Ophcrack Says Your Password Is Insecure

← Back to Stories (view on slashdot.org)

Ophcrack Says Your Password Is Insecure

Posted by CmdrTaco on Monday September 10, 2007 @03:42AM from the something-to-play-with dept.

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

2 of 249 comments (clear)

Min score:

Reason:

Sort:

Re:There's no way they're getting my password! by pegr · 2007-09-10 04:08 · Score: 5, Informative

Got it.

norad:~# echo "" | md5sum
68b329da9893e34099c7d8ad5cb9c940 -

Actually, it's:
Password:
LM Hash: AAD3B435B51404EEAAD3B435B51404EE
NT Hash: 31D6CFE0D16AE931B73C59D7E0C089C0

Windows password hashes are not MD5...

Brought to you by the "genhash" utility of the PassTheHash toolkit for Windows. (Google it, it's awesome.)
Windows passwords Secure? by nick13245 · 2007-09-10 04:10 · Score: 5, Informative

First of all, ophcrack only comes with alpha-numeric tables for LM hashes. If you have special characters in your password, you'll have to generate your own table, which takes a very long time, and a lot of hard drive space. Ophcrack does not have the ability to generate Rainbow tables as the article suggest... Second of all, Ophcrack only works well against LM hashes, because with LM hashes, passwords are split into 7 byte halves, then hashed. So you only have to have tables that go up to 7 characters with LM hashes. If you disable LM hashes on your Windows box, and use NTLM hashes, the entire password is hashed, and is not split up. So if you pick a good password, with special characters, that's fairly long, it will be pretty much impossible to crack if your using NTLM only. Even with rainbow tables... The problem is Windows XP (by default) stores passwords as LM and NTLM hashes. So if an attacker can get the LM hashes, they can crack your password easily. You can hack the registry and keep Windows from storing LM hashes. See http://support.microsoft.com/kb/299656