I have been thinking about blogging about this cool little tool for a long time now: the Lync Client Password Recovery Tool.
This is simply a tool that dumps out Lync passwords (which are also the users' domain passwords) from the local credential manager store found in Control Panel / User Accounts / Manage your credentials. The reason I have not made a post about this before is that I expected this issue (security hole) to go away in Lync 2013, but today I had a chance to try it with the Lync 2013 Preview client (still connected to a Lync 2010 Server).
And to my surprise - the tool still works even with the Lync 2013 Preview client!?
The issue is of course the widely used and very convenient "Save Password" check box found when logging in to Lync.
Checking the "Save password" box in Lync 2013 Preview will however bring up one additional warning compared to Lync 2010.
0 = "Users do not have the option to save password", which has the following explanation:
"Allows Microsoft Lync to store user passwords. If you enable this policy setting, Microsoft Lync can store a password on request from the user. If you disable this policy setting, Microsoft Lync cannot store a password.
Note: You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence."
Microsoft Lync 2010 Client Group Policy Documentation
And this could also be quick-fixed with a registry key hack:
reg add HKCU\Software\Microsoft\Communicator /v SavePassword /t REG_DWORD /d 0 /f
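To check which SavePassword value actually applies on a workstation, here is an added audit example (not from the original post or from Microsoft) that applies the "Computer Configuration takes precedence" rule quoted above. The two Software\Policies paths and the function name are assumptions; only the HKCU\Software\Microsoft\Communicator key comes from this post.

```powershell
# Added example: report the effective Lync "SavePassword" setting for the
# current user. Read-only; nothing is written to the registry.
function Get-LyncSavePasswordSetting {
    # Ordered by precedence: computer policy wins over user policy, per the
    # documentation quoted in the post. The Policies paths are assumptions;
    # the last path is the key used by the reg add command in the post.
    $candidates = @(
        @{ Source = 'Computer policy'; Path = 'HKLM:\Software\Policies\Microsoft\Communicator' },
        @{ Source = 'User policy';     Path = 'HKCU:\Software\Policies\Microsoft\Communicator' },
        @{ Source = 'User preference'; Path = 'HKCU:\Software\Microsoft\Communicator' }
    )

    foreach ($c in $candidates) {
        $item = Get-ItemProperty -Path $c.Path -Name SavePassword -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent, try the next source

        $raw  = $item.SavePassword
        $kind = (Get-Item -Path $c.Path).GetValueKind('SavePassword')
        $num  = $raw -as [int]              # $null if the data is not numeric

        # 0 = "Users do not have the option to save password" (from the post).
        # Treating any other number as "allowed" is an assumption.
        $allowed = if ($null -eq $num) { $null } else { $num -ne 0 }

        return [pscustomobject]@{
            Source        = $c.Source
            Path          = $c.Path
            ValueKind     = $kind
            Value         = $raw
            SavingAllowed = $allowed
        }
    }

    # No value found anywhere: the client's default behaviour applies.
    return [pscustomobject]@{
        Source        = 'Not configured'
        Path          = $null
        ValueKind     = $null
        Value         = $null
        SavingAllowed = $null
    }
}

Get-LyncSavePasswordSetting | Format-List
```

A result of `Not configured`, or `SavingAllowed : True`, means the "Save password" check box is still available to that user, and a password that was already saved stays in the credential store until it is removed there.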
I also believe that the Registrar settings found in the Lync control panel / Security / Registrar / Global will have some effect on this.
But seriously - I really hope something more is done about this in Lync 2013 - or?
Please comment so that I can update this post soon!
Thanks and greetings to Mr. Remko Weijnen!