Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

9 of 249 comments (clear)

  1. There's no way they're getting my password! by eln · · Score: 4, Funny

    Ha, I've got these fools beat! I don't even USE a password on my Windows box. I'd like to see you try and crack MY password!

    1. Re:There's no way they're getting my password! by eln · · Score: 4, Funny

      norad:~# You may be able to crack it, but you're cheating. Clearly, working at NORAD you have access to ultra top-secret military-grade cryptographic techniques not available to your average cracker.
  2. So... by InvisblePinkUnicorn · · Score: 4, Funny

    So basically, if I want to find out the passwords on someone else's computer, I have to bring along a high capacity DVD's-worth of data as well? I might as well just pretend I'm their tech support and ask for the password.

    Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was (the prize was an A for the year - dumb teacher).

    1. Re:So... by Anonymous Coward · · Score: 5, Funny

      Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was But then, you didn't really guess his screensaver password. So no prize should have been given to you.

      (the prize was an A for the year - dumb teacher). Pretty dumb to give away grades, I agree. But, then, no one expects the Spanish algorithm!
  3. Couple things by BadAnalogyGuy · · Score: 5, Funny

    "Passwords should never be saved as plaintext"

    Tell that to /etc/passwd, bitch!

    Second, if you've computed all possible hash values for all possible character combinations, then it really doesn't matter what your password is, since you only have to have the input hash to the correct hash value. Since an infinite number of character strings map to a finite number of hash values, it is only a matter of building the tables before you can hack any system.

    Third, if your only defense against this type of attack is a single password, you're screwed.

    Fourth, if you are worried about this sort of attack and you still live with your parents, it's probably not really too critical that you implement heavy-duty, multiple-hardened points on your Gentoo system right now. You'll have plenty of time to implement that sort of security after you finish your current bag of Cheetos.

  4. First three entries in the table by HangingChad · · Score: 5, Funny

    (blank)

    password

    password1 That formula will crack 90% of Windows passwords out there. The remaining 10% are what the other 14.999999 GB in the table are for.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:First three entries in the table by Rob+T+Firefly · · Score: 4, Funny

      Amazing! That's the same password I have on my luggage!

  5. Windows security.... by Mc1brew · · Score: 5, Funny

    Windows has a security feature it uses when a user attempts to create a 15Gb table called "crashing". This makes it extremely difficult to break in using the tool defined.....

  6. Re:This is why two factor authentication is necess by SQLGuru · · Score: 4, Funny
    http://support.microsoft.com/kb/276304

    Or just force authentication against the MIT Kerberos domain.....

    Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes. Layne