
Ophcrack Says Your Password Is Insecure

CmdrTaco posted more than 6 years ago | from the something-to-play-with dept.

Security 249

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."


249 comments


1st (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20539643)

first bitches

Ass-crack (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20539649)

Shashdot is the internet's ass-crack.

so what a pregenerated database ...wow. (1, Informative)

Anonymous Coward | more than 6 years ago | (#20539651)

Pregenerated codes... yawn... didn't we have the same sort of thing - a database of md5 hashes - like over a decade ago?

It won't figure this one out (0)

Anonymous Coward | more than 6 years ago | (#20539655)

My new password is "1nm3ns3"

...generate inmense tables of words

Re:It won't figure this one out (1)

lottameez (816335) | more than 6 years ago | (#20540147)

Now that you've fixed the spelling error, perhaps ophcrack can help you with grammar too:

how Ophcrack is capable of generate immense tables of words

First U.S.A. Communist Party FP (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20539667)


The revolution will be televised.

Link to 15GB Rainbow Table File? (1)

Shadow_139 (707786) | more than 6 years ago | (#20539669)

Anybody got a link to the 15GB rainbow table file?

Re:Link to 15GB Rainbow Table File? (1, Informative)

Anonymous Coward | more than 6 years ago | (#20539869)

Don't know about a 15gb table, but here's a 120gb LM-hash table:
http://silivrenion.com/rainbowtables/hak5_rtables_lm_all_1-7.torrent [silivrenion.com]

and that's from the guys at www.rainbowtables.org

There's no way they're getting my password! (4, Funny)

eln (21727) | more than 6 years ago | (#20539677)

Ha, I've got these fools beat! I don't even USE a password on my Windows box. I'd like to see you try and crack MY password!

Re:There's no way they're getting my password! (1)

rmadmin (532701) | more than 6 years ago | (#20539803)

Got it.

norad:~# echo "" | md5sum
68b329da9893e34099c7d8ad5cb9c940 -
norad:~#

Re:There's no way they're getting my password! (3, Informative)

Anonymous Coward | more than 6 years ago | (#20539895)

echo -n "" | md5
d41d8cd98f00b204e9800998ecf8427e

His password is nothing, not a newline.

Re:There's no way they're getting my password! (4, Funny)

eln (21727) | more than 6 years ago | (#20539985)

norad:~#
You may be able to crack it, but you're cheating. Clearly, working at NORAD you have access to ultra top-secret military-grade cryptographic techniques not available to your average cracker.

Re:There's no way they're getting my password! (0)

Anonymous Coward | more than 6 years ago | (#20540045)

Tsk.

% md5sum
<ctrl-d>
d41d8cd98f00b204e9800998ecf8427e -
%

Re:There's no way they're getting my password! (5, Informative)

pegr (46683) | more than 6 years ago | (#20540079)

Got it.

norad:~# echo "" | md5sum
68b329da9893e34099c7d8ad5cb9c940 -


Actually, it's:
Password:
LM Hash: AAD3B435B51404EEAAD3B435B51404EE
NT Hash: 31D6CFE0D16AE931B73C59D7E0C089C0

Windows password hashes are not MD5...

Brought to you by the "genhash" utility of the PassTheHash toolkit for Windows. (Google it, it's awesome.)

Re:There's no way they're getting my password! (1, Informative)

Anonymous Coward | more than 6 years ago | (#20541199)

Worse - Windows hashes are MD4! That's all that's needed [sourceforge.net] .

Re:There's no way they're getting my password! (0)

Anonymous Coward | more than 6 years ago | (#20539967)

I know this was meant as a farce, but technically speaking you can still crack a blank password. A hash of a null value will still return a hash value.

Re:There's no way they're getting my password! (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20539987)

I know it's a joke, but in Windows you cannot remotely connect to a passwordless account, so in that sense it actually is more secure.

Re:There's no way they're getting my password! (5, Interesting)

ceeam (39911) | more than 6 years ago | (#20539999)

You laugh but Windows indeed blocks some operations when no password is assigned. So - no password sometimes may be better than crackable password.

Re:There's no way they're getting my password! (1)

Tweekster (949766) | more than 6 years ago | (#20541069)

I just disable those restrictions.

My network isn't connected to the intertubes, so why can't I have a blank password for a remote desktop connection?

Re:There's no way they're getting my password! (1)

ZwJGR (1014973) | more than 6 years ago | (#20541211)

Just about the only operation blocked is network share authentication, and that is easy to enable with no password (Local Security Policies...).

IMO there is absolutely no point in having a login password for stand-alone machines, as it is TRIVIAL to bypass with something as easy as a boot CD/floppy that just resets the passwords, as long as you have physical access to the box (or just yank out the hard drive and mount it somewhere else).
Passwords are only really useful for network-type arrangements, or full-disk encryption if you're especially paranoid...

This is news? (3, Insightful)

Lord_Frederick (642312) | more than 6 years ago | (#20539711)

How long have rainbow tables been around? And hasn't just about everyone stopped storing LM hashes?

Re:This is news? (2, Interesting)

CJ145 (1110297) | more than 6 years ago | (#20539829)

People that know should have; however, the majority of Windows users have no clue what an LM hash is. I use the ophcrack livecd almost daily to find lost passwords. Not once on a customer computer have I found LM disabled (Windows XP systems). I have not seen any Vista PCs yet so I do not know what the default is on Vista.

Re:This is news? (3, Interesting)

CastrTroy (595695) | more than 6 years ago | (#20540149)

I remember once I tried a Linux bootable floppy that was supposed to be able to reset Windows passwords, from what I recall, by just changing the value of the hash. Anyway, the drive was NTFS, and something got screwed up, and the file was unreadable. What I ended up doing was copying the same file from a computer with a similar setup (both were college-issued laptops), and using the other person's username as password to log in. Anybody with enough access to the machine can get past a simple password. And unless you keep all your important data on an encrypted partition, and use encrypted swap (can you do this in Windows??), then you really don't have much protection, and shouldn't assume that the data on your computer is locked down.

Re:This is news? (1)

Anonymous Coward | more than 6 years ago | (#20540765)

then you really don't have much protection, and shouldn't assume that the data on your computer is locked down.

For black hat, there's still many advantages to knowing the password over just cracking the system.

Re:This is news? (1)

TheThiefMaster (992038) | more than 6 years ago | (#20541189)

I think it was '98 where you could just boot into dos and delete username.pwd to make it so that user "username" had no password.

Security at its finest.

Re:This is news? (1)

maddskillz (207500) | more than 6 years ago | (#20540759)

I read that LM is disabled by default on Vista, but don't have a computer with it on to check it out on. It's about time!

Re:This is news? (0)

Anonymous Coward | more than 6 years ago | (#20541363)

I read that LM is disabled by default on Vista, but don't have a computer with it on to check it out on. It's about time!

One needs to keep in mind that Windows XP was released in 2001 so Microsoft fixed this issue in the next version of Windows. It just so happens that it took them ~5 years to release the next version.

So... (4, Funny)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#20539717)

So basically, if I want to find out the passwords on someone else's computer, I have to bring along a high-capacity DVD's worth of data as well? I might as well just pretend I'm their tech support and ask for the password.

Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was (the prize was an A for the year - dumb teacher).

Re:So... (5, Insightful)

jayhawk88 (160512) | more than 6 years ago | (#20540095)

The point is that it can get the password in under 5 minutes. You could bring along something like L0pht, and then wait 2 weeks while it brute forces it.

Re:So... (1)

Poromenos1 (830658) | more than 6 years ago | (#20540735)

LC has supported Rainbow Tables since version 5 IIRC. Also, how would salts work on this? If you stored EVERY md5 hash (which is what rainbow tables do), then you've stored the salt as well. You'll just get "saltpassword" as the retrieved password, won't you?

Re:So... (1)

prockcore (543967) | more than 6 years ago | (#20541021)

If you stored EVERY md5 hash (which is what rainbow tables do)


That is certainly not what rainbow tables do. md5 is 128 bit. So to store every md5 hash would require 2^128 (3.4 × 10^38) * average_password_length bytes.

Re:So... (1)

ajs (35943) | more than 6 years ago | (#20540261)

Of course, on real systems you use a decent hashing algorithm that can handle a much larger space.

If you're interested in generating random, but secure passwords, I recommend my mkpasswd [ajs.com] program, which can securely generate random passwords, or generate very insecure passwords, and the entire spectrum in-between. It uses a regular-expression-like syntax for describing a possible password, and then generates random passwords that fit the pattern. For example, you can tell it that you want 10 completely random characters, or you can tell it that you want a nine-letter pseudo-word (something that's pronounceable as if it were English, but is not a valid word) followed by a random character. Obviously the second example is much less random than the first, and thus less secure against attacks. There are many, many knobs, as well as a large number of default patterns that can be randomly selected from if you're lazy (at the cost of some security, of course).

Re:So... (5, Funny)

Anonymous Coward | more than 6 years ago | (#20540485)

Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was
But then, you didn't really guess his screensaver password. So no prize should have been given to you.

(the prize was an A for the year - dumb teacher).
Pretty dumb to give away grades, I agree. But, then, no one expects the Spanish algorithm!

Total non-story (1)

Sycraft-fu (314770) | more than 6 years ago | (#20541157)

It's just another rainbow tables program. Yay. It may be better written than some (I don't know I haven't tried it) but it isn't anything new. There are plenty of rainbow table generators out there. The only problem you discover is that they take a shitload of space to get useful results. Also, if you are dealing with LM hashes, as this program is, there's no need. A Core 2 Duo can easily break pretty much any LM password in 24 hours or less.

However it also isn't that useful since as of Windows Vista, Windows disables the storing of LM hashes by default (you can tell XP and 2000 to disable it too if you wish). As such LM tables are ineffective, there's no LM hashes to compare against. NTLM, being a much better hash, is not nearly so easy to generate a hash table for.

I dont like SALT!! (0, Offtopic)

Creepy Crawler (680178) | more than 6 years ago | (#20539723)

or Lobster Thermidor a Crevette with a mornay sauce served in a Provencale manner with shallots and aubergines garnished with truffle pate, brandy and with a fried egg on top and SALT!!

Windows is insecure by design (4, Insightful)

Anonymous Coward | more than 6 years ago | (#20539727)


If I have physical access to the machine and have a bootable CD I have no need to crack any passwords.
I can just reset the password and carry on. I have a customer whose 9yo girl showed me how she "cracks" her brother's password by booting in safe mode and simply removing his password.
Luckily in some ways I am glad Windows is insecure; I can only imagine the hell a user (and MS) would go through when you tell them that their entire photo/music collection is toast because they forgot their 21 random character hard to remember password.

Don't blame the user, blame the whole crappy password concept.

Re:Windows is insecure by design (4, Informative)

eln (21727) | more than 6 years ago | (#20540033)

if i have physical access to the machine and have a bootable CD i have no need to crack any passwords
i can just reset the password and carry on,
You can do this with a Linux box as well, as well as practically any other system, so I'm not sure what your point is here.

Physical access to a box pretty much means you have root access to that box. This is why physical security is such an important part of overall system security.

Re:Windows is insecure by design (1)

neoform (551705) | more than 6 years ago | (#20541123)

I'd say it just highlights the need/usefulness of cryptography.

People think having a password on their box's login screen means their information is somehow 'safe'. Heavy encryption is the only way to keep your stuff safe.

Re:Windows is insecure by design (0)

Anonymous Coward | more than 6 years ago | (#20541311)

The point is you can find out people's passwords very quickly either with a bootable or launched .exe . Then, you can log in using their name without them knowing - even at another terminal. Also, since people tend to use the same password for other services, it makes it easier to get into other parts of their lives.

Re:Windows is insecure by design (0, Troll)

baggins2001 (697667) | more than 6 years ago | (#20540801)

I don't really care about this issue with Linux. Because zero of my users know how to do this with Linux. But MS advertises this as a feature and by god people around here want to be as secure as possible. God forbid someone should stumble on the porn they are storing on their computer. But occasionally they will encrypt something really important and just go, well if I forget it the IT guy can get it back.

We don't have bitlocker on any of our systems, but I'm sure we will in the next 3 months. I haven't even looked at it, but I am concerned that it may be too secure for the users own good.

Windows is SECURE by design. (1)

Zapped.Info (1113711) | more than 6 years ago | (#20541071)

What are you talking about here? Windows 98? So tell me... You walk up to my computer console, but you don't see the computer. The keyboard is wirelessly connected to it and the monitor cable goes up into the ceiling, but somehow you manage to locate my computer, by following the monitor cable, and you discover my computer is locked in a steel rack cabinet. How do you plan on hacking it? Ok... let me make it simpler... my computer is on the desk, I don't have any devices you can boot from on the computer, because I boot from the network. I have turned off USB and other access points via the BIOS, which I have locked with a strong password. How is it the 9 year old is going to hack my computer? Oh... wait... even simpler... I set up a strong password in my BIOS that will be required at power-on... exactly how was it you were going to hack that again? A strong password doesn't have to be difficult to remember... for example: iC-UR~N~ED-ot

Re:Windows is SECURE by design. (1)

hax0r_this (1073148) | more than 6 years ago | (#20541225)

Ah, thanks, I've been looking for a good secure password to use on my bank account.

secure password? (-1, Redundant)

gad_zuki! (70830) | more than 6 years ago | (#20539729)

From the linked blog: "How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure."

Sorry Jeff, but that's a shit password. If I remember correctly NT drops anything after the first 8 characters, so the password is actually "Fgpyyih8". You have one uppercase letter in there and one number. That's terrible. Where are your characters like !@#$%^&*()-_+ or extended ASCII stuff? Why are you starting with a capitalized letter?

I used the CD version of ophcrack and played with the larger 2+ gig rainbow table assortment and found it pretty weak, if not useless, against a reasonable password policy.

Re:secure password? (0)

Anonymous Coward | more than 6 years ago | (#20540073)

The key phrase in that sentence is "Most people" as in everyday users, and not security professionals and clued-in sysadmins. You know, the non-technical people who may have relied on Microsoft's password checker to tell them that their shit password is "strong" even though it could be cracked in 160 seconds.

Re:secure password? (2, Insightful)

woodhouse (625329) | more than 6 years ago | (#20540109)

>If I remember correctly...

Is this another way of saying "I'm about to spew forth a load of FUD"?

I guess if it's anti-microsoft FUD, it'll get modded up, right.

Re:secure password? (2, Insightful)

Penguinisto (415985) | more than 6 years ago | (#20540133)

Re: NT:

That may have easily been true for NT 4.0, but (IIRC) Win2k and later stretches 'em out a lot more than 8 chars, esp. with AD password policies turned on. (No, not defending 'doze per se, but it simply doesn't parse IMHO).

But then, NT 4.0 once let you have perfect access to its SAM registry keys by simply letting at.exe open regedt32 for you.

(PS: If it helps, I do agree w/ you perfectly that that's a pretty crappy password.)

/P

Re:secure password? (2, Informative)

pegr (46683) | more than 6 years ago | (#20540171)

If I remember correctly NT drop anything after the first 8 characters so the password is actually "Fgpyyih8"
 
You do not remember correctly. LM hashes are created by hashing the first seven characters and the second seven characters, and truncating the hashes together. Yes, instead of having to brute force one fourteen character password, you have to brute force two seven character passwords, a much easier proposition.

The hashes are created by using DES56 on the password chunks with a known key. In practice, I've used a DVD with rainbow tables and retrieved 99%+ successfully. For those I need 100%, I have a USB drive with a complete keyspace set of rainbow tables. Works every time...

Re:secure password? (2, Funny)

a_nonamiss (743253) | more than 6 years ago | (#20540179)

I once took the time (and CPU horsepower) to generate 64GB worth of rainbow tables. I must've done it wrong, though, because it didn't work on anything. I'll happily admit that I was just puttering around, and probably forgot to set some switch somewhere. Fortunately, I had a server that I didn't need for a couple weeks. :)

It's not as simplistic as all that. (2, Insightful)

Medievalist (16032) | more than 6 years ago | (#20540325)

From the linked blog: "How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure."
Sorry Jeff, but thats a shit password. If I remember correctly NT drop anything after the first 8 characters so the password is actually "Fgpyyih8" You have one uppercase letter in there and one number. That's terrible. Where are your characters like !@#$%^&*()-_+ or extended ascii stuff? Why are you starting with a capitalized letter?
Leaving aside your incorrect remembrance of the NT LM hash algorithm, what makes you think that having funny characters, more than one uppercase, and more than one number increases your security?

Is 53cr3TPa55W@rD a better password than Fgpyyih804423? Why?

It's not a trick question. Can you demonstrate that real security is improved by having a secret string conform to a non-secret policy? Are you sure you haven't got any unexamined assumptions in your reasoning?

You also should think twice about allowing commonly used metacharacters in passwords - dollar signs and asterisks carry some risks, for example, that should be probably be quantified within your computing environment.

Re:secure password? (3, Informative)

zlogic (892404) | more than 6 years ago | (#20540507)

LM hashes split passwords in 8-letter chunks, and for each of them:
1) the last symbol is removed, so the chunk becomes a 7-character password
2) the password is uppercased (yeah, that's dumb)
and then hashes are calculated for these chunks.
BOTH the LM and NTLM (a much more secure hash) hashes are stored in the registry.
So to get a typical 8-character password, you only need to guess the first 7 characters in uppercase.
After that the more secure NTLM hash is used to guess the case of each character and the eighth character which is missing from LM.
This means that guessing a 16-character password takes at most twice the time than for a 8-char, and not something like 40^8 times as much.

More info here: http://en.wikipedia.org/wiki/LM_hash [wikipedia.org]
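pegr's genhash output above (an empty password gives NT hash 31D6CFE0D16AE931B73C59D7E0C089C0), the follow-up that the NT hash is MD4, and zlogic's final step (LM only yields the password in uppercase; the NT hash is then used to recover the real case) can all be checked directly. The block below is an added example written for this thread, not code from Ophcrack, genhash or the article: a pure-Python MD4 (RFC 1320; hashlib frequently lacks MD4 on OpenSSL 3 builds), the NT hash as MD4 over the UTF-16LE encoding of the password, the LM key-splitting step as Windows actually does it (uppercase, pad or truncate to 14 bytes, split into two 7-byte DES keys; the DES encryption of the constant "KGS!@#$%" that produces the LM hash itself is deliberately left out, since a DES implementation would dwarf the point), and a case-recovery loop. The sample password "Fgpyyih804423" is the one from the linked article; the target hash is computed locally, so nothing here needs a real SAM.

```python
import struct
from itertools import product

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320: three 16-step rounds over 64-byte little-endian blocks."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F = (b & c) | (~b & d), words in order, shifts 3,7,11,19
        for i in range(16):
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G = majority(b, c, d), words taken column-wise, constant 0x5A827999
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H = b ^ c ^ d, words in bit-reversed order, constant 0x6ED9EBA1
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, case preserved."""
    return md4(password.encode("utf-16-le")).hex().upper()


def lm_halves(password: str):
    """The two 7-byte DES keys LM derives from a password, or None when the
    password is longer than 14 characters (Windows stores no usable LM hash then).
    Each half is independently used as a DES key; that DES step is omitted here."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return padded[:7], padded[7:]


def recover_case(uppercase_candidate: str, target_nt_hex: str):
    """Given the case-insensitive password an LM crack yields, try every case
    assignment of its letters (2**letters NT hashes, not a keyspace search)
    until the NT hash matches."""
    letters = [i for i, ch in enumerate(uppercase_candidate) if ch.isalpha()]
    chars = list(uppercase_candidate)
    for bits in product((False, True), repeat=len(letters)):
        for idx, lower in zip(letters, bits):
            chars[idx] = uppercase_candidate[idx].lower() if lower else uppercase_candidate[idx]
        cand = "".join(chars)
        if nt_hash(cand) == target_nt_hex:
            return cand
    return None


if __name__ == "__main__":
    print("NT hash of empty password:", nt_hash(""))
    print("LM DES keys for Fgpyyih804423:", lm_halves("Fgpyyih804423"))
    print("LM stored for a 15-char password?", lm_halves("x" * 15) is not None)
    target = nt_hash("Fgpyyih804423")          # stands in for the hash read from the SAM
    print("case recovered from LM result:", recover_case("FGPYYIH804423", target))
```

The point zlogic makes is visible in `recover_case`: once LM has given up the uppercase characters, fixing the case against the NT hash costs at most 2^7 = 128 hashes for a seven-letter password, so the NT hash adds almost nothing to the cost as long as an LM hash sits next to it.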

Re:secure password? (1)

secPM_MS (1081961) | more than 6 years ago | (#20541063)

The LM hash is an old legacy security technology, ~20 years old, and like the crypto of its day, single-key DES and 384-bit RSA, is weak. It is off by default in modern Microsoft products, where the more secure NTLMv2 is preferred. If you don't know what your policy is, simply use 15-character or larger passwords. The larger passwords disable the LM hash functionality, forcing movement to NTLM. If you use mixed case and add in numbers and special characters, the resulting large passwords are quite resistant to rainbow tables. My passwords are typically ~18 characters long. Cracking them with a cracker is going to be rather expensive.

Re:secure password? (0)

Anonymous Coward | more than 6 years ago | (#20541399)

>Sorry Jeff, but thats a shit password. If I remember correctly NT drop anything after the first 8 characters so the password is actually

Actually, Unix DES-56 truncated it to 8. But we all use a Blowfish one nowadays (minus the fedora folks who still have not managed to update their glibc...).

Couple things (5, Funny)

BadAnalogyGuy (945258) | more than 6 years ago | (#20539737)

"Passwords should never be saved as plaintext"

Tell that to /etc/passwd, bitch!

Second, if you've computed all possible hash values for all possible character combinations, then it really doesn't matter what your password is, since you only have to have the input hash to the correct hash value. Since an infinite number of character strings map to a finite number of hash values, it is only a matter of building the tables before you can hack any system.

Third, if your only defense against this type of attack is a single password, you're screwed.

Fourth, if you are worried about this sort of attack and you still live with your parents, it's probably not really too critical that you implement heavy-duty, multiple-hardened points on your Gentoo system right now. You'll have plenty of time to implement that sort of security after you finish your current bag of Cheetos.

Re:Couple things (1)

m50d (797211) | more than 6 years ago | (#20539917)

Second, if you've computed all possible hash values for all possible character combinations, then it really doesn't matter what your password is, since you only have to have the input hash to the correct hash value. Since an infinite number of character strings map to a finite number of hash values, it is only a matter of building the tables before you can hack any system.

If passwords are salted, then you need to build tables for all possible salts as well as all character combinations, i.e. 2^128 times as much data, or more than 10^39 bytes.
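Poromenos1 asks above how salts interact with rainbow tables, prockcore points out that a table cannot hold every hash, and m50d's reply is that a salt multiplies the table size by the number of possible salts. The following is an added example written for this thread, not code from Ophcrack or from the article: a toy rainbow table over three-letter lowercase passwords hashed with unsalted MD5 (the keyspace, chain length and chain count are chosen here purely so it runs in a second). It shows that only chain start/end pairs are stored, how a lookup walks from a captured hash to a stored endpoint and then regenerates the chain, and that the very same table recovers nothing once a salt is prepended, because the stored chains were built over unsalted inputs.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                                   # toy keyspace: 26**3 = 17,576 passwords
KEYSPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                               # hashes covered by each stored chain
N_CHAINS = 600                               # (start, end) pairs kept on disk


def h(pw: str) -> bytes:
    """Unsalted MD5, the kind of hash a precomputed table can attack."""
    return hashlib.md5(pw.encode()).digest()


def salted(pw: str, salt: bytes) -> bytes:
    """Same hash with a per-user salt prepended (constructed for the demo)."""
    return hashlib.md5(salt + pw.encode()).digest()


def index_to_pw(n: int) -> str:
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def reduce_to_pw(digest: bytes, step: int) -> str:
    """Map a digest back into the password space. Mixing in the chain position
    gives each column its own reduction function, which is what makes this a
    rainbow table rather than a plain Hellman table."""
    return index_to_pw((int.from_bytes(digest[:8], "little") + step) % KEYSPACE)


def build_table(n_chains: int = N_CHAINS) -> dict[str, str]:
    """Store only chain endpoints: n_chains entries stand in for n_chains * CHAIN_LEN hashes."""
    table = {}
    for i in range(n_chains):
        start = index_to_pw((i * 29) % KEYSPACE)  # deterministic, spread-out start points
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_to_pw(h(pw), step)
        table.setdefault(pw, start)                # chains that merged collapse into one entry
    return table


def crack(table: dict[str, str], target: bytes):
    """Find a preimage of `target` via the stored endpoints, or None if the table does not cover it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # hypothesis: target is the hash at column `pos` of some chain; walk to where that chain ends
        pw = reduce_to_pw(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            pw = reduce_to_pw(h(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        # endpoint matched: regenerate from the start and look for the preimage (false alarms fall through)
        cand = start
        for step in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_to_pw(h(cand), step)
    return None


def coverage(table: dict[str, str], sample_every: int = 97) -> float:
    """Fraction of a fixed sample of the keyspace that the table recovers."""
    hits = total = 0
    for i in range(0, KEYSPACE, sample_every):
        total += 1
        if crack(table, h(index_to_pw(i))) is not None:
            hits += 1
    return hits / total


TABLE = build_table()

if __name__ == "__main__":
    print(f"stored entries: {len(TABLE)} for a keyspace of {KEYSPACE}")
    print(f"coverage of sampled passwords: {coverage(TABLE):.0%}")
    print("unsalted md5('aaa') ->", crack(TABLE, h("aaa")))
    print("salted md5('s4lt' + 'aaa') ->", crack(TABLE, salted("aaa", b"s4lt")))
```

Coverage is well below 100% even though the chains nominally span more hashes than the keyspace holds, because chains merge and repeat; real tables trade that loss against size by tuning chain length and count. A salt defeats the precomputation rather than the hash: to recover a salted password the attacker needs a table built for that salt value, which is m50d's multiplication.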

Re:Couple things (1)

PPH (736903) | more than 6 years ago | (#20540353)

Passwords should never be saved as plaintext"

Tell that to /etc/passwd, bitch!

Hmm. There are no passwords (hashes or otherwise) in my /etc/passwd file.

Re:Couple things (1)

everphilski (877346) | more than 6 years ago | (#20540455)

before /etc/shadow, /etc/passwd held (scrambled) passwords, visible to any user on the machine.

Re:Couple things (1)

zeromorph (1009305) | more than 6 years ago | (#20540711)

Right, but which distribution still saves passwords in /etc/passwd? Name one, I don't know of any.

Re:Couple things (1, Insightful)

everphilski (877346) | more than 6 years ago | (#20541145)

None that I was aware of, but I don't think that was GP's point. He was quoting the "Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naïve programmers." from the article. Which was at one time true for Windows (? or were they referring solely to apps?) but was also at one time true for Linux.

Re:Couple things (1)

blhack (921171) | more than 6 years ago | (#20540881)

Passwords should never be saved as plaintext"

        Tell that to /etc/passwd, bitch!

Hmm. There are no passwords (hashes or otherwise) in my /etc/passwd file.
You fail at funny. The fact that /etc/passwd hasn't contained password data for YEARS is funny because every newbie linux user who downloaded "how to hack.txt" and read that using linux will turn them into a cr4ck1ng GOD finds /etc/passwd and freaks out so hard that they almost knock that two liter of generic Dr. Pepper all over moms carpet every time they find it.

Wow that is a long sentence, am I writing EULAs or is this the 18th century?

15GB isn't large enough (0)

Anonymous Coward | more than 6 years ago | (#20539739)

15GB isn't large enough to handle the possible combinations...

Aside from the fact that you need access to those Hashes in the first place...

Test ophcrack live. (3, Informative)

realdodgeman (1113225) | more than 6 years ago | (#20539765)

Ophcrack live (CD) does not crack all Windows passwords, only about 99%. Still, it uses only 20 minutes and can crack passwords up to 14 characters, while running from a bootable CD. And it is horrifying how few Windows sysadmins know about this...

Re:Test ophcrack live. (3, Insightful)

gad_zuki! (70830) | more than 6 years ago | (#20540105)

First off, it certainly does not crack 99% of passwords. A reasonable password policy means it won't crack anything. It's a 700 meg CD. It's very limited. I've seen it fail on some pretty basic stuff. Essentially toss in a !@#$%^&*()_-{};',.? and it's screwed.

>And it is horrifying how few windows sysadmins who know about this...

Well, they should be asking "Why are my PCs set up to let the end user boot a CD?" or "Why do malicious users have physical access to our machines?" With physical access you're pretty much sunk. Someone could mount NTFS, write to the registry where it stores your admin password, and set it to null. I don't care what OS you use, physical access usually means trouble. Heck, if my portable tools can't crack it, I'll just take the hard drive home and work on it at my leisure.

Re:Test ophcrack live. (4, Insightful)

realdodgeman (1113225) | more than 6 years ago | (#20540243)

It does crack 99% of used passwords, not 99% of theoretical passwords.

Re:Test ophcrack live. (1)

Tim C (15259) | more than 6 years ago | (#20540385)

If you're going to be pedantic, it cracks 99% of passwords used on the systems on which it has been used and data is available.

Re:Test ophcrack live. (0)

Anonymous Coward | more than 6 years ago | (#20540413)

Well, they should be asking "Why are my PCs set up to let the end user boot a CD?" Or "Why do malicious users have physical access to our machines." With physical access youre pretty much sunk. Someone could moutn ntfs, write to the registry where its stores your admin password, and set it to null. I dont care what OS you use, physical access usually means trouble. Heck, if my portable tools cant crack it, I'll just take the hard drive home and work on it at my leisure.

Welcome to the real world. Malicious users can easily access your company's PCs. Simply get in the building. Most places hire really low-quality security personnel; dress up as a copier tech and most don't even notice you. So many copier techs have laptops today, I can jack in at your copier/printer and start cracking Windows domain passwords and sniffing traffic without you even having a clue.

Do I need to get in and have more fun? Maintenance crew or cleaning crew; start by installing hardware keyloggers. A decent malicious user will either build them for about $6.00 each or, if it's a high-paying job, will gladly spend $60.00 each on the USB ones with 2-4 meg of storage. Install, wait a week, go and retrieve them. I now own your whole network. Be sure to install one on key users that look like they might be trouble for IT and you get IT and admin passwords. (Hint: receptionist and sales will be your target to get IT passwords easily.)

Problem is, most MS admins are hired based on certifications and not experience. Most of the MCSEs I know do not even look at important info like this and go "something like that is possible?" These are not highly trained professionals, they are basic-understanding individuals because companies can't afford to pay for highly trained professionals.

I wrote a keylogger for the company just today to gather evidence on an employee. It took me 35 minutes in C and it even hides itself very well, and the current virus scanners and anti-malware do not see it. The other IT admins here at the company are like "OMG! You did that that fast! HOW!"

Most admins barely know how the computers operate.

Re:Test ophcrack live. (3, Funny)

tkw954 (709413) | more than 6 years ago | (#20540245)

Ophcrack live (CD) does not crack all windows passwords, only about 99%

Can you please post a list of the remaining 1% and their hashes?

special chars (2, Insightful)

Anonymous Coward | more than 6 years ago | (#20539773)

And that's exactly the reason why I prefer using passwords like: k|$$mY/\rs3

Re:special chars (1)

allthingscode (642676) | more than 6 years ago | (#20539943)

The fun part about this is, I know of some password systems that prevent you from using special characters. No idea why.

Special characters are BAD for password security (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20540289)

That is actually still a very bad idea from a brute force attack perspective.

Most good brute force attacks will focus on chaining words together and permuting all the 1337speak versions of the passwords. An example is John The Ripper, which is rule-based and will therefore crack based on the probability that two characters will be next to each other... and a whole stack of interesting and complicated rules. It can work around deliberate spelling errors and random characters inserted in the middle as well.

Seeing as most IT admins pick dictionary passphrases and convert them to 1337speak, the approach I mentioned above can be VERY fast & effective.

The other problem is that out of the character set (a-z,A-Z,0-9,punctuation) you are using far more punctuation symbols and numbers than what would be expected in a purely random password. Using this knowledge, you can dramatically decrease the brute force cracking time.

I'm surprised people still use passwords. People need to get off their asses and set up public key cryptography for all their authentication.

Or at the very least, turn off LanManager hashes from being stored in the SAM database on the Windows machine (and also disable all protocols which aren't NTLMv2).

First three entries in the table (5, Funny)

HangingChad (677530) | more than 6 years ago | (#20539783)

(blank)

password

password1 That formula will crack 90% of Windows passwords out there. The remaining 10% are what the other 14.999999 GB in the table are for.

Re:First three entries in the table (4, Funny)

Rob T Firefly (844560) | more than 6 years ago | (#20539935)

Amazing! That's the same password I have on my luggage!

Re:First three entries in the table (1)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#20540997)

"Amazing! That's the same password I have on my luggage!"

Me too! My password is *blank* since I use a key and lock on my luggage.

Re:First three entries in the table (1)

TheThiefMaster (992038) | more than 6 years ago | (#20541263)

Don't forget *SameAsUsername*.

Things to note (2, Interesting)

nsanders (208050) | more than 6 years ago | (#20539851)

The title is a bit of a stretch. Some simple techniques can help protect yourself from these attacks. Using special characters will greatly increase the strength of your password, since the rainbow set for ALL characters is 64GB in size. Also, a LONG password, even of simple words, can increase the complexity due to its length. Something as simple as my!dear!aunt!sally would be far stronger than 1pass!

Some additional info on this topic can be seen here: http://druid.caughq.org/papers/Mnemonic-Password-Formulas.pdf [caughq.org]

Windows security.... (5, Funny)

Mc1brew (1135437) | more than 6 years ago | (#20539859)

Windows has a security feature it uses when a user attempts to create a 15Gb table called "crashing". This makes it extremely difficult to break in using the tool defined.....

WHO THE PHUCK TAG THIS ARTICLE AS ... (1, Offtopic)

soccer_Dude88888 (1043938) | more than 6 years ago | (#20539893)

"Saltmakeseverythingbetter"...

WHEN SOMEONE HAD TO SPEND ONE NIGHT IN JAIL because he put too much salt on a burger?

http://www.msnbc.msn.com/id/20677230/?GT1=10357 [msn.com]

DEATH TO FASCISM (0)

Anonymous Coward | more than 6 years ago | (#20540363)

In Soviet Russia, you eat hamburger,

In Fascist Amerika, hamburger eats you!

Of course it worked! (1)

Spy der Mann (805235) | more than 6 years ago | (#20540587)

Burger without salt = anybody can mug you for your money
Burger WITH salt = You have a full security team recording who comes to visit you, and you have this barrier of protection with reinforced steel bars! PLUS - you have the right to make a call!

See? With salt it's much more secure! :D

Salting Your Hashes (1)

bjackson1 (953136) | more than 6 years ago | (#20540791)

They are referring to the encryption technique of salting the hashes:

Salts also help protect against rainbow tables as they, in effect, extend the length and potentially the complexity of the password. If the rainbow tables do not have passwords matching the length (e.g. 8 bytes password, and 2 bytes salt, is effectively a 10 byte password) and complexity (non-alphanumeric salt increases the complexity of strictly alphanumeric passwords) of the salted password, then the password will not be found. If found, one will have to remove the salt from the password before it can be used.
Shamelessly quoting: http://en.wikipedia.org/wiki/Salt_(cryptography) [wikipedia.org]
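The point of the quoted paragraph, as an added example that is not part of the post or of Ophcrack: a precomputed table maps hash to plaintext with one lookup, but a per-user random salt means the stored digest never appears in any table built ahead of time. SHA-256 and the six-word list are constructed stand-ins for illustration, not the Windows hash.

```python
import hashlib
import hmac
import secrets

# Constructed word list standing in for the inputs of a precomputed (rainbow) table.
WORDLIST = ["password", "password1", "letmein", "qwerty", "123456", "monkey"]

def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The precomputed table: built once, reused against any hash dump that was
# produced without a salt. Lookup costs one dictionary access, no hashing.
TABLE = {h(w.encode()): w for w in WORDLIST}

def store_unsalted(password: str) -> str:
    """The weak form: identical passwords give identical, table-searchable digests."""
    return h(password.encode())

def store_salted(password: str, salt: bytes = None) -> str:
    """Per-user random salt kept beside the digest as 'salthex$digest'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt.hex() + "$" + h(salt + password.encode())

def table_lookup(stored: str):
    """What the precomputed table can recover from a stored value, or None."""
    digest = stored.split("$", 1)[-1]
    return TABLE.get(digest)

def verify_salted(stored: str, candidate: str) -> bool:
    """Legitimate verification re-derives the digest with the stored salt."""
    salt_hex, digest = stored.split("$", 1)
    recomputed = h(bytes.fromhex(salt_hex) + candidate.encode())
    return hmac.compare_digest(recomputed, digest)
```

Two users with the same salted password also end up with different stored values, so a single table entry could not cover both even if someone built one per salt.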

Translation Manual not included (1)

drrck (959788) | more than 6 years ago | (#20539909)

I don't speak broken English. Can someone translate TFS for me?

Re:Translation Manual not included (1)

Cracked Pottery (947450) | more than 6 years ago | (#20540181)

I think it means something like Too bad fool, shucks.

Careful? (1, Insightful)

miguel (7116) | more than 6 years ago | (#20539913)

"but be careful: the generated tables that Ophcrack uses are really big, and you should need up to 15 Gbytes to store these tables."

Since when were 15 gigs considered "really big"?

Aren't people at conferences handing out USB sticks as schwag with 493424 gigs these days in exchange for your business card?

Re:Careful? (1)

BlackSnake112 (912158) | more than 6 years ago | (#20540543)

"Aren't people at conferences handing out USB sticks as schwag with 493424 gigs these days in exchange for your business card?"

Please let me know what conferences are handing out USB sticks that are 493,424 Gigs in size! I can only find 16GB USB sticks available.

Editors at it again... (0, Troll)

lixee (863589) | more than 6 years ago | (#20539919)

An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discover virtually any password in Windows operating systems.
Please CmdrTaco, do your job.

Re:Editors at it again... (1)

bhima (46039) | more than 6 years ago | (#20540783)

Slashdot has no editors.

Only copyists.

Lousy password - no dashes or underscores (0)

Anonymous Coward | more than 6 years ago | (#20539959)

Put a few non-numbers and non-letters in the password. That short 160 second breaking time will balloon up very quickly.

This is why two factor authentication is necessary (3, Informative)

colinmcnamara (1152427) | more than 6 years ago | (#20540043)

This is a prime example of the need for a multi layered security model for authentication and authorization of your systems. There are many vendors that supply two factor authentication methods (RSA being the most well known) that provide for one time passwords. Techniques like this effectively mitigate the risk of a user account compromised by use of a hash table like this. BTW, this is nothing new. Rainbow tables have been out for ages. --Colin

Re:This is why two factor authentication is necess (4, Interesting)

RingDev (879105) | more than 6 years ago | (#20540311)

Or simply require your users to have passwords at least 15 characters long. There was an article out of MS a year or so ago about how the "password" is dead and that "pass phrases" will take over. Not a very well written article, but it did go over the weaknesses of short passwords, hashes, and rainbow files. They are essentially the same thing, only pass phrases are longer... much longer. Instead of having to remember "HYjK))w!x%" (which, if LM hashed, can be cracked by a rainbow file in short order) you can remember "This is the passworrd for my new computerr". No one is going to carry a 5 terabyte rainbow file around to try to crack a password that long. And brute force would take years. Given a few spelling mistakes, a dictionary attack will fail.

-Rick

Windows passwords Secure? (5, Informative)

nick13245 (681899) | more than 6 years ago | (#20540115)

First of all, ophcrack only comes with alpha-numeric tables for LM hashes. If you have special characters in your password, you'll have to generate your own table, which takes a very long time, and a lot of hard drive space. Ophcrack does not have the ability to generate Rainbow tables as the article suggests... Second of all, Ophcrack only works well against LM hashes, because with LM hashes, passwords are split into 7 byte halves, then hashed. So you only have to have tables that go up to 7 characters with LM hashes. If you disable LM hashes on your Windows box, and use NTLM hashes, the entire password is hashed, and is not split up. So if you pick a good password, with special characters, that's fairly long, it will be pretty much impossible to crack if you're using NTLM only. Even with rainbow tables... The problem is Windows XP (by default) stores passwords as LM and NTLM hashes. So if an attacker can get the LM hashes, they can crack your password easily. You can hack the registry and keep Windows from storing LM hashes. See http://support.microsoft.com/kb/299656 [microsoft.com]
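The structural weakness described above and in the 15-character pass-phrase post, as an added model that is not part of either post or of Ophcrack: LM uppercases the password, pads it to 14 bytes and hashes the two 7-byte halves independently, while the NT scheme hashes the whole case-preserved password once. The real LM primitive DES-encrypts a constant under each half as key; SHA-256 stands in for it here so the block runs on the standard library, and the checks below are about the scheme's shape, not the primitive.

```python
import hashlib
from typing import Optional

def _half_hash(half: bytes) -> str:
    # Stand-in for the per-half DES step; only the independence of the halves matters.
    return hashlib.sha256(half).hexdigest()[:16]

def lm_style_hash(password: str) -> Optional[str]:
    """Model of the LM scheme. Returns None where Windows stores no LM hash at all:
    a password longer than 14 characters cannot be represented in two 7-byte halves."""
    if len(password) > 14:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(14, b"\0")
    return _half_hash(padded[:7]) + _half_hash(padded[7:])

def nt_style_hash(password: str) -> str:
    """Model of the NT scheme: one hash over the entire UTF-16LE password, case kept."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()[:32]

# The second half of every password of 7 characters or fewer hashes to this constant.
EMPTY_HALF = _half_hash(b"\0" * 7)

def second_half_is_empty(lm_hash: str) -> bool:
    """Defender's check on a dump: an empty second half means the password is at
    most 7 characters, i.e. a single small table search rather than two."""
    return lm_hash[16:] == EMPTY_HALF

def lm_weaknesses(password: str) -> dict:
    """Summarise what the LM scheme gives away for one password."""
    lm = lm_style_hash(password)
    if lm is None:
        return {"lm_stored": False}
    return {
        "lm_stored": True,
        # Case is discarded before hashing, so mixed case adds no strength.
        "case_insensitive": lm_style_hash(password.lower()) == lm,
        "seven_or_fewer": second_half_is_empty(lm),
        # The first 7 characters alone reproduce the first half: halves are independent.
        "halves_independent": lm[:16] == lm_style_hash(password[:7])[:16],
    }
```

A 14-character alphanumeric LM password therefore costs two 7-character table searches, not one 14-character search, which is why a 15-character password (no LM hash stored) or the registry setting the post links to removes the easy path.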

In other words... (1)

Spy der Mann (805235) | more than 6 years ago | (#20540263)

you're telling me that my Hotmail or Yahoo! passwords are much more difficult to crack than the Windows one?

Jeff Atwood is a hack (1)

Nick of NSTime (597712) | more than 6 years ago | (#20540287)

No pun intended.

Not MY password! (1)

GabeN (1154469) | more than 6 years ago | (#20540375)

You twits! Nobody will ever find out my password!

Rainbow Tables anyone? (1)

sat1308 (784251) | more than 6 years ago | (#20540399)

So why is this news? Haven't Rainbow Tables been around for several years now? I remember I was looking into them when I wanted to crack my high school network admin's password (turns out I didn't need to, it was 3 characters long).

There's no need to crack the password (4, Interesting)

hernano (1154471) | more than 6 years ago | (#20540503)

Hi, there's no need to crack the LM&NT hashes of a password, you can use the hash directly on Windows using this tool: http://oss.coresecurity.com/projects/pshtoolkit.htm [coresecurity.com] basically you can impersonate on your own Windows machine any user if you have the hash, and then use your Windows machine to authenticate to services using that user's credentials. There's no need to know the cleartext password, unless you explicitly want to know the cleartext password to test it on other services that do not use NTLM authentication.

Re:There's no need to crack the password (1)

archen (447353) | more than 6 years ago | (#20541151)

You know, I was sort of worried about all of this stuff at first, but it's been well known that Windows stores lanman hashes for a while now, and you can force NT hashes by using a long enough password. So I figured this is really all old news.

But thankfully you've managed to instill that paranoia back in me. Thanks dude =P

who cares (1)

stenn (1086563) | more than 6 years ago | (#20540525)

if you are already on the local box, then install a keylogger.. why bother trying to crack a database?

I smell a dupe ... (0)

Anonymous Coward | more than 6 years ago | (#20540811)

power inside l0phtcrack ...

there, fixed that for ya. This was news in 1999, y'all. Seriously, this story is proof that CmdrTaco is posting stories to troll.

3,735,928,559 articles on Slashdot, and "news" is a decade-old dupe.

Already in Debian (1)

paulproteus (112149) | more than 6 years ago | (#20540831)

Just a heads-up to those looking to install it easily: This program is already in Debian, thanks to the work of Adam Cécile (Le_Vert). You can see it on the packages page at http://packages.debian.org/lenny/ophcrack [debian.org] .

Big deal (1)

TheLink (130905) | more than 6 years ago | (#20541155)

Actually this doesn't mean you should panic and start using difficult passwords for Windows.

This just means you shouldn't use the same passwords for Windows as you do for other stuff.

If someone can successfully run Ophcrack on your system (or its lanman hashes) it means they're already in, and they probably already have access to the data they want (can install rootkits, keyloggers etc).

It's laughable to think someone is going to physically bring it to your machine and _bother_ using it without your cooperation. Might as well just boot the "Offline NT Password & Registry Editor" disk.

If the "rules" are no reboot then it's far easier to plug in a USB or firewire device and instantly take over your system.

A cleaner could also stick in a hardware keylogger whilst being so nice as to clean the crud from your keyboard.

Being worried about this is like being worried that someone in your house could take photos of your keys, and make duplicates.

On that subject, if a real snoop is targeting you, with all those high res cameras available, they could in theory take pictures of your keys when they are visible e.g. just before you use them (or if you dangle them about somewhere, on your person, or even in the house but visible from outside) and then get in later with no fuss - no need for the lockpick crap or even bumpkey stuff (bumpkeys don't work with certain sort of locks).

Burglars will just break in.