Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."
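As an added illustration of the time-memory trade-off the summary describes (this is not code from Ophcrack, from the Coding Horror article, or from the submitter), the script below builds a toy rainbow table over three-letter lowercase passwords. SHA-256 stands in for the Windows hash, and the salt, the chain parameters, the 7919 stride and the helper names (`reduce_to_password`, `chain_password`, `lookup`) are the example's own assumptions. It shows three things: only chain endpoints are stored, not every hash, which is why even compressed tables still run to gigabytes; a hash of any password some chain passes through is recovered by regenerating a single chain; and the very same table finds nothing against a salted hash of the same password, because it was precomputed for one fixed, unsalted hash function, which is the property the Windows LM/NT hashes share.

```python
import hashlib
import string

# Toy search space: 3 lowercase letters (26**3 = 17576 candidates). Real tables cover
# far larger spaces and longer chains, hence the story's 15 GB figure.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50    # hashes computed per chain
N_CHAINS = 600    # chains stored; only (endpoint -> start) is kept, not every hash


def unsalted_hash(pw):
    # stand-in for an unsalted password hash (assumption: SHA-256 instead of LM/NT)
    return hashlib.sha256(pw.encode()).digest()


def salted_hash(pw, salt):
    # the same hash with a per-account salt mixed in; no table built for unsalted_hash covers it
    return hashlib.sha256(salt + pw.encode()).digest()


def index_to_password(i):
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest, column):
    # "Reduction" maps a digest back into the password space. Mixing in the column
    # number is what makes this a rainbow table rather than a plain Hellman table:
    # two chains only merge if they collide in the same column.
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % SPACE)


def chain_password(start, k):
    # k-th password along the chain that begins at `start` (k = 0 is the start itself)
    pw = start
    for column in range(k):
        pw = reduce_to_password(unsalted_hash(pw), column)
    return pw


def build_table():
    table = {}
    for c in range(N_CHAINS):
        start = index_to_password((c * 7919) % SPACE)  # deterministic, spread-out start points
        table.setdefault(chain_password(start, CHAIN_LEN), start)
    return table


def coverage(table):
    # fraction of the space some chain passes through; chain merges keep this well
    # below N_CHAINS * CHAIN_LEN / SPACE, which is why real tables are generated so large
    seen = set()
    for start in table.values():
        pw = start
        for column in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_to_password(unsalted_hash(pw), column)
    return len(seen) / SPACE


def lookup(table, target):
    # For each column the target hash could sit in, run the chain forward to its endpoint;
    # if that endpoint is stored, regenerate the chain from its start and check each step.
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_password(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(unsalted_hash(pw), later)
        start = table.get(pw)
        if start is None:
            continue                       # this column hypothesis is wrong
        cand = start
        for col in range(CHAIN_LEN):       # false alarms from merged chains just fall through
            if unsalted_hash(cand) == target:
                return cand
            cand = reduce_to_password(unsalted_hash(cand), col)
    return None


if __name__ == "__main__":
    table = build_table()
    print(f"stored {len(table)} endpoints, covering {coverage(table):.0%} of {SPACE} passwords")
    victim = chain_password(index_to_password(0), 10)   # known to lie on the first chain
    print("unsalted hash recovered as:", lookup(table, unsalted_hash(victim)))
    print("salted hash recovered as:  ", lookup(table, salted_hash(victim, b"constructed-salt")))
```

The table holds a few hundred endpoint/start pairs yet answers for most of the 17,576-password space; scaling the same idea to mixed-case alphanumerics of length 14 is what turns "a few hundred entries" into gigabytes. The salted lookup returning nothing is the defender's takeaway: precomputation only pays off when every account uses the identical hash function with no per-account input.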

12 of 249 comments

  1. This is news? by Lord_Frederick · Score: 3, Insightful

    How long have rainbow tables been around? And hasn't just about everyone stopped storing LM hashes?

  2. Windows is insecure by design by Anonymous Coward · Score: 4, Insightful

    If I have physical access to the machine and have a bootable CD, I have no need to crack any passwords.
    I can just reset the password and carry on. I have a customer whose 9-year-old girl showed me how she "cracks" her brother's password by booting in safe mode and simply removing his password.
    Luckily, in some ways I am glad Windows is insecure; I can only imagine the hell a user (and MS) would go through when you tell them that their entire photo/music collection is toast because they forgot their 21-random-character, hard-to-remember password.

    Don't blame the user, blame the whole crappy password concept.

    1. Re:Windows is insecure by design by Opportunist · Score: 2, Insightful

      I think the usefulness is rather in the legitimate owner of the machine not knowing that you know his password. When his password is blown, he usually knows something's fishy.

      Not to mention the fact that most people use only one or two passwords for pretty much every application, from their computers to online services.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. special chars by Anonymous Coward · Score: 2, Insightful

    And that's exactly the reason why I prefer using passwords like: k|$$mY/\rs3

  4. Re:So... by jayhawk88 · Score: 5, Insightful

    The point is that it can get the password in under 5 minutes. You could bring along something like L0pht, and then wait 2 weeks while it brute forces it.

  5. Re:Test ophcrack live. by gad_zuki! · Score: 3, Insightful

    First off, it certainly does not crack 99% of passwords. A reasonable password policy means it won't crack anything. It's a 700 meg CD. It's very limited. I've seen it fail on some pretty basic stuff. Essentially toss in a !@#$%^&*()_-{};',.? and it's screwed.

    >And it is horrifying how few windows sysadmins who know about this...

    Well, they should be asking "Why are my PCs set up to let the end user boot a CD?" Or "Why do malicious users have physical access to our machines?" With physical access you're pretty much sunk. Someone could mount NTFS, write to the registry where it stores your admin password, and set it to null. I don't care what OS you use, physical access usually means trouble. Heck, if my portable tools can't crack it, I'll just take the hard drive home and work on it at my leisure.

  6. Re:secure password? by woodhouse · Score: 2, Insightful

    >If I remember correctly...

    Is this another way of saying "I'm about to spew forth a load of FUD"?

    I guess if it's anti-Microsoft FUD, it'll get modded up, right?

  7. Re:secure password? by Penguinisto · Score: 2, Insightful

    Re: NT:

    That may have easily been true for NT 4.0, but (IIRC) Win2k and later stretches 'em out a lot more than 8 chars, esp. with AD password policies turned on. (No, not defending 'doze per se, but it simply doesn't parse IMHO).

    But then, NT 4.0 once let you have perfect access to its SAM registry keys by simply letting at.exe open regedt32 for you.

    (PS: If it helps, I do agree w/ you perfectly that that's a pretty crappy password.)

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  8. Re:Test ophcrack live. by realdodgeman · Score: 4, Insightful

    It does crack 99% of used passwords, not 99% of theoretical passwords.

  9. It's not as simplistic as all that. by Medievalist · Score: 2, Insightful

    From the linked blog: "How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure." Sorry Jeff, but that's a shit password. If I remember correctly, NT drops anything after the first 8 characters, so the password is actually "Fgpyyih8". You have one uppercase letter in there and one number. That's terrible. Where are your characters like !@#$%^&*()-_+ or extended ASCII stuff? Why are you starting with a capitalized letter? Leaving aside your incorrect remembrance of the NT LM hash algorithm, what makes you think that having funny characters, more than one uppercase, and more than one number increases your security?

    Is 53cr3TPa55W@rD a better password than Fgpyyih804423? Why?

    It's not a trick question. Can you demonstrate that real security is improved by having a secret string conform to a non-secret policy? Are you sure you haven't got any unexamined assumptions in your reasoning?

    You also should think twice about allowing commonly used metacharacters in passwords - dollar signs and asterisks carry some risks, for example, that should probably be quantified within your computing environment.
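
As an added example (not the commenter's code, and not from the linked blog) of the question this post raises, the script below puts numbers on two things: the crude "length times log2 of the alphabet actually used" estimate that a policy implicitly relies on, and, via inclusion-exclusion, how much search space a published "at least one of each class" policy actually hands to an attacker who knows it. The four class sizes (32 symbols, as in Python's `string.punctuation`) are assumptions; because the thread disagrees about whether NT truncates a password, truncation is a parameter (`truncate_to`) rather than a claim. Function names are the example's own.

```python
import math
import string
from itertools import combinations

# Character classes a policy typically talks about. Sizes are this example's
# assumption: 26 + 26 + 10 + 32 printable ASCII symbols = 94.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def classes_used(pw):
    """Which of the four classes actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def naive_bits(pw, truncate_to=None):
    """Crude strength estimate: length * log2(size of the classes the password draws from).

    truncate_to models a hash that only looks at the first N characters; the thread
    disagrees about what NT does here, so it is a parameter, not a statement of fact.
    """
    effective = pw if truncate_to is None else pw[:truncate_to]
    alphabet = sum(len(CLASSES[name]) for name in classes_used(effective))
    return len(effective) * math.log2(alphabet)


def policy_keyspace(allowed, required, length):
    """Number of strings of the given length over the allowed classes that contain at
    least one character from every required class (inclusion-exclusion: subtract the
    strings missing one required class, add back those missing two, and so on)."""
    n = sum(len(CLASSES[c]) for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = n - sum(len(CLASSES[c]) for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def policy_cost_bits(allowed, required, length):
    """Bits of search space a public policy removes for an attacker who knows it:
    log2(all strings) - log2(strings that satisfy the policy)."""
    n = sum(len(CLASSES[c]) for c in allowed)
    return length * math.log2(n) - math.log2(policy_keyspace(allowed, required, length))


if __name__ == "__main__":
    for pw in ("Fgpyyih804423", "53cr3TPa55W@rD"):
        print(f"{pw}: classes={sorted(classes_used(pw))}, "
              f"~{naive_bits(pw):.1f} bits, first 8 chars only: {naive_bits(pw, 8):.1f} bits")
    every = list(CLASSES)
    print(f"'one of each class' at length 14 costs an informed attacker "
          f"{policy_cost_bits(every, every, 14):.2f} bits")
```

Two observations fall out of running it. The second password scores higher only because it is one character longer and draws from a bigger alphabet; the policy-shaped substitutions (3 for e, @ for a) contribute nothing the estimate can see. And the "at least one of each class" rule at length 14 removes well under one bit of keyspace, so knowing the policy barely helps an attacker, which is the commenter's point that secret strings and public policies are largely orthogonal.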
  10. Re:This is why two factor authentication is necess by Opportunist · Score: 2, Insightful

    Give it a year and someone will come up with a clever plan to decipher it again. Don't ask me how, our cypherguys are elsewhere (and I refuse to talk to them, they're creepy!). Some statistical imbalance for this or that if this or that structure is in your sentence, or a flaw in the algorithm because you now have a larger sample to work with than with traditional passwords of 5-10 characters length...

    It's always been a race. Don't think one side can win forever.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:There's no way they're getting my password! by vux984 · Score: 4, Insightful

    IMO There is absolutely no point in having a login password for stand-alone machines as it is TRIVIAL to bypass with something as easy as a boot CD/floppy that just resets the passwords, as long as you have physical access to the box, (or just yank out the hard drive and remount somewhere else).

    IMO There is absolutely no point in having a lock on a bathroom door, as it is TRIVIAL to bypass with something as simple as a small screwdriver.

    Oh wait, yet, despite that, it is remarkably effective at keeping people out while you're in there.

    Many locks and passwords are more symbolic than anything else. Most people respect the implied privacy requested by a lock or password. Even if they know they could circumvent it trivially, they don't do it.