Slashdot Mirror
Ophcrack Says Your Password Is Insecure
javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."
Ha, I've got these fools beat! I don't even USE a password on my Windows box. I'd like to see you try and crack MY password!
How long have rainbow tables been around? And hasn't just about everyone stopped storing LM hashes?
So basically, if I want to find out the passwords on someone else's computer, I have to bring along a high capacity DVD's-worth of data as well? I might as well just pretend I'm their tech support and ask for the password.
Back in the day, getting Windows passwords was as easy as opening a program from a floppy. That's how I got an A in Spanish class when the teacher challenged us to guess what his screensaver password was (the prize was an A for the year - dumb teacher).
if i have physical access to the machine and have a bootable CD i have no need to crack any passwords
i can just reset the password and carry on, i have a customer whos 9yo girl showed me how she "cracks" her brothers password by booting in safe mode and simply removing his password
luckliy in some ways iam glad windows is insecure, i can only imagine the hell a user (and MS) would go through when you tell them that their entire photo/music collection is toast because they forgot their 21 random character hard to remember password
dont blame the user blame the whole crappy password concept
"Passwords should never be saved as plaintext"
/etc/passwd, bitch!
Tell that to
Second, if you've computed all possible hash values for all possible character combinations, then it really doesn't matter what your password is, since you only have to have the input hash to the correct hash value. Since an infinite number of character strings map to a finite number of hash values, it is only a matter of building the tables before you can hack any system.
Third, if your only defense against this type of attack is a single password, you're screwed.
Fourth, if you are worried about this sort of attack and you still live with your parents, it's probably not really too critical that you implement heavy-duty, multiple-hardened points on your Gentoo system right now. You'll have plenty of time to implement that sort of security after you finish your current bag of Cheetos.
Ophcrack live (CD) does not crack all windows passwords, only about 99%. Still it uses only 20 minutes and can crack passwords up to 14 characters, while running from a bootable CD. And it is horrifying how few windows sysadmins who know about this...
(blank)
password
password1 That formula will crack 90% of Windows passwords out there. The remaining 10% are what the other 14.999999 GB in the table are for.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Windows has a security feature it uses when a user attempts to create a 15Gb table called "crashing". This makes it extremely difficult to break in using the tool defined.....
This is a prime example of the need for a multi layered security model for authentication and authorization of your systems. There are many vendors that supply two factor authentication methods (RSA being the most well known) that provide for one time passwords. Techniques like this effectively mitigate the risk of a user account compromised by use of a hash table like this. BTW, this is nothing new. Rainbow tables have been out for ages. --Colin
Colin McNamara - CCIE #18233 "The difficult we do immediately, the impossible just takes a little longer"
First of all, ophcrack only comes with alpha-numeric tables for LM hashes. If you have special characters in your password, you'll have to generate your own table, which takes a very long time, and a lot of hard drive space. Ophcrack does not have the ability to generate Rainbow tables as the article suggest... Second of all, Ophcrack only works well against LM hashes, because with LM hashes, passwords are split into 7 byte halves, then hashed. So you only have to have tables that go up to 7 characters with LM hashes. If you disable LM hashes on your Windows box, and use NTLM hashes, the entire password is hashed, and is not split up. So if you pick a good password, with special characters, that's fairly long, it will be pretty much impossible to crack if your using NTLM only. Even with rainbow tables... The problem is Windows XP (by default) stores passwords as LM and NTLM hashes. So if an attacker can get the LM hashes, they can crack your password easily. You can hack the registry and keep Windows from storing LM hashes. See http://support.microsoft.com/kb/299656
Or simply require your users to have passwords at least 15 characters long. There was an article out of MS a year or so ago about how the "password" is dead and that "pass phrases" will take over. Not a very well written article, but it did go over the weaknesses of short passwords, hashes, and rainbow files. They are essentially the same thing, only pass phrases are longer... much longer. Instead of having to remember "HYjK))w!x%" (which, if LM Hashed, can be cracked by a rainbow file in short order) you can remember "This is the passworrd for my new computerr". No one is going to carry a 5 terrabyte rainbow file around to try to crack a password that long. And brute force would take years. Given a few spelling mistakes and a dictionary attack will fail.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Hi, There's no need to crack the LM&NT hashes of a password, you can use the hash directly on windows using this tool: http://oss.coresecurity.com/projects/pshtoolkit.htm basically you can impersonate on your own windows machine any user if you have the hash, and then use your Windows machine to authenticate to services using that user's credentials. There's no need to know the cleartext password, unless you explicitly want to know the cleartext password to test it on other services that do not use NTLM authentication.
LM hashes split passwords in 8-letter chunks, and for each of them:
1) the last symbol is removed, so the chunk becomes a 7-character password
2) the password is uppercased (yeah, that's dumb)
and then hashes are calculated for these chunks.
BOTH the LM and NTLM (a much more secure hash) hashes are stored in the registry.
So to get a typical 8-character password, you only need to guess the first 7 characters in uppercase.
After that the more secure NTLM hash is used to guess the case of each character and the eighth character which is missing from LM.
This means that guessing a 16-character password takes at most twice the time than for a 8-char, and not something like 40^8 times as much.
More info here: http://en.wikipedia.org/wiki/LM_hash
Also, If it's windows 98, I can blue screen the thing with a con/con from the command line and hopefully you have the thing set to reboot on BSOD.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
Or just force authentication against the MIT Kerberos domain..... Your password must be at least 18770 characters and cannot repeat any of your previous 30689 passwords. Please type a different password. Type a password that meets these requirements in both text boxes. Layne