Windows 7 Wireless Network Security Key easily shown with a click of the mouse

    Question

  • Dear All,

    Our company is now thinking of implementing Windows 7; however, I have encountered a BIG security issue with this O/S.  (I thought Win7 was supposed to be tight in security.)

    Wireless Network Security Key Flaw

    When the wireless LAN network keys have already been entered into the system, a normal user with administrative rights (to the local machine) can in fact go into the wireless network properties and view the entered Network Security Key.  (See Pictures 1 and 2.)

    This is due to a checkbox located conveniently below the Network Security Key, named Show Characters.  By clicking on this checkbox, the user actually can have the network security key displayed in clear text!

    Now, isn't that convenient?

    Links to pictures as below: (pics slightly small)

    http://i68.servimg.com/u/f68/13/98/44/65/networ14.jpg

    http://i68.servimg.com/u/f68/13/98/44/65/networ15.jpg

    Anyone got advice on how to remove the checkbox?

     

    Thank you in advance.

    Adam

    Saturday, March 20, 2010 10:57 AM

Answers

  •  

    Hi,

     

    Janata is correct. The feature is by design and the "Show Characters" box cannot be disabled. Please understand that the feature is designed for users who may forget the password, so that it can be easily recovered. However, it can only be configured by an administrator. A standard user does not have the privilege to access it.

     

    By the way, for product design questions, you can share your opinions in Microsoft Feedback & Idea Center.

     

    Thanks,

    Novak

    • Marked as answer by Novak Wu Friday, March 26, 2010 6:31 AM
    Tuesday, March 23, 2010 2:35 AM

All replies

  • Dear Novak,

    I do understand that this is by "Design".

    However, as IT Administrator of the company's notebooks, I do not require this feature as I do not think that I'd ever forget the WPA key.

    And yet, our users require administrator rights because we are a solution provider company, and our users tend to travel so often that they will require the rights to their local administrator for software installation, and such.

    If the MS Feedback & Idea Center is the only option, then I'd proceed that way..

     

    Thank you.

     

     

    Wednesday, March 24, 2010 9:33 AM
  • Hi Adamis,

     

    I fully understand the inconvenience this issue has caused. If there is any feedback or suggestion, please feel free to share the opinions in Microsoft Feedback and I'm sure that your concerns will be addressed.

     

    Regards,

    Novak

     

    Friday, March 26, 2010 6:31 AM
  •  

    Dear Novak,

    The links in the MS Feedback & Idea Center are invalid.

    Any other links?

     

    Wednesday, April 07, 2010 8:31 AM
  • Hello there!

    I have the same problem here.  I am the network admin here at our university. As part of our security, we require our students to register their devices. We are the ones who type the passkey so that no unregistered device can access our Wi-Fi. Ever since Windows 7 came out, we have noticed that there are a lot of unregistered devices in our network already. We found out about this issue recently.  Now, we are no longer accepting PCs with the Windows 7 OS. Some of the students went back to Vista and XP just to be able to access the school resources.

    I do hope that you will try to fix this issue. And if you say that "the feature is by design", well, you had better redesign this feature.

     

    Please let me know if there is a service pack for this. Email me please! (richter.robin.vecina@hotmail.com)

     

    By the way, a security flaw can't be fixed through additional security in the network! And Adamis is right! The links in the MS Feedback & Idea Center are invalid.

    Friday, June 25, 2010 4:08 AM
  • In general, pre-shared keys are not very secure. Microsoft is sending you the message.

    WEP and WPA are very susceptible to attack. WPA uses the SSID as salt, but that means you can easily create rainbow tables for a given SSID. They are also vulnerable to dictionary attacks / weak passphrases. If you can capture an authentication session, you can crack the network.

    There is code out there to brute-force WPA2-PSK, also code for NVIDIA graphics cards, so 100 times faster than current Intel CPUs.

    Switch to something secure. WPA2 enterprise mode is way better.

    Thursday, July 01, 2010 8:42 AM
  • This is just a cop-out.

    I have users with their own PCs on our wireless network - they can access the Administrator account (as it is their own PC...) and therefore the Wireless Network Key - in Windows 7 - which was never available to them before in previous operating system versions.

    We, as network administrators, must be given a way of turning this "feature" off.

    Excuses as to why WPA keys are vulnerable anyway just do not cut it.

    Wednesday, December 22, 2010 12:08 AM
  • Same issue/problem here and I can't agree with you more that it is a cop-out.

    Why don't we have a checkbox or method that allows a user to see their local or domain password?  or even other users' passwords (if you are Admin) just in case they forget them?

    We use WPA2 PSK with a complex 31 character passkey.  Creating rainbow tables or brute forcing a pass phrase like that is not possible at this time as far as we know.

    I think this is a very poor "design decision" in the first place but it is even worse that there is no way, even with a GPO, to disable it.  Yes it could be disabled if we do not make our users local Admins but I don't have a year to figure out how to make the multitude of applications that we run at our organization with user privileges.

    This issue is so critical to us that it has totally halted our Windows 7 deployment.

    I found this link for Windows7 feedback http://mymfe.microsoft.com/Windows%207/Feedback.aspx?formID=195   and posted my concerns there.

    I also sent an email to secure@microsoft.com

    If there is a better way to let MS know about this egregious security breach please post.

    TekMason

    Tuesday, January 25, 2011 2:55 AM
  • I got a reply in response to my email to secure@microsoft.com this morning.  They are hiding behind the "design feature" argument as well.

    Thank you for your message.  This is a by design feature of the Windows 7 operating system and is not something we consider to be a vulnerability.  If this is a significant issue my best recommendation is to upgrade to an enterprise level wireless solution.

    I responded back with:

    Because of the Windows7 "design feature" our passkey has been revealed and we have all kinds of rogue devices connecting to our wireless network.

    I've heard that "by design" argument before.  Surely this would be a very easy issue for Microsoft to address.  Please see the link that I sent you, which explains in more detail why this is a very bad/insecure "design feature".

    If it is acceptable "by design" to reveal passwords then...Why do we not have that ability to show a user's domain or local machine password?


    We have an Enterprise class Wireless network with about 50 lightweight, centrally managed APs across 12 sites.  It was perfectly secure prior to connecting Windows7 PCs up to it.  From a financial and manageability perspective it is not feasible to set up servers at each site that will provide 802.11x authentication for WPA2-Ent.

    This issue has halted our deployment of Windows7 as it has with other organizations.  I hope I can get some attention to this issue from Microsoft before it gets the attention of the security community.


    I have filed a vulnerability report to Secunia and asked them what their opinion is on this issue.  I'll continue to communicate with other security organizations if we don't get an acceptable solution.  I would urge others to do the same.

    TekMason
    Network and Security Architect

    Tuesday, January 25, 2011 4:13 PM
  • Still quiet?
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis
    Saturday, July 02, 2011 3:41 PM
  • Has any resolution been developed to eliminate this problem? I have been searching the internet and have been unable to find a solution.

    Thanks

    Thursday, July 07, 2011 7:56 PM
  • Sorry about the above post; I hit the wrong key while moving the keyboards.

    I believe I have come across a register change that solves this issue.

    Quoted from Bernard:

    "I have found a solution, which is not very elegant but it works.

    The way is to find the key in the registry where you can unlock the viewing of the WIFI Key.


    For that, you have to find a Key where the value is "CElevateWlanUi"

    In my case, it was in HKEY_CLASSES_ROOT\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}.
    Under this key you have 3 values :

    • The first one (default) with the value "CElevateWlanUi"
    • The second one, AccessPermission, of type Reg_Binary with a binary value (it doesn't matter to understand what it means)
    • The third one is called DllSurrogate with a null value.


    The way I solved the problem is to set up the authorizations of the main key {86F80216-5DD6-4F43-953B-35EF40A35AEE} by a right-click, then "authorizations".
    After that, you have to take possession of this key.
    I set up the owner as our domain administrator.
    For that, click on the button "Advanced", then on the tab "owner", and replace TrustedInstaller by the administrator of my domain.
    Then, I came back to the main panel of authorizations of the main key.
    I deleted the entry LAP505\administrators and the entry LAP505\domain users, and added the entry for my domain administrator with all rights. (LAP505 is the computer name)
    I applied all the modifications.
    I repeated the operation for the second occurrence of the key:
    HKEY_LOCAL_MACHINE\Software\classid\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}

    And when I logged on with a user with local admin privileges, I could connect to the WIFI network, I could access the network center, but I couldn't unmark the "Hide characters". It works!

    Second point: As my users also want to connect their laptops at home on their box, I checked the possibility to add a WIFI connection and it worked also! The only restriction is that they can't see the key once it is entered (for modification, they have to delete the connection and re-create it).
    I hope it will help you!"

    Friday, July 08, 2011 9:45 PM
  • An easier solution is to use Group Policy to disable looking at the connection of a LAN Connection.  If they cannot get to the page, they cannot see the password or the checkmark.  You can also disable the Network and Sharing Center in the Control Panel.  Users can still add wireless networks, but they cannot go back and update a network key if it changes for some reason.

    Still though, this isn't a solution for universities where students are admins and can undo any security settings that you set on their machines. Even the above solution can be undone if you have an ambitious student, and it only takes 1.


    Monday, July 11, 2011 7:22 PM
  • True, but once the changes are done we will use Deepfreeze to maintain the settings and registries.

    It is a temp solution at the moment for this deployment.

     

     

    Monday, July 18, 2011 3:42 PM
  • Has MS come any closer to fixing this? Will they even admit it is a security risk?
    Thursday, December 08, 2011 5:19 PM
  • I understand your company's needs and security. If you are concerned, then we have a solution. When I got wireless at my property, I also felt the requirement to hide the wireless key, and eventually I spent some time and found the solution. I hope you are also going to take help from it and going to appreciate it.

    Hide wireless network key

     

    If you require some more security option then you can check these links also

    How can I secure my wireless network?


    • Edited by amar3383 Monday, December 19, 2011 5:15 PM
    Monday, December 19, 2011 5:14 PM
  • The ideal way to address this problem is to lock down the PCs, i.e. remove admin privileges of your end users from their computers. This will prevent them from viewing the password and also prevent them from installing malware. Obviously this will prevent them from performing various privileged tasks that they genuinely need, like installing and updating certain applications (example: Adobe Flash, iTunes...), ActiveX controls, certain privileged commands, etc. You can address this problem by deploying privilege elevation software that will granularly delegate admin privileges to end users for only those privileged activities that the admin approves (the admin creates and deploys elevation rules for the approved tasks). One such privilege elevation solution is Privilege Authority. http://www.scriptlogic.com/products/privilegeauthority/. It offers a free and a paid version. It also has a large community of users who create and publish elevation rules for reuse by other users. The community is www.privilegeauthority.com/. See the rules exchange within the community for the posted rules. They can be directly imported from within the product console with a single click.

    Hope this will help solve this problem.

    Avi

    • Proposed as answer by Avi_Ko Wednesday, December 28, 2011 4:23 PM
    Wednesday, December 28, 2011 4:22 PM
  • This just makes no sense to me whatsoever. Instead of leaving it like it was in previous versions, they change it, and then the fix is to create more management overhead with group policies or third party software that could also add additional costs. I have been a MS guy forever but it's stuff like this that has me starting to look at other options for my client computers. MS REALLY dropped the ball here in my opinion. I just can't believe their "developers" thought this was a good idea.
    Wednesday, December 28, 2011 8:45 PM
  • I totally agree with the criticism. My home WIFI network used to be secure, and it was possible to grant my kids' visiting friends WiFi access without compromising access control to the network. Suggesting enterprise solutions is totally irrelevant in this context, and the current situation with Win7 WiFi setup is equivalent to posting the password on the bulletin board at the local mall. You'd think somebody with half a brain could figure out the downsides of the new solution prior to releasing it. A fix is overdue, and hiding behind "by design" and "use enterprise solutions" does definitely not cut it!
    Friday, January 06, 2012 3:19 PM
  • This is great, however... we tried it but then try this:

    Go and lower the UAC to the minimum

    restart

    and you are back to square one...

    any other suggestions anyone?

    Thursday, January 26, 2012 2:43 PM
  • There is NO solution whatsoever. We spent hours trying proposed solutions. The registry hack does not work either. Setting people to power users is not an option with our team as well.  The only viable option is to stick with XP, or buy an enterprise solution.

    Friday, February 24, 2012 9:28 PM
  • In my case, it was in HKEY_CLASSES_ROOT\Appid\{86F80216-5DD6-4F43-953B-35EF40A35AEE}.
    Under this key you have 3 values :
    • The first one (default) with the value "CElevateWlanUi"
    • The second one, AccessPermission, of type Reg_Binary with a binary value (it doesn't matter to understand what it means)
    • The third one is called DllSurrogate with a null value.

    Hi All,

    I have also been working on this and came up with this: first hide the wireless key, then browse to the third key above:

    The third one is called DllSurrogate with a null value: change the null value to 1, and it seems to work (well, in that it allows you to tick the box, but it becomes unticked again without showing the password). Let me know if it's a full cure please, as my next job is to copy this profile to the default one so that this remains constant over any new logins.



    • Edited by ritchiebaby Wednesday, May 30, 2012 1:31 PM spelling
    Wednesday, May 30, 2012 1:30 PM
  • I also have the same problem, and I tried this registry editor idea but I failed. But afterwards I thought that everyone can see this wireless password because I am logged on to the computer as administrator. After that I made one user account and always use the computer with this user login; if I am using this user account, then the wireless network password is really not displayed in the network properties.

    This is the simple idea to hide the wireless network password in Windows 7. Thanks.

    Sunday, June 10, 2012 12:54 PM
  • Even logged in as a Domain Admin, it says I don't have write access to the [DllSurrogate] REG entry.

    I need to perform this task via a batch command similar to the following:

    START REGEDIT /S "\\192.168.6.20\NETLOGON\REGFILES\HIDEPASSWORD.REG"

    Monday, July 16, 2012 6:32 PM
  • I think Adam is very much right. I have searched and been unable to find a solution to this security flaw. Microsoft's designers should be consulted to have it fixed.

    ahmad.nawaz

    • Proposed as answer by ahmad.nawaz Friday, September 21, 2012 4:04 PM
    Friday, September 21, 2012 4:04 PM
  • Wireless Network Security Key Windows 7

    I came across the same problem with Windows 7.  After having  searched the internet for a solution to this problem, I could not find any easy fix available.  I set about working on the problem and came up with the following:

    For this fix to work the router must allow leading spaces in the wireless key; not all routers do.

    The router I did the work on was a Netgear Router DGN2200.  I believe I have come upon a secure fix to this issue. It involves no extra software or registry entries.  I found that using spaces in the key code before and after a six character code seems to do the job.   All it involves is setting up the router with the following type of wireless key:

    Example

    Security Option 

    WPA2-PSK(AES)

    Security Option

    Passphrase:          abP129                   

    Here I have  typed  ten spaces  plus a six character code followed by 20 spaces (The spaces before and after are part of the key)

    I then applied these changes.

    Log onto the Network using the above key (do not forget the spaces)

    Next open Network and Sharing Center, Wireless Network Connection, Wireless Properties, Security, Show characters. There should be no characters.

    Conclusion

    The spaces and the 6-character (max 7) code do the trick. Given that the key can have up to 63 characters, you can use up to 53 spaces around the code if one so wished and place the 6 characters anywhere within them.  I have not yet done the math on this code.  But given that there is a six character arrangement embedded in the spaces, I believe it to be quite secure.

    Note

    This does not work with all routers and access points, e.g. it does not work with the Netgear WNDAP350, as leading spaces are not allowed in the wireless key.

    Have a nice day,

    Mike Timmons

    • Edited by Mike Timmons Wednesday, December 12, 2012 7:24 PM
    Saturday, December 01, 2012 10:56 AM
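
Added example (not code from any poster in this thread): the math that the post above leaves undone, together with the SSID-salted key derivation mentioned earlier in the thread. It counts every passphrase of the form spaces + six-character code + spaces and compares that with a 31-character passkey like the one another poster describes; the 62- and 94-symbol alphabets, the network names and all function names are assumptions.

```python
import hashlib
import math

ALPHANUMERIC = 62          # a-z, A-Z, 0-9, like the sample code "abP129"
PRINTABLE_NON_SPACE = 94   # ASCII 0x21-0x7E, assumed alphabet for a random key
MIN_LEN, MAX_LEN = 8, 63   # WPA/WPA2 passphrase length limits


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK master key from a passphrase.

    PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output, with the SSID as salt.
    Spaces are ordinary passphrase characters, so padding is part of the key.
    """
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def padded_code_keyspace(code_len: int, alphabet: int) -> int:
    """Count all passphrases of the form <spaces><code><spaces>.

    The code itself contains no spaces, so every passphrase splits in exactly
    one way into leading padding, code and trailing padding.
    """
    layouts = 0
    for total_len in range(max(MIN_LEN, code_len), MAX_LEN + 1):
        layouts += total_len - code_len + 1   # possible leading-space counts
    return layouts * alphabet ** code_len


def compare_schemes() -> dict:
    """Strength in bits of the schemes discussed in the thread."""
    code_only = ALPHANUMERIC ** 6                      # padding layout known
    padded = padded_code_keyspace(6, ALPHANUMERIC)     # padding layout unknown
    random_31 = PRINTABLE_NON_SPACE ** 31              # 31 random characters
    return {
        "code_only_bits": math.log2(code_only),
        "padding_bits": math.log2(padded) - math.log2(code_only),
        "padded_bits": math.log2(padded),
        "random_31_bits": math.log2(random_31),
    }


if __name__ == "__main__":
    # Constructed sample: ten spaces, the post's sample code, twenty spaces.
    key = " " * 10 + "abP129" + " " * 20
    for ssid in ("ExampleNet-A", "ExampleNet-B"):      # hypothetical SSIDs
        print(ssid, wpa_psk_pmk(key, ssid).hex())
    for name, value in compare_schemes().items():
        print(f"{name}: {value:.1f}")
```

Space padding adds under 11 bits to the six-character code, because only the total length and the number of leading spaces vary.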
  • Well, thanks to this intentionally added security flaw my wireless network has now been compromised. We have always known that MS products were full of security holes but who would have thought they would add one on purpose. And please MS do not tell me that it has been fixed in Windows 8, doubtful, because as of right now I have absolutely no plans to go that route because from what I am seeing/hearing Windows 8 is no better than ME/VISTA. I mean really how hard can it be to put out a patch for this? I just can't believe that the "developers" actually thought this was a good idea and the only way to "fix" it is to add more management overhead to already stretched IT staff/departments or to spend money on third party apps from already VERY tight budgets. MS for once show a little integrity and admit that you got this VERY wrong and correct the issue. Contrary to what you believe you DO NOT ALWAYS KNOW BEST, especially in this case.

    I think as a community we should reach out to any and all TECH publications as this may be the only way to get this fixed.

    • Edited by sapper12 Wednesday, December 12, 2012 2:33 PM
    Wednesday, December 12, 2012 2:26 PM
  • ISSUE OUTSTANDS IN WINDOWS 8.  This just became an issue for my company when we got a new wireless network and tried to achieve new security standards.  Below is a link to a thread where user 'TechDoctor' provided a good GPO solution for me in my particular situation.  Read my reply(skrash3r) to see some of the limitations.  This wouldn't help home users at all. 

    http://social.technet.microsoft.com/Forums/en/itprovistanetworking/thread/5f8877a7-cc6d-4ffd-bda1-f3bcf07d1a88

    Tuesday, January 15, 2013 5:56 PM
  • George- I tried your suggestion and for some reason it isn't working, is there something I am missing?  I removed the administrator and trusted installer and just put the domain admin as the owner. I am working with Windows 7 64-bit.  I am trying to get this working on 1 laptop so I can implement this company wide using group policy. 

    I also tried:

    C:\Windows\System32\wlanui.dll and select the security level as Disallowed. wlanui.dll is the Wireless Lan User Interface GUI. <supplied by the TechDoctor>

    thank you,

    Monday, February 18, 2013 5:11 PM
  • Hi All

    Well, I came to this thread for another reason but thought that I'd jump in and add to it.

    While reading this the first thing that came to mind was to turn on MAC filtering in your router, thus problem solved.  This has been a feature of routers for as long as I can remember.

    Also, but I'm not sure on this one, you can do MAC filtering on your server if I remember, but it's been a while since having to mess with a proper server.

    Mark...................


    • Edited by gitface Friday, June 21, 2013 11:48 AM typos
    Friday, June 21, 2013 11:48 AM
  • While Windows 7 did add a built-in method to view the key for a configured wireless network, it has always been possible in previous versions for an admin to retrieve the key from the registry or wherever it is stored.  I have previously done so on a Windows XP laptop to get the key for someone who couldn't find the paper where I had written it down for them when they wanted to configure another device for their network.  I don't know where it was stored, as I used a free tool downloaded online to retrieve it, but the point is that it has been easy to do so even before Windows 7.

    As stated before by others:  if you need to keep unauthorized devices off your network when users are allowed to be admins on their own devices, don't rely on pre-shared key mode.  OS on the device is irrelevant if the user has full control.

    • Proposed as answer by ShadyDreamer Monday, July 15, 2013 10:41 PM
    Monday, July 15, 2013 10:39 PM
  • Dear all,

    In Windows Mobile smartphones like the Nokia Lumia, the "Show Characters" box is enabled only when the user is defining the hidden connection; once it has been created, the "Show Characters" box cannot be enabled, so the password is not visible anymore. Even when you select edit the connection, you cannot modify the "Show Characters" box. I think this is the way it must work on laptops, netbooks, desktops, etc., no matter whether you are administrator of the user equipment or not. The network administrator must have the password; maybe he / she is not the same guy who manages the laptops, servers, etc. as administrator. This password is a network resource, so the administrator of laptops or mobile devices can use the service as a user, but maybe he / she must not know the password; if so, they can share the password with everybody. So if this can be visible to the administrator, who normally is the final user, since that user needs administrator privileges to install updates and programs that they normally need and that the administrator normally cannot install remotely because he never has time or enough resources, what is the logic of having a hidden password box in laptops that is visible?

    Wednesday, August 07, 2013 8:23 PM
  • Assuming that all the wireless devices are the property of the company, that solution would work. For many of us that is not the case. For example, many of our employees & contractors need access to the internet on their own computers.  It was always possible for an employee or contractor to actually find out on their computer what the key is (locks are for honest people), but it took time and effort (all a lock does is keep an honest person honest). Windows 7 just made it easy to be dishonest!   It wasn't until we started seeing "My I phone" & "My phone" that we realized we had a problem.

    We have now implemented randomly scheduled changing of the keys and we are supplying supervisors with a flash drive with the configuration on it. Changing it every week or 2, or when there gets to be too many unauthorized devices, seems to be keeping the problem in check.

    It's not just a "Design Feature" It's a "BAD Design Feature"

    Microsoft has to come out with a fix for this.

    My thoughts would be to make a patch for "Copy this network profile to a USB flash drive" so that when it adds the profile to the new computer it either turns off the 'view password' option or it scrambles what the viewer sees.  That way it could be an option for those who plan to forget their password; it would be just 1 click away.

    Saturday, November 16, 2013 4:45 AM
  • Hello All,

    I am a loyal Linux user with no desire to touch anything "Windows" with a 10 foot pole.

    BUT "they" are completely right and the users who complain about this are completely wrong!

    To that university that enters the "secret" key for students - have you ever encountered a student with a Mac? Mac lets users unhide the key too.

    To that guy who doesn't want house guests to have unauthorized access to his non-enterprise network - change the key to '1234' when you have house guests and then change it back to your "secret" after they're gone.

    To others who think this is a Windows 7+ only problem - there is this thing called Google. 15 Seconds of Googling will find you a quick and simple .exe that you can run on Windows XP if you have admin rights that will reveal the stored keys.

    It's just a fact of life people, if the machine "remembers" the key for you, anyone with admin rights can get it.

    Regards,
    asmoore82

    Friday, May 09, 2014 6:15 PM