After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon. Putting things into perspective: Windows itself never stores account passwords unless you enable “automatic login”, which is discouraged by Microsoft.
However UPEK's maker disputes these allegations:
Authentec, which makes the widely used UPEK fingerprint scanner, said on Wednesday that it couldn't find any evidence to support the allegation that its software stores Windows passwords insecurely, exposing customers to potential hacking.
An attacker who is able to recover a Windows account password can access anything the user is able to, including files encrypted with Windows' built-in EFS file encryption, and other credentials protected by the user's password.
Edited by Andrew, 06 September 2012 - 06:04 PM.