Slashdot Mirror

← Back to Stories (view on slashdot.org)

Swiss Researchers Exploit Windows Password Flaw

Posted by timothy on from the sigh dept.

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."

8 of 519 comments (clear)

  1. Performance increase by levik · · Score: 5, Insightful
    THis sort of performance increase is only useful for Mission Impossible type movie spies... I mean come on - who can't wait 100 seconds???

    People are really running out of interesting stuff to "research", aren't they...

    --
    Ñ'
    1. Re:Performance increase by Marx_Mrvelous · · Score: 5, Insightful

      You obviously aren't a computer scientist (or a computer hacker). What they got was a power of ten increase (roughly). This is a significant improvement because it is not simply incremental. Look at it this way:
      Let's say it usually took 200 days to crack a password. A company could enforce a 90-day (3 month) requirement to change passwords, and a brute force technique would have roughly a 1-in-2 chance of getting a password in any given 90-day period. Now they increased it by a factor of 10.
      Now it takes 20 days to crack a password. If the company want to keep the same level of password security, users would have to change their passwords every 7 days!

      This is a pretty big issue.

      --

      Moderation: Put your hand inside the puppet head!
  2. I don't understand by Trelane,+the+Squire · · Score: 5, Insightful
    While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.
    if a hacker had administrator rights, wouldn't it already be game over? On the other hand, a 20 gb hack isn't extremely portable
  3. So? by ioErr · · Score: 5, Insightful

    13.6 seconds or 101 seconds doesn't make much difference, now does it? The real problem is still getting administrator access to the target computer in the first place.

  4. With distributed computing, why bother? by jeeves99 · · Score: 5, Insightful

    Cracking becomes easier if you have access to a distributed network. Parse the table into managable chunks and throw it out to 100 computers. While the time taken to crack the password might not scale down in a linear fashion [ie: time/(N computers)], it will most definately drop the crack time down to less than an hour for those computers with 12bit salts (4906*.6min= 41 hr, 41hr/100comps= 25 minutes).

    Even if the 12 bit salt for mac/linux/etc was increased in size, a scale up in the number of computers used would defeat this added protection. The trend in the comp world seems to be more connectivity between large numbers of computers. All it takes is one disgruntled folding@Home grad student out at stanford to break even the most stringent password.

    It seems that increasing the size of the salt would prevent the average script kiddie from breaking your password, but does nothing to alleviate the threat distributed computing presents. So what other options are there?

  5. Re:Gee... by ncc74656 · · Score: 5, Insightful
    I always thought there was something wrong with Microsofts password "encryption." Now it's confirmed.

    Why bother cracking NT (and Win2K/XP) passwords when you can just overwrite them? Boot from this floppy and you can change any local password (including the administrator). It's been useful on more than one occasion at work...when somebody quits or is fired, I can go in and retrieve everything in just a few minutes.

    That they're nearly as trivial to crack is somewhat disturbing...but given the ready availability of the password changer, it doesn't make Windows significantly less secure than it already is (hell, it can't get much less secure).

    --
    20 January 2017: the End of an Error.
  6. Re:No salt by Anonymous+Struct · · Score: 5, Insightful
    To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.

    I think the customers only ignore it because they've been bred on Win9x, which sort of casually asked if you felt like typing in a password, but didn't really care one way or the other if you actually did. You can't train people that passwords don't matter for 7 years and then expect them to start caring about security when you finally decide to implement it. So now we have a sea of internet users who don't know or care one whit about security all because they've been taught from the very beginning that all they ever have to do is plug it in, turn it on, and start browsing.

  7. Re:This is why... by enomar · · Score: 5, Insightful

    I read the parent post as, "Because MS uses security through obscurity, many people think that Linux distros are inherently more secure than MS." I think he meant that security through obscurity doesn't work very well.

    Building a lock that cannot be picked by a blind man is a lot easier (and less effective in the real world) than building a lock that cannot be picked by someone with the blueprints.

    --

    :wq