Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

17 of 249 comments

  1. There's no way they're getting my password! by eln · · Score: 4, Funny

    Ha, I've got these fools beat! I don't even USE a password on my Windows box. I'd like to see you try and crack MY password!

    1. Re:There's no way they're getting my password! by eln · · Score: 4, Funny

      norad:~# You may be able to crack it, but you're cheating. Clearly, working at NORAD you have access to ultra top-secret military-grade cryptographic techniques not available to your average cracker.

    2. Re:There's no way they're getting my password! by AuMatar · · Score: 3, Funny

      Given the government's computer security, I'm fairly sure NORAD *IS* available to the average hacker.

      --
      I still have more fans than freaks. WTF is wrong with you people?

    3. Re:There's no way they're getting my password! by StikyPad · · Score: 3, Funny

      More importantly, just like the bathroom, you generally need physical access to the machine (short of some remote exploit, trojan, rootkit, etc., in which case your password is irrelevant anyway). It's a well known axiom that if an attacker has physical access to a machine, all bets are off.

  2. So... by InvisblePinkUnicorn · · Score: 4, Funny

    So basically, if I want to find out the passwords on someone else's computer, I have to bring along a high capacity DVD's-worth of data as well? I might as well just pretend I'm their tech support and ask for the password.

    Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was (the prize was an A for the year - dumb teacher).

    1. Re:So... by Anonymous Coward · · Score: 5, Funny

      "Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was"

      But then, you didn't really guess his screensaver password. So no prize should have been given to you.

      "(the prize was an A for the year - dumb teacher)."

      Pretty dumb to give away grades, I agree. But, then, no one expects the Spanish algorithm!

  3. Couple things by BadAnalogyGuy · · Score: 5, Funny

    "Passwords should never be saved as plaintext"

    Tell that to /etc/passwd, bitch!

    Second, if you've computed all possible hash values for all possible character combinations, then it really doesn't matter what your password is, since you only have to have the input hash to the correct hash value. Since an infinite number of character strings map to a finite number of hash values, it is only a matter of building the tables before you can hack any system.

    Third, if your only defense against this type of attack is a single password, you're screwed.

    Fourth, if you are worried about this sort of attack and you still live with your parents, it's probably not really too critical that you implement heavy-duty, multiple-hardened points on your Gentoo system right now. You'll have plenty of time to implement that sort of security after you finish your current bag of Cheetos.
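An added illustration (not part of the submission or of any comment above) of the point made in the summary and in comment 3: a hash that depends on the password alone can be reversed by a table computed before the target is known, while a per-user salt makes that table useless. SHA-256 stands in for the real NT hash (MD4 over the UTF-16LE password) because MD4 is not available in every Python build; the candidate list and the salt are constructed.

```python
import hashlib
import os
from itertools import product
from string import ascii_lowercase

# Constructed candidate set: the three "entries" from comment 4 plus every
# lowercase string of up to three letters (a tiny stand-in for Ophcrack's tables).
CANDIDATES = ["", "password", "password1"] + [
    "".join(p) for n in range(1, 4) for p in product(ascii_lowercase, repeat=n)
]

def unsalted_hash(password: str) -> str:
    # Stand-in for an NT hash: a fixed function of the password alone, so the
    # same password always yields the same stored value on every machine.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # Per-user random salt: the stored value depends on salt and password.
    return hashlib.sha256(salt + password.encode("utf-16-le")).hexdigest()

def build_table(candidates) -> dict:
    # Precompute hash -> password once; this is the "immense table" the
    # summary describes, built before any target hash is known.
    return {unsalted_hash(c): c for c in candidates}

TABLE = build_table(CANDIDATES)

def lookup(stored_hash: str, table: dict = TABLE):
    # Recovery is a dictionary lookup: no hashing at all once the table exists.
    return table.get(stored_hash)

def demo():
    victim = unsalted_hash("password1")
    found_unsalted = lookup(victim)           # "password1"

    salt = os.urandom(16)                     # constructed per-user salt
    salted_victim = salted_hash("password1", salt)
    found_salted = lookup(salted_victim)      # None: the table knows no salt

    # Rebuilding the table for one salt costs as much as brute-forcing that
    # one user, and helps with nobody else; that is what salting takes away.
    return found_unsalted, found_salted, len(TABLE)

if __name__ == "__main__":
    print(demo())
```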

  4. First three entries in the table by HangingChad · · Score: 5, Funny

    (blank)

    password

    password1

    That formula will crack 90% of Windows passwords out there. The remaining 10% are what the other 14.999999 GB in the table are for.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage

    1. Re:First three entries in the table by Rob T Firefly · · Score: 4, Funny

      Amazing! That's the same password I have on my luggage!

  5. Windows security.... by Mc1brew · · Score: 5, Funny

    Windows has a security feature it uses when a user attempts to create a 15Gb table called "crashing". This makes it extremely difficult to break in using the tool defined.....

  6. Re:secure password? by a_nonamiss · · Score: 2, Funny

    I once took the time (and CPU horsepower) to generate 64GB worth of rainbow tables. I must've done it wrong, though, because it didn't work on anything. I'll happily admit that I was just puttering around, and probably forgot to set some switch somewhere. Fortunately, I had a server that I didn't need for a couple weeks. :)

    --
    -Arthur
    Cave ne ante ullas catapultas ambules

  7. Re:Test ophcrack live. by tkw954 · · Score: 3, Funny

    Ophcrack live (CD) does not crack all Windows passwords, only about 99%

    Can you please post a list of the remaining 1% and their hashes?

  8. Re:Test ophcrack live. by thePsychologist · · Score: 2, Funny

    When I took grade ten computer class for fun I made my password 115 characters (some sentence and the digits of pi), but once I forgot it the first time and had to retype it. The teacher became frustrated so he made me make it shorter.

    --
    "What lies behind us, and what lies before us are tiny matters compared to what lies within us." Ralph Waldo Emerson

  9. Re:Windows is SECURE by design. by Gazzonyx · · Score: 3, Funny

    If it's sitting on the desk, I open the box and short the CMOS for 3 seconds with its jumper, and then boot up and enter BIOS, which no longer has a password. I turn on USB and plug in my portable 80 gig drive which has all my tools. ;)

    Also, if it's Windows 98, I can blue screen the thing with a con/con from the command line and hopefully you have the thing set to reboot on BSOD.

    --
    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  10. Re:This is why two factor authentication is necess by SQLGuru · · Score: 4, Funny

    http://support.microsoft.com/kb/276304

    Or just force authentication against the MIT Kerberos domain.....

    Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes.

    --
    Layne

  11. Re:Windows is insecure by design by Oktober Sunset · · Score: 3, Funny

    Either that, or get grandpa to watch over your box with his 12 gauge day and night.

  12. Re:Test ophcrack live. by krbvroc1 · · Score: 3, Funny

    No, it just makes you very flexible, perhaps double jointed.