Ophcrack Says Your Password Is Insecure
javipas writes "An insightful article at Jeff Atwood's Coding Horror reveals the power inside Ophcrack, an Open Source program that is capable of discovering virtually any password in Windows operating systems. The article explains how passwords get stored on Windows using hash functions, and how Ophcrack can generate immense tables of words and letter combinations that are compared to the password we want to obtain. The program is available in Windows, Mac OS and Linux, but be careful: the generated tables that Ophcrack uses are really big, and you should allow up to 15 Gbytes to store these tables."
This is news? (Score:3, Insightful)
Windows is insecure by design (Score:4, Insightful)
If I have physical access to the machine and have a bootable CD, I have no need to crack any passwords.
I can just reset the password and carry on. I have a customer whose 9yo girl showed me how she "cracks" her brother's password by booting in safe mode and simply removing his password.
Luckily, in some ways I am glad Windows is insecure; I can only imagine the hell a user (and MS) would go through when you tell them that their entire photo/music collection is toast because they forgot their 21 random character hard to remember password.
Don't blame the user, blame the whole crappy password concept.
special chars (Score:2, Insightful)
Careful? (Score:2, Insightful)
Since when were 15 gigs considered "really big"?
Aren't people at conferences handing out USB sticks as schwag with 493424 gigs these days in exchange for your business card?
Re:There's no way they're getting my password! (Score:1, Insightful)
Re:So... (Score:5, Insightful)
Re:Test ophcrack live. (Score:4, Insightful)
>And it is horrifying how few windows sysadmins who know about this...
Well, they should be asking "Why are my PCs set up to let the end user boot a CD?" Or "Why do malicious users have physical access to our machines?" With physical access you're pretty much sunk. Someone could mount NTFS, write to the registry where it stores your admin password, and set it to null. I don't care what OS you use, physical access usually means trouble. Heck, if my portable tools can't crack it, I'll just take the hard drive home and work on it at my leisure.
Re:secure password? (Score:3, Insightful)
Is this another way of saying "I'm about to spew forth a load of FUD"?
I guess if it's anti-Microsoft FUD, it'll get modded up, right?
Re:secure password? (Score:3, Insightful)
That may have easily been true for NT 4.0, but (IIRC) Win2k and later stretches 'em out a lot more than 8 chars, esp. with AD password policies turned on. (No, not defending 'doze per se, but it simply doesn't parse IMHO).
But then, NT 4.0 once let you have perfect access to its SAM registry keys by simply letting at.exe open regedt32 for you.
(PS: If it helps, I do agree w/ you perfectly that that's a pretty crappy password.)
Re:Test ophcrack live. (Score:5, Insightful)
Special characters are BAD for password security (Score:1, Insightful)
Most good brute force attacks will focus on chaining words together and permutating all the 1337speak versions of the passwords. An example is John The Ripper which is rule-based and will therefore crack based on the probability that two characters will be next to each other... and a whole stack of interesting and complicated rules. It can work around deliberate spelling errors and random characters inserted in the middle as well.
Seeing as most IT admins pick dictionary passphrases and convert them to 1337speak, the approach I mentioned above can be VERY fast & effective.
The other problem is that out of the character set (a-z,A-Z,0-9,punctuation) you are using far more punctuation symbols and numbers than what would be expected in a purely random password. Using this knowledge, you can dramatically decrease the brute force cracking time.
I'm surprised people still use passwords. People need to get off their asses and set up public key cryptography for all their authentication.
Or at the very least, turn off LanManager hashes from being stored in the SAM database on the Windows machine (and also disable all protocols which aren't NTLMv2).
It's not as simplistic as all that. (Score:3, Insightful)
Is 53cr3TPa55W@rD a better password than Fgpyyih804423? Why?
It's not a trick question. Can you demonstrate that real security is improved by having a secret string conform to a non-secret policy? Are you sure you haven't got any unexamined assumptions in your reasoning?
You also should think twice about allowing commonly used metacharacters in passwords - dollar signs and asterisks carry some risks, for example, that should probably be quantified within your computing environment.
Re:Couple things (Score:2, Insightful)
Re:Windows is insecure by design (Score:3, Insightful)
Not to mention the fact that most people use only one or two passwords for pretty much every application, from their computers to online services.
Re:This is why two factor authentication is necess (Score:3, Insightful)
It's always been a race. Don't think one side can win forever.
Re:There's no way they're getting my password! (Score:5, Insightful)
IMO There is absolutely no point in having a lock on a bathroom door, as it is TRIVIAL to bypass with something as simple as a small screwdriver.
Oh wait, yet, despite that, it is remarkably effective at keeping people out while you're in there.
Many locks and passwords are more symbolic than anything else. Most people respect the implied privacy requested by a lock or password. Even if they know they could circumvent it trivially, they don't do it.