This article applies to Windows 10 Anniversary Update (Version 1607). For previous versions of Windows, please see the earlier article.
What are cached credentials?
Windows 10 caches and stores usernames and passwords for Active Directory domains, other computers, apps like Outlook, websites, and FTP sites. This makes it easier to authenticate as you don’t have to type in the username and password every single time. But it does pose a risk of those credentials getting misused.
Where are Windows 10 credentials stored?
Active Directory credentials. Domain credentials (usernames and passwords are stored on the local computer’s registry as salted hashes. This is under HKEY_LOCAL_MACHINE\Security\Cache, found in the %systemroot%\System32\config\SECURITY file.
Generic credentials. You can view Website and Windows credentials by launching the Credential Manager (credwiz.exe).
Internet credentials. You can view Internet usernames and passwords in the Internet Control Panel (inetcpl.cpl). Run inetcpl.cpl, go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords.
When do Windows 10 cached domain credentials expire?
Unfortunately, Windows domain credentials don’t expire in the cache. Within Active Directory, expiration is set on the user object. But if the credential is still valid in Active Directory, the cached copy will still work.
It is possible to control how many credentials are cached using the group policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Designing CyberSecurity | Weekly Blog Series
Designing and architecting security? Join our weekly conversation on what hackers can learn from artists and designers.
- Driving security forward with architecture principles
- Starting with empathy
- Making security about Ray-Bans not safety goggles
- Future-proofing security controls
How to reset Windows 10 credentials? How to remove Windows 10 credentials?
Active Directory credentials. Open the registry to HKEY_LOCAL_MACHINE\Security\Cache, grant your user account read/write access. Close and reopen the registry to have the access control take effect. Zeroing out the NL$x binary value will clear the cached credential.
Generic credentials. Open the Credential Manager (credwiz.exe to view Website and Windows credentials. Select and remove the passwords you wish to clear.
Internet credentials. Open the Internet Control Panel (inetcpl.cpl), go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords. Select and remove the passwords you wish to clear.
Outlook email. To view and clear Outlook passwords on Windows 10, first use the Credential Manager instructions above. Then, download the SaveCredentials.exe tool and follow the directions here.
Windows Live Essentials. To view and clear Windows Live Essentials passwords on Windows, first use the Credential Manager instructions above. Find the SSO_POP_Device. This credential provides Single Sign-On (SSO) access for the Post Office Protocol (POP) when accessing a variety of Microsoft email platforms (@hotmail.com, @msn.com, @outlook.com, etc).
Why bother clearing Windows 10 credentials?
The main reason people follow this article is to troubleshoot cached Windows credentials, Active Directory credentials, domain issues, or problems with apps like Internet Explorer and Outlook. Removing the passwords from Windows allows it to reset and fix authentication issues.
The other reason? Well, security. A common tactic from penetration testers to red teamers to criminals is to gain access to cached credentials. From there, they may be replayed to connect to IT systems, or cracked and reused as part of a larger attack. To prevent this, minimize the data stored on your computer and minimize the likelihood of it being stolen or copied.