Slashdot Mirror

← Back to Stories (view on slashdot.org)

Swiss Researchers Exploit Windows Password Flaw

Posted by timothy on from the sigh dept.

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."

4 of 519 comments (clear)

  1. physical access by MORTAR_COMBAT! · · Score: 4, Interesting

    Boot from this floppy

    Because this doesn't require physical access to the machine? Because now some l33t d00d from another country can get passwords?

    --
    MORTAR COMBAT!
  2. Re:I don't understand by whorfin · · Score: 4, Interesting

    The beauty is, consider these email virii applications of this...
    - Somebody reads an email with a simplified hack based on this embedded within it (don't need the whole dataset, you just reduce your hit rate)
    - They unwittingly send back the machine info and an admim-level password to the hacker. (where I work, all 'owners' have admin rights on their system).
    - From this, they can get admil-level access permanently, as well as a chance to download the full crack via a backdoor and get the network admin password, and from there, the whole network.

    --
    Laugh while you can, monkey-boy!
  3. Re:Only 4096 more time on Unix ? by pclminion · · Score: 4, Interesting
    I think they might be assuming a 12-bit salt added to the hash. This would make the hash dictionary 4096 times larger, since they would have to compute the hash of each password 4096 times (for each possible 12-bit salt value).

    If this is the case, it implies that Windows password hashes do not use salts. Now, I'm not claiming that salting makes the process secure (it doesn't), but it does make it orders of magnitude more intensive to compute a complete hash dictionary. At the expense of 12 bits per password (hell, use more if you want!) it seems worth it to use salts.

  4. UNIX uses 64 bits salt by phkamp · · Score: 5, Interesting
    The MD5 based password scrambler I wrote for FreeBSD in 1994 uses a 64 bit salt, and has subsequently been adopted by NetBSD, OpenBSD, Cisco GLIBC and pressumbably MAC OSX.

    There is no immediate future for a table driven attack on this algorithm (Which can be recognized by the '$1$...' prefix.

    HP-UX, Solaris and AIX, however still use the old 12 bit salted DES derived passwords.

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...