to the computer as administrator and remove the known WLAN network via the system settings – with "do not save".

Then enter the password again. Since it is consequently registered with a new ID, the user [with standard rights] can no longer read the associated password as before.

I have not checked this point separately now.

Caution with guest accounts

In a follow-up email, Cornelia sent me some additional information about guest accounts. For this she wrote:

Good day Mr. Born ,

I have one more addition after doing some more tests.

Unlike a standard user, a member of the Guests group cannot remove a known WLAN because all Modern GUI settings are blocked. (Via registry and/or powershell I have not verified this).

However, reading the password via cmd command – if it was entered under the logged-in guest – is just as possible as for a standard user.

This behavior is valid for Windows 10 as well as for Windows 11. Cornelia wrote: This confirms what has been known for years: A guest account is hardly more restricted than a user account without additional, comprehensive configuration/intervention. At this point my thanks to Cornelia for this hint.


Advertising

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

One Response to Caution: Exposed Wi Fi password in Windows

  1. Damiel says:

    This behaviour is not surprising. It just means, an unpriviledged user can view his/her own keys and admin users can view the all keys.

    However, I noticed at a non-admin user may also view Wifi keys that were entered on the lock screen or stored by provisioning packages during OOBE.

    That's not OK for me, so I wrote a PowerShell script to change the owner of these WLAN profiles:

    https://medium.com/@damiel_gc/dont-leak-my-wifi-key-305671b51c5c

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).