Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

16 of 249 comments

  1. This is news? by Lord_Frederick · · Score: 3, Insightful

    How long have rainbow tables been around? And hasn't just about everyone stopped storing LM hashes?

  2. Windows is insecure by design by Anonymous Coward · · Score: 4, Insightful

    If I have physical access to the machine and have a bootable CD I have no need to crack any passwords.
    I can just reset the password and carry on. I have a customer whose 9yo girl showed me how she "cracks" her brother's password by booting in safe mode and simply removing his password.
    Luckily in some ways I am glad Windows is insecure, I can only imagine the hell a user (and MS) would go through when you tell them that their entire photo/music collection is toast because they forgot their 21 random character hard to remember password.

    Don't blame the user, blame the whole crappy password concept.

    1. Re:Windows is insecure by design by Opportunist · · Score: 2, Insightful

      I think the usefulness is rather in the legitimate owner of the machine not knowing that you know his password. When his password is blown, he usually knows something's fishy.

      Not to mention the fact that most people use only one or two passwords for pretty much every application, from their computers to online services.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  3. special chars by Anonymous Coward · · Score: 2, Insightful

    And that's exactly the reason why I prefer using passwords like: k|$$mY/\rs3

  4. Careful? by miguel · · Score: 1, Insightful

    "but be careful: the generated tables that Ophcrack uses are really big, and you should need up to 15 Gbytes to store these tables."

    Since when were 15 gigs considered "really big"?

    Aren't people at conferences handing out USB sticks as schwag with 493424 gigs these days in exchange for your business card?

  5. Re:There's no way they're getting my password! by Anonymous Coward · · Score: 1, Insightful

    I know it's a joke, but in Windows you cannot remotely connect to a passwordless account, so in that sense it actually is more secure.

  6. Re:So... by jayhawk88 · · Score: 5, Insightful

    The point is that it can get the password in under 5 minutes. You could bring along something like L0pht, and then wait 2 weeks while it brute forces it.

  7. Re:Test ophcrack live. by gad_zuki! · · Score: 3, Insightful

    First off, it certainly does not crack 99% of passwords. A reasonable password policy means it won't crack anything. It's a 700 meg CD. It's very limited. I've seen it fail on some pretty basic stuff. Essentially toss in a !@#$%^&*()_-{};',.? and it's screwed.

    >And it is horrifying how few windows sysadmins who know about this...

    Well, they should be asking "Why are my PCs set up to let the end user boot a CD?" Or "Why do malicious users have physical access to our machines?" With physical access you're pretty much sunk. Someone could mount NTFS, write to the registry where it stores your admin password, and set it to null. I don't care what OS you use, physical access usually means trouble. Heck, if my portable tools can't crack it, I'll just take the hard drive home and work on it at my leisure.

  8. Re:secure password? by woodhouse · · Score: 2, Insightful

    >If I remember correctly...

    Is this another way of saying "I'm about to spew forth a load of FUD"?

    I guess if it's anti-Microsoft FUD, it'll get modded up, right?

  9. Re:secure password? by Penguinisto · · Score: 2, Insightful

    Re: NT:

    That may have easily been true for NT 4.0, but (IIRC) Win2k and later stretches 'em out a lot more than 8 chars, esp. with AD password policies turned on. (No, not defending 'doze per se, but it simply doesn't parse IMHO).

    But then, NT 4.0 once let you have perfect access to its SAM registry keys by simply letting at.exe open regedt32 for you.

    (PS: If it helps, I do agree w/ you perfectly that that's a pretty crappy password.)

    /P

    --
    How long, Nimbus, will you go on abusing our patience?

  10. Re:Test ophcrack live. by realdodgeman · · Score: 4, Insightful

    It does crack 99% of used passwords, not 99% of theoretical passwords.

  11. Special characters are BAD for password security by Anonymous Coward · · Score: 1, Insightful

    That is actually still a very bad idea from a brute force attack perspective.

    Most good brute force attacks will focus on chaining words together and permuting all the 1337speak versions of the passwords. An example is John The Ripper which is rule-based and will therefore crack based on the probability that two characters will be next to each other... and a whole stack of interesting and complicated rules. It can work around deliberate spelling errors and random characters inserted in the middle as well.

    Seeing as most IT admins pick dictionary passphrases and convert them to 1337speak, the approach I mentioned above can be VERY fast & effective.

    The other problem is that out of the character set (a-z,A-Z,0-9,punctuation) you are using far more punctuation symbols and numbers than what would be expected in a purely random password. Using this knowledge, you can dramatically decrease the brute force cracking time.

    I'm surprised people still use passwords. People need to get off their asses and set up public key cryptography for all their authentication.

    Or at the very least, turn off LanManager hashes from being stored in the SAM database on the Windows machine (and also disable all protocols which aren't NTLMv2).

  12. It's not as simplistic as all that. by Medievalist · · Score: 2, Insightful

    From the linked blog: "How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure." Sorry Jeff, but that's a shit password. If I remember correctly NT drops anything after the first 8 characters so the password is actually "Fgpyyih8". You have one uppercase letter in there and one number. That's terrible. Where are your characters like !@#$%^&*()-_+ or extended ASCII stuff? Why are you starting with a capitalized letter? Leaving aside your incorrect remembrance of the NT LM hash algorithm, what makes you think that having funny characters, more than one uppercase, and more than one number increases your security?

    Is 53cr3TPa55W@rD a better password than Fgpyyih804423? Why?

    It's not a trick question. Can you demonstrate that real security is improved by having a secret string conform to a non-secret policy? Are you sure you haven't got any unexamined assumptions in your reasoning?

    You also should think twice about allowing commonly used metacharacters in passwords - dollar signs and asterisks carry some risks, for example, that should probably be quantified within your computing environment.

  13. Re:Couple things by everphilski · · Score: 1, Insightful

    None that I was aware of, but I don't think that was GP's point. He was quoting the "Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naïve programmers." from the article. Which was at one time true for Windows (? or were they referring solely to apps?) but was also at one time true for Linux.

  14. Re:This is why two factor authentication is necess by Opportunist · · Score: 2, Insightful

    Give it a year and someone will come up with a clever plan to decipher it again. Don't ask me how, our cipher guys are elsewhere (and I refuse to talk to them, they're creepy!). Some statistical imbalance for this or that if this or that structure is in your sentence, or a flaw in the algorithm because you now have a larger sample to work with than with traditional passwords of 5-10 characters length...

    It's always been a race. Don't think one side can win forever.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  15. Re:There's no way they're getting my password! by vux984 · · Score: 4, Insightful

    IMO There is absolutely no point in having a login password for stand-alone machines as it is TRIVIAL to bypass with something as easy as a boot CD/floppy that just resets the passwords, as long as you have physical access to the box, (or just yank out the hard drive and remount somewhere else).

    IMO There is absolutely no point in having a lock on a bathroom door, as it is TRIVIAL to bypass with something as simple as a small screwdriver.

    Oh wait, yet, despite that, it is remarkably effective at keeping people out while you're in there.

    Many locks and passwords are more symbolic than anything else. Most people respect the implied privacy requested by a lock or password. Even if they know they could circumvent it trivially, they don't do it.