Windows 11 And Server 2025 Will Start Caching Plaintext Credentials By Enabling WDigest Authentication

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Cybersecurity threats are rapidly evolving; even advanced operating systems like Windows 11 and Windows Server 2025 can have vulnerabilities due to legacy configurations.

Horizon Secure highlighted a concerning feature: WDigest authentication, which can be enabled to cache plaintext passwords in memory, potentially exposing users to credential theft.

Disabled by default since Windows 10 version 1703, WDigest was designed to store hashed credentials for compatibility with older applications.

However, a simple registry modification can reactivate it, allowing Windows to retain unencrypted passwords during logon sessions.

The registry value in question, `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential`, set to 1 takes effect immediately upon the next user logon, without requiring a system reboot.

This means sensitive credentials linger in process memory, ripe for extraction by malware or attackers with local access.

Attackers covet plaintext credentials because they bypass the need for cracking hashes, enabling quicker lateral movement across networks.

Tools like Mimikatz have long exploited WDigest for this purpose, and despite Microsoft’s hardening efforts, such as protecting the Local Security Authority Subsystem Service (LSASS) process in Windows 11, vulnerabilities persist.

LSASS safeguards prevent easy dumping of credentials, but re-enabling WDigest undermines these protections by storing passwords openly.

Many organizations overlook this risk, especially those running Windows 11 Pro editions. Advanced features like Credential Guard, which virtualizes LSASS for isolation, are exclusive to Enterprise and Education versions.

Without it, Pro users remain vulnerable if legacy apps demand WDigest compatibility, a common scenario in mixed environments.

Mitigations

Fortunately, free built-in tools can counter this threat. The Protected Users group in Active Directory blocks WDigest caching and other weak authentication methods for high-privilege accounts.

Yet, adoption remains low; security audits often reveal privileged users outside this group, leaving doors ajar.

Experts urge immediate checks: scan for the WDigest registry value and audit group memberships. For broader defense, enable multi-factor authentication and monitor for anomalous memory access.
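The two checks recommended above, written out as an added PowerShell example (not code from the article or from Horizon Secure). It assumes an elevated session on a domain-joined host with the ActiveDirectory RSAT module installed; the list of privileged groups it audits is an assumption you may adjust.

```powershell
# Added example: audit and remediate the WDigest UseLogonCredential setting,
# then report privileged accounts that are not in Protected Users.
# Assumes: elevated PowerShell, domain-joined host, ActiveDirectory module available.

$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

# 1. Registry check. A missing value means the secure default (0) applies on
#    Windows 10 1703+ / Server 2016+; an explicit 1 re-enables plaintext caching
#    in LSASS for every logon that follows.
$current = (Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    Write-Warning "WDigest plaintext caching is ENABLED ($ValueName = 1)"
    # Remediate by writing 0 explicitly rather than relying on the value being absent.
    # Sessions already logged on keep their cached secret until the user logs off.
    Set-ItemProperty -Path $WDigestKey -Name $ValueName -Value 0 -Type DWord
    Write-Output "Set $ValueName to 0; new logons will no longer cache plaintext credentials."
} else {
    $shown = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "WDigest plaintext caching is disabled ($ValueName = $shown)"
}

# 2. Group audit: members of high-privilege groups missing from Protected Users.
#    The group list below is an assumption; extend it with your own tiered admin groups.
Import-Module ActiveDirectory -ErrorAction Stop
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive |
              Where-Object { $_.objectClass -eq 'user' }).SamAccountName

foreach ($group in $privilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -notin $protected } |
        ForEach-Object {
            # Each row is a privileged user whose credentials WDigest could still cache.
            [PSCustomObject]@{ Group = $group; User = $_.SamAccountName; InProtectedUsers = $false }
        }
}
```

Run the registry portion on every host you manage (it is per machine), and the group audit once per domain; any row the second part prints is a candidate for the Protected Users group.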

While Microsoft continues to phase out legacy auth, user vigilance is key to avoiding plaintext pitfalls. As cyber threats target Windows ecosystems, this reminder underscores that security defaults are strong, but misconfigurations can unravel them swiftly.
