Swiss Researchers Exploit Windows Password Flaw
Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."
A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical password hashes (2^37) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."
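The 4,096 factor quoted above matches the 12-bit salt (2^12 values) of traditional Unix crypt(3) hashes, which the Windows password hashes lack. The following Python example is an added illustration, not code from the article or the EPFL paper: it shows why one precomputed table covers every unsalted account while a salted scheme needs a separate table per salt value. Assumptions: SHA-256 and a plain lookup table stand in for the real hash functions and the researchers' time-memory trade-off tables, and the alphabet, users and passwords are constructed.

```python
import hashlib
from itertools import product

ALPHABET = "abc123"   # constructed tiny alphabet so the demo runs instantly
MAX_LEN = 3
SALT_BITS = 12        # traditional crypt(3) salt size: 2**12 = 4096 values


def h(password, salt=None):
    """Stand-in hash (SHA-256); NOT the LM hash or crypt(3)."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    return hashlib.sha256(prefix + password.encode()).hexdigest()


def candidates():
    """Every password of length 1..MAX_LEN over ALPHABET."""
    for n in range(1, MAX_LEN + 1):
        for chars in product(ALPHABET, repeat=n):
            yield "".join(chars)


def build_table(salt=None):
    """Precompute digest -> password for one salt value (or for no salt)."""
    return {h(p, salt): p for p in candidates()}


def entries_needed(salted):
    """Table entries required to cover the whole keyspace."""
    keyspace = sum(len(ALPHABET) ** n for n in range(1, MAX_LEN + 1))
    return keyspace * (2 ** SALT_BITS if salted else 1)


def demo():
    table = build_table()  # built once, reusable against any unsalted hash
    # Constructed sample accounts: same password, stored two ways.
    unsalted_db = {"alice": h("a1b"), "bob": h("a1b")}
    salted_db = {"alice": (7, h("a1b", 7)), "bob": (2901, h("a1b", 2901))}

    unsalted_hits = {u: table.get(d) for u, d in unsalted_db.items()}
    salted_hits = {u: table.get(d) for u, (_, d) in salted_db.items()}
    # A table built for salt 7 recovers only the account that uses salt 7.
    per_salt_hit = build_table(7).get(salted_db["alice"][1])
    return unsalted_hits, salted_hits, per_salt_hit


if __name__ == "__main__":
    print(demo())
    print(entries_needed(False), "entries unsalted vs",
          entries_needed(True), "with a 12-bit salt")
```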
I always thought there was something wrong with Microsoft's password "encryption." Now it's confirmed.
Apparently you didn't see this article...
C:\>
13.6sec * 4096 = 55705.6sec
= 928.4...min
= 15h 28min 25.6 sec
What hardware are they running this on? (Here is where someone replies RTFA.) I would have hoped that it would take longer...
I've seen tools to crack Windows NT passwords for years now, most of them in the form of a Linux bootdisk (I keep one here, in case of emergency, break glass...)
Granted, this is different, as the Swiss in this article basically reverse-engineered the algorithms for password encryption, whereas all the bootdisk does is re-hash the registry entry containing the desired password.