Slashdot Mirror


Swiss Researchers Exploit Windows Password Flaw

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical password hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."
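The 4,096 factor quoted above is the cost a 12-bit salt imposes on any precomputed table. The script below is an added illustration, not code from the Slashdot story or the EPFL researchers: over a constructed three-letter password space (SHA-256 stands in for the real hash functions) it builds a digest-to-password table once, shows that the table answers an unsalted digest with a single lookup, and shows that the same table is useless against a salted digest unless the attacker builds one table per salt value.

```python
import hashlib
import itertools
import string

# Constructed toy space: 3 lowercase letters (26**3 = 17,576 candidates) stands in
# for the 2^37 alphanumeric space in the summary; SHA-256 stands in for the real hash.
ALPHABET = string.ascii_lowercase
LENGTH = 3
SALT_BITS = 12            # a 12-bit salt is where the quoted 4,096 factor comes from


def unsalted_hash(password: str) -> str:
    """No salt: a given password always produces the same digest, everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: int) -> str:
    """A salt (stored next to the digest) is mixed in before hashing."""
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def build_table(hash_fn) -> dict:
    """Precompute digest -> password over the whole toy space; done once, reused forever."""
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        pw = "".join(chars)
        table[hash_fn(pw)] = pw
    return table


def lookup(table: dict, digest: str):
    """Recovering a password from a precomputed table is a lookup, not a search."""
    return table.get(digest)


def tables_needed(salt_bits: int) -> int:
    """Every salt value changes every digest, so the precomputation multiplies."""
    return 2 ** salt_bits


# One unsalted table covers every account on every system that hashes this way.
UNSALTED_TABLE = build_table(unsalted_hash)


def demo():
    stolen = unsalted_hash("cat")              # constructed stolen digest, no salt
    cracked = lookup(UNSALTED_TABLE, stolen)   # instant hit
    salt = 0x5A5                               # constructed 12-bit salt value
    salted = salted_hash("cat", salt)
    miss = lookup(UNSALTED_TABLE, salted)      # None: the shared table is useless
    per_salt = build_table(lambda pw: salted_hash(pw, salt))
    hit = lookup(per_salt, salted)             # works, but only for this one salt
    return cracked, miss, hit, tables_needed(SALT_BITS)


if __name__ == "__main__":
    print(demo())
```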

40 of 519 comments

  1. This is why... by mgcsinc · · Score: 5, Funny

    This is why I use Biopassword. Perhaps their encryption method is just as insecure as Microsoft's, but at least there aren't quite so many Swiss researchers trying to crack it...

    1. Re:This is why... by Robmonster · · Score: 3, Funny

      Security through Obscurity is the reason that many people think that Linux distros are inherently more secure than MS.

      --
      I have no sig yet I must scream.
    2. Re:This is why... by Charleton+Heston · · Score: 5, Funny

      I use plaintext. Granted, some people are working on cracking plaintext, but they are almost always in a 1st grade reading class and I ain't scared of them.

      --
      ======
      Get your stinking paws off me, you damned dirty ape!
    3. Re:This is why... by GodsMadClown · · Score: 3, Funny

      Haven't you heard? Win XP has raw sockets enabled. That's what's got Steve Gibson of GRC.com fame all hot and bothered. Take a look at http://grc.com/dos/intro.htm for a little healthy paranoia.

    4. Re:This is why... by Jason_says · · Score: 2, Funny

      Hell, I've seen ones where all you have to do is take out the little battery and wham, you're in there.

    5. Re:This is why... by sharkey · · Score: 2, Funny
      404 File Not Found

      Come on, everybody knows that one.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  2. Well, by TedTschopp · · Score: 4, Funny

    I sure hope we aren't using Microsoft Technology for anything important like National Security? Cause that would suck!

    Please Advise, I don't know how to think about this story, I'm a Swiss-American.

    Ted

    --
    Fantasy remains a human right; we make in our measure and in our derivative mode... -- JRR Tolkien
  3. Surprise Surprise by falcon5768 · · Score: 2, Funny

    Microsoft's vulnerable, wow, I didn't know??? Granted, every OS on the planet is vulnerable given enough time and research into it. Now if someone would forward this little article to the Department of Homeland Security, maybe they might second-guess their Microsoft solution ;-).

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  4. Yoddle-Aay-Hee-Hooo by ambisinistral · · Score: 5, Funny
    This post isn't by me, it is by some Swiss guy who hacked my /. password to make me look bad.

    --

    deserve's got nothing to do with it...

    1. Re:Yoddle-Aay-Hee-Hooo by alchemist68 · · Score: 2, Funny

      You are truly evil. You IMPLY that Slashdot is running on Borg Technology. Bad form ambisinistral, bad form. That would crush the hearts of all geeks alike. Hell, that would cause mass rioting.

      To Redmond we go! Everyone click:

      http://www.microsoft.com/

      C'mon geeks, nerds, and dweebs UNITE. We can Slashdot the Borg and overtake the monopolistic oppression we are so tired of battling.

  5. Re:Performance increase by Robmonster · · Score: 3, Funny

    If they ever invent a toilet door with password protection I'm sure those 100 seconds will come in VERY handy in an emergency.

    --
    I have no sig yet I must scream.
  6. Of course the Swiss were able to hack it... by JDRipper · · Score: 5, Funny

    They've got those great knives after all.

    --
    "You know Myra, some people might think you're cute. But me, I think you're one very large baked potato."
  7. I hope someone hacks my passwords at work by gorjusborg · · Score: 5, Funny

    I hope someone hacks my passwords at work and deletes this stinking code I'm debugging.

    Oh, and the backups too. Just point your password crackers to ...

    --
    If it's not one thing, it's Steve's Mother
    1. Re:I hope someone hacks my passwords at work by codexus · · Score: 4, Funny

      Don't worry your boss has probably printed the whole thing already and you'll just have to retype it all including all the bugs.

      --
      True warriors use the Klingon Google
  8. This week only by Ptahian · · Score: 4, Funny

    I smell a sale coming!

    New New NEW. Lower Prices! Krazy Bill is just GIVING these away. Come on down. He's Krazy Krazy KRAZY to license this software with these terms! Get yours TODAY!

  9. What The...? by tds67 · · Score: 4, Funny

    Why do I keep getting ads for watches and chocolate now?

  10. They *exploit* a Windows password flaw? by YetAnotherName · · Score: 3, Funny

    Sensational headline, don't you think Timothy? Swiss Researchers *exploited* a password flaw?

    I guess you could argue they *exploited* it in order to publish their research results, as much as a planetary scientist exploits images of Mars to publish a new theory on subsurface water.

  11. I've always taken Microsoft security... by wfberg · · Score: 3, Funny

    with a grain of salt.

    rimshot

    --
    SCO employee? Check out the bounty
  12. Woah! They better patch this! by Anonymous Coward · · Score: 1, Funny

    From a few minutes to a few seconds? I hope they can patch this somehow and get it back to a few minutes.

  13. Re:Scary stuff... by PaizuriTatsujin · · Score: 5, Funny

    What we need is no passwords at all and a midget sitting on everyone's desk guarding their computer.

    When that happens I'll feel safe

  14. I for one welcome our new Swiss Overlords!!! by Picass0 · · Score: 5, Funny

    13.6 seconds! Aren't swiss watches wunderful?

  15. Wow, less memory? by Nanite · · Score: 5, Funny

    Windows uses less memory to do this trick than Linux. Who knew Windows was so efficient at handling memory when being hacked?

    Nanite

    --
    God is real unless declared integer.
  16. Re:Scary stuff... by b!arg · · Score: 5, Funny

    Midget? No...Troll...and god knows we have enough of those around to take care of the demand. Maybe it'll solve our unemployment problem too.

    Before you can logon you must answer three questions...

    --

    Everybody dies frustrated and sad and that is beautiful
  17. Re:Performance increase by mikeophile · · Score: 4, Funny

    So since this exploit takes an average of 13.6 seconds, do users need to change their passwords every 4 seconds?

  18. Company Memo: New security procedures. by barracg8 · · Score: 5, Funny
    All,

    As you know we have a company security policy based around frequently changing passwords, in order to keep our Windows network secure.

    Previously, as you are all no doubt aware, you were required to change your Windows passwords once every 90 seconds, since NT passwords can be cracked in 100 seconds flat.

    Due to recent developments in MS password cracking, we will now be requiring all employees to change their passwords once every 10 seconds, to ensure they remain secure.

    We hope this will not detract from productivity, and apologise for any inconvenience it does cause.

    thanks,
    Management

    1. Re:Company Memo: New security procedures. by superyooser · · Score: 2, Funny

      In related news, the stock price of 3M Inc., maker of Post-It (R) notes, jumped 30 points today.

  19. Re:Scary stuff... by Dorothy+86 · · Score: 1, Funny

    What is your name?
    What is your quest?
    What is the airspeed velocity of an unladen swallow?

    maybe these three perhaps?

  20. Dictionary Attack by ewn · · Score: 2, Funny

    Wow, these guys just invented the dictionary attack!

  21. Re:Performance increase by Surak · · Score: 2, Funny

    Yes. In fact, I'm adding that to the global password policies on my servers right now as I type this.

    The users'll complain, but we'll be secure from this exploit!

  22. Re:Performance increase by M00TP01NT · · Score: 5, Funny

    Yes, and soon we'll be at a point where the password will be changing so fast you can run a brute-force attack with a static keyword!

  23. Re:With distributed computing, why bother? by rnd() · · Score: 3, Funny

    I can see it now. People calling tech support saying "I just got a haircut and now my computer says 'Invalid Passpicture'".

    --

    Amazing magic tricks

  24. Re:Performance increase by cioxx · · Score: 2, Funny

    Seems insecure compared to my job circa 1998. It was a traditional brick-and-mortar company sandwiched in between 2 dotcom startups on the top and bottom floors. The management thought it would be an excellent idea to implement Orwellian concepts throughout the damn place with magnetic cards which included access to restrooms and pretty much every room throughout the building. A few months later it turned out these fucks from HR were tracking employees who would take excessive breaks by going through the usage log and checking against the ID.

    3-digit passes are a blessing compared to that nightmare.

  25. Re:How Linux can defeat Bill Gates and Micro$oft by palewhitemale · · Score: 1, Funny

    I hate my life....why do I even read the posts anymore....

  26. Re:Performance increase by Tackhead · · Score: 4, Funny
    > Solution:
    > 1.Wipe the pad clean.
    > 2.Wait a few hours.
    > 3.Blow chalk on it and brush gently.
    > 4.Note which 3 digits have chalk stuck to them.
    > 5.Try the six possible combinations.
    > 6.Bingo! You're an executive.

    Tried it. No chalk remaining on any of the four pads.

    > YMMV, depending on whether you have execs of the sweaty oily finger variety, or the scaly lizard species.

    Incidentally, what's the polite way of telling your boss he's got chalk on his nose, especially on a day when he seems to be real pissed off about something, but he won't say what's buggin' him? He's got a press conference in 20 minutes, and I don't know how to bring this up.

    "Mr. Valenti, you have chalk on your nose" seems too direct, don't you think?

  27. Re:Scary stuff... by maunleon · · Score: 3, Funny

    You have to guard on the network as well. So you could have a troll sitting on the router or switch.

    Or bridge..

    A Troll Bridge?

    Ha!

  28. Either Or by telstar · · Score: 2, Funny
    "According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."

    Do we get to choose?
  29. simple solution.. by Anonymous Coward · · Score: 1, Funny

    "If your passwords consist of letters and numbers, beware." This is why I only use spaces in my passwords.
    Except for the really important ones.. I leave those null.

  30. Oh no! What about my PWLs! by dmccarty · · Score: 2, Funny

    Come on, this is just a bunch of anti-American FUD by the Swiss. It's widely known that the .pwl encryption method is the safest in the world!

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  31. Security Researchers recommend hash, LSD next? by shpoffo · · Score: 2, Funny

    In a recent report, Swiss researchers advocated the use of "a good hash" in computer security matters. Quoted one researcher, David Dittrich: "...you can escalate your privilege and slowly move your way through the network. If you can get your hands on the hash, then game over." [emphasis added]

    With the recent wave of DMT experimentation in Silicon Valley, CA, US, government agents are on the alert. U.S. Attorney General John Ashcroft may have stated "As computer specialists may not choose to consume psychoactive parts of nature, our Persecution Roadmap is unlikely to change.... unfortunately"

    At the time of writing, the Swiss government was on Swatch Internet Time, and could not be coordinated with for comment.

  32. Re:You forgot... by Flower · · Score: 2, Funny
    You forgot.

    Step 1.5.1 Stuff donuts with laxatives before distributing them.

    Of course, afterwards you're probably going to want to use a different bathroom...

    --
    I don't want knowledge. I want certainty. - Law, David Bowie