Slashdot Mirror


Ophcrack Says Your Password Is Insecure

javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."

7 of 249 comments

  1. Re:This is news? by CJ145 · · Score: 2, Interesting

    People that know should have; however, the majority of Windows users have no clue what an LM hash is. I use the ophcrack livecd almost daily to find lost passwords. Not once on a customer computer have I found LM disabled (Windows XP systems). I have not seen any Vista PCs yet so I do not know what the default is on Vista.

  2. Things to note by nsanders · · Score: 2, Interesting

    The title is a bit of a stretch. Some simple techniques can help protect yourself from these attacks. Using special characters will greatly increase the strength of your password, since the rainbow set for ALL characters is 64GB in size. Also, a LONG password, even of simple words, can increase the complexity due to its length. Something as simple as my!dear!aunt!sally would be far stronger than 1pass!

    Some additional info on this topic can be seen here: http://druid.caughq.org/papers/Mnemonic-Password-Formulas.pdf

  3. Re:There's no way they're getting my password! by ceeam · · Score: 5, Interesting

    You laugh but Windows indeed blocks some operations when no password is assigned. So - no password sometimes may be better than a crackable password.

  4. Re:This is news? by CastrTroy · · Score: 3, Interesting

    I remember once I tried a Linux bootable floppy that was supposed to be able to reset Windows passwords, from what I recall, by just changing the value of the hash. Anyway, the drive was NTFS, and something got screwed up, and the file was unreadable. What I ended up doing was copying the same file from a computer with a similar setup (both were college issued laptops), and using the other person's username as password to log in. Anybody with enough access to the machine can get past a simple password. And unless you keep all your important data on an encrypted partition, and use encrypted swap (can you do this in Windows??), then you really don't have much protection, and shouldn't assume that the data on your computer is locked down.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Re:This is why two factor authentication is necess by RingDev · · Score: 4, Interesting

    Or simply require your users to have passwords at least 15 characters long. There was an article out of MS a year or so ago about how the "password" is dead and that "pass phrases" will take over. Not a very well written article, but it did go over the weaknesses of short passwords, hashes, and rainbow files. They are essentially the same thing, only pass phrases are longer... much longer. Instead of having to remember "HYjK))w!x%" (which, if LM Hashed, can be cracked by a rainbow file in short order) you can remember "This is the passworrd for my new computerr". No one is going to carry a 5 terabyte rainbow file around to try to crack a password that long. And brute force would take years. Given a few spelling mistakes, a dictionary attack will fail.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  6. There's no need to crack the password by hernano · · Score: 4, Interesting

    Hi, there's no need to crack the LM & NT hashes of a password; you can use the hash directly on Windows using this tool: http://oss.coresecurity.com/projects/pshtoolkit.htm. Basically, you can impersonate on your own Windows machine any user if you have the hash, and then use your Windows machine to authenticate to services using that user's credentials. There's no need to know the cleartext password, unless you explicitly want to know the cleartext password to test it on other services that do not use NTLM authentication.

  7. Re:Windows is SECURE by design. by xappax · · Score: 2, Interesting

    The keyboard is wirelessly connected to it [...] how do you plan on hacking it?

    Point a high-gain antenna at your window and wait for you to transmit all your precious passwords from your wireless keyboard to your ultra-secured box. Likely, your keyboard will transmit your every keystroke in "plaintext", however some wireless keyboards use encryption. It's a very weak key and can be bruted offline with minimal effort.

    Sleep tight :)
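
Why the 15-character threshold from comment 5 (and the LM hash from comment 1) matters, as an added example that is not part of the thread: LM upper-cases a password, pads it to 14 bytes and hashes the two 7-byte halves independently, and a password longer than 14 characters gets no usable LM hash. The function names and the printable-ASCII alphabet sizes (95 case-sensitive, 69 after case folding) are assumptions of this sketch; it only models the preprocessing and does not compute any hash.

```python
LM_MAX = 14          # LM covers at most 14 characters
FULL_ALPHABET = 95   # assumption: printable ASCII, case-sensitive
LM_ALPHABET = 69     # same set once lower case is folded to upper case


def lm_halves(password):
    """Return the two 7-byte blocks LM would hash separately, or None when
    the password is too long for a usable LM hash to be stored.
    Assumes an ASCII password (raises UnicodeEncodeError otherwise)."""
    if len(password) > LM_MAX:
        return None
    padded = password.upper().encode("ascii").ljust(LM_MAX, b"\x00")
    return padded[:7], padded[7:]


def search_space(password):
    """Worst-case guess counts for a known length:
    (as one case-sensitive string, via the two LM halves or None)."""
    full = FULL_ALPHABET ** len(password)
    halves = lm_halves(password)
    if halves is None:
        return full, None
    # Each half is attacked on its own, so the costs add instead of multiply.
    lm = sum(LM_ALPHABET ** len(h.rstrip(b"\x00")) for h in halves)
    return full, lm


def audit(passwords):
    """Map each password to 'no LM hash' or its LM-weakened guess count."""
    report = {}
    for pw in passwords:
        full, lm = search_space(pw)
        report[pw] = "no LM hash" if lm is None else f"{lm:.2e} of {full:.2e}"
    return report


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the comments above.
    samples = ["1pass!", "HYjK))w!x%", "my!dear!aunt!sally",
               "This is the passworrd for my new computerr"]
    for pw, verdict in audit(samples).items():
        print(f"{pw!r:48} {verdict}")
```
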