Swiss Researchers Exploit Windows Password Flaw

Bueller_007 writes "CNET is carrying an article about a new (albeit simplistic) method used to hack alphanumeric Windows passwords in a matter of seconds, rather than minutes. To blame is a 'weakness in Microsoft's method of encoding passwords.' According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer." A few more details: Mister.de writes "As an example we have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) we can crack 99.9% of all alphanumerical passwords hashes (2 37 ) in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used. This was found at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL)."

This is why...

[mgcsinc]

This is why I use Biopassword [slashdot.org] Perhaps their encryption method is just as insecure as microsoft's, but at least there aren't quite so many Swiss researchers trying to crack it...

Re:This is why...

[kasperd]

This is why I use Biopassword Perhaps their encryption method is just as insecure as microsoft's

I have seen BIOSes that did not encrypt the password at all.

Re:This is why...

[kasperd]

Not to mention all you need to do to reset any BIOS password is change a jumper.

True, but that is not really the problem. There are two different issues.

1. Can an intruder get access to the system?
2. Can an intruder get the password?

Obviously an intruder that can get the password can also get access to the system, but it doesn't have to be the other way around. Why is that even interesting? Well, if the same password is used in a different place, it will be interesting to protect the password even if the

Re:This is why...

[Charleton Heston]

I use plaintext. Granted, some people are working on cracking plaintext, but they are almost always in a 1st grade reading class and I ain't scared of them.

Re:This is why...

[sharkey]

404 File Not Found

Come on, everybody knows that one.

Re:This is why...

[Robmonster]

Security through Obscurity is the reason that many people think that Linux distros are inherently more secure than MS.

Re:This is why...

[rzbx]

Another reaon that Gazbo forgot to mention is that there are many different Linux installations. Many factors make it harder for someone to gain access to a majority of servers running Linux. An exploit may target one version of one specific server application that is implemented in one certain way on one specific kernel. Did you catch all the factors? Kernel version (another bonus: kernel compiled with different options), distro (or custom), implementation of the OS can be different, different applications, different versions of applications, various software surrounding all these other applications (such as security apps), and many more. Using proprietary software your very limited. If an exploit is found for Windows 2000 SE (or some other version) then there will a large number of servers that have this specific version with no modifications. There isn't much you can modify on a proprietary OS or software. Yes, many factors still exist on proprietary installations as well, but much much fewer.

Re:This is why...

[enomar]

I read the parent post as, "Because MS uses security through obscurity, many people think that Linux distros are inherently more secure than MS." I think he meant that security through obscurity doesn't work very well.

Building a lock that cannot be picked by a blind man is a lot easier (and less effective in the real world) than building a lock that cannot be picked by someone with the blueprints.

Re:This is why...

[Shippy]

I read the parent post as, "Because MS uses security through obscurity, many people think that Linux distros are inherently more secure than MS." I think he meant that security through obscurity doesn't work very well.

Security through obscurity works just fine as long as that's not your only defense. Security practices should always be done in-depth, with multiple tools to protect you. Let's say I have my gold in a safe in my house. Rather than just put my safe in the garage (where it's not obscured at a

Re:This is why...

[schon]

Because people consider Linux to be too obscure to be worth spending their time attacking, it rarely succumbs to such attacks.

This is just plain false. If it were true, then there would be MUCH more attacks against Apache than IIS - but the reverse is true.

Also, even if this assertion were true, can you provide references for it (as I asked in my previous post)? Let's see some posts from Linux users who think that they're immune from hack attempts because they run Linux and not windows.

And before you start yammering about Many eyes/shallow bugs or whatever, I shall use my new favorite example: the sobig worm.

First, a worm is not a hack attempt - it's malware (along with viruses.)

Second, malware such as this has little to do with obscurity - it has to do with a mindset that ignores basic security practices (namely segregation of resources.)

Re:This is why...

[kiolbasa]

And I think you missed the point that schon was making -- that sobig is offtopic in the context of the immediate discussion, which is technical security breaches, not social security breaches. I don't see how a social problem of a user running malware has anything to do with security through obscurity or open source bugs being shallow, which is where you originally mentioned sobig.

Re:This is why...

[nolife]

I see your points to some extent but consider Apache was been by far the most popular [netcraft.com] web server for at least the last 8 years running on various platforms. Security is in design and not proportional to popularity. Hack ATTEMPTS maybe be higher with popularity but those attempts are useless until you find the hole.

Re:This is why...

[prisoner-of-enigma]

Don't you think that the overall animosity towards Microsoft by the techie community has at least something to do with this? For that matter, perhaps one reason why there are fewer attacks on Apache servers is the reverse of the anti-MS feelings. I'm not stating it as fact, just musing. My Apache logs show tons of IIS-type attacks but very few Apache attacks. There are a ton of known vulnerabilities for older versions of Apache, yet for some reason nobody uses them much.

My thoughts? Apache doesn't pro

Re:This is why...

[GodsMadClown]

Havn't you heard? Win XP has raw sockets enabled. That's what's got Steve Gibson of GRC.com fame all hot and bothered. Take a look at http://grc.com/dos/intro.htm for a little healthy paranoia.

Re:This is why...

[Jeremiah Cornelius]

More than 40% of MS's server customers are still running NT 3.5x and 4.0 - Mostly the latter!

This is still a big deal. NT4 with LanMan auth is big, so is W2K in compatibility mode for 16-bit clients.

MS always ships the old stuff - usually running by default - along with the new.

The NT 4 customers who won't or can't move their apps are a problem. MS licenses are long ago paid. The shops are mostly self-supporting. It's revenue that MS can't get to. This is why they bought VirtualPC. They want to migra

Performance increase

[levik]

THis sort of performance increase is only useful for Mission Impossible type movie spies... I mean come on - who can't wait 100 seconds???

People are really running out of interesting stuff to "research", aren't they...

Re:Performance increase

[Robmonster]

If they ever invent a toilet door with password protection I'm sure those 100 seconds will come in VERY handy in an emergency.

Re:Performance increase

[Rogerborg]

Solution:

1. Wipe the pad clean.
2. Wait a few hours.
3. Blow chalk on it and brush gently.
4. Note which 3 digits have chalk stuck to them.
5. Try the six possible combinations.
6. Bingo! You're an executive.

YMMV, depending on whether you have execs of the sweaty oily finger variety, or the scaly lizard species.

Re:Performance increase

[Tackhead]

> Solution:
> 1.Wipe the pad clean.
> 2.Wait a few hours.
> 3.Blow chalk on it and brush gently.
> 4.Note which 3 digits have chalk stuck to them.
> 5.Try the six possible combinations.
> 6.Bingo! You're an executive.

Tried it. No chalk remaining on any of the four pads.

> YMMV, depending on whether you have execs of the sweaty oily finger variety, or the scaly lizard species.

Incidentally, what's the polite way of telling your boss he's got chalk on his nose, especially on a day when he seems to be real pissed off about something, but he won't say what's buggin' him? He's got a press conference in 20 minutes, and I don't know how to bring this up.

"Mr. Valenti, you have chalk on your nose" seems too direct, don't you think?

Re:You forgot...

[Flower]

You forgot.

Step 1.5.1 Stuff dounuts with laxatives before distributing them.

Of course afterwards you're probably going to want to use a different bathroom afterwards...

Re:Performance increase

[cioxx]

Seems insecure compared to my job circa 1998. It was a traditional brick and mortar company sandwiched in between 2 dotcom startups on top and bottom floors. The management thought it would be an excellent idea to implement Orwellian concepts throught the damn place with magnetic cards which included access to restrooms and pretty much every room throughout the building. Few months later it turned out these fucks from HR were tracking employees who would take excessive breaks by going through the usage log

Re:Performance increase

[Marx_Mrvelous]

You obviously aren't a computer scientist (or a computer hacker). What they got was a power of ten increase (roughly). This is a significant improvement because it is not simply incremental. Look at it this way:
Let's say it usually took 200 days to crack a password. A company could enforce a 90-day (3 month) requirement to change passwords, and a brute force technique would have roughly a 1-in-2 chance of getting a password in any given 90-day period. Now they increased it by a factor of 10.
Now it takes 20 days to crack a password. If the company want to keep the same level of password security, users would have to change their passwords every 7 days!

This is a pretty big issue.

Re:Performance increase

[MisterFancypants]

Yeah but their power of 10 increase isn't globally applicable to many types of encryption breaking, it exists due to a flaw in Microsoft's specific implementation, so really the original poster is right, this isn't big news of any sort.

I can't imagine it would have made the front page at all if not for the usual "See how insecure Micro$oft is!" Slashdot biases.

Re:Performance increase

[mikeophile]

So since this exploit takes an average of 13.6 seconds, do users need to change thair passwords every 4 seconds?

Re:Performance increase

[Surak]

Yes. In fact, I'm adding that to the global password policies on my servers right now as I type this.

The users'll complain, but we'll be secure from this exploit!

Re:Performance increase

[M00TP01NT]

Yes, and soon we'll be at a point where the password will be changing so fast you can run a brute-force attack with a static keyword!

Re:Performance increase

[cybermace5]

A funny point, but does this scale linearly.... If you change your password more frequently than the expected average brute-force crack time, are you more vulnerable? I suppose it means that in a given time period the cracker could find any one of several passwords instead of just one.

Company Memo: New security procedures.

[barracg8]

All,

As you know we have a company security policy based around frequently changing passwords, in order to keep our Windows network secure.

Previously, as you are all no doubt aware, you were required to change your Windows passwords once every 90 seconds, since NT passwords can be cracked in 100 seconds flat.

Due to recent developments in MS password cracking, we will now be requiring all employees to change their passwords once every 10 seconds, to ensure they remain secure.

We hope this will not detract from productivity, and apologise for any inconvenience it does cause.

thanks,
Management

Re:Company Memo: New security procedures.

[superyooser]

In related news, the stock price of 3M Inc., maker of Post-It (R) notes, jumped 30 points today.

Re:Performance increase

[Rogerborg]

You can "let's say" all you want, but it's 100 seconds down to 13.6 seconds. How about explaining the real world significance of that? Seems to me to be like quibbling over how many times we can nuke the world into glass. After the first time, it's just about dick size.

Re:Relevancy scenario

[siskbc]

You get acess to a 1000 users netowrk password file. Recovering all paswords will take you 9 days instead of 70, giving you a large advantage over the network security reaction.

I'll buy that certainly for situations where you want to 0wnz0r every account, but usually you only need one priveleged one. From there, everything's candy.

Besides, before that you could only crack into your evil co-worker station when he was away for a cup of coffe. Now it is enough for him to be distracted by the hot boss assistant's legs...

The who....mmmmm...leggggs....ah shit, somebody h4X0r3d my box! ;) Seriously, as I understand it though, all you do at the local machine is get the hashes - which takes a fixed amount of time. The processing time is all on your own machine. And as I said, unless I want every account on the machine, I'll surf the net for the extra 90 seconds or whatever while that shit's a-crackin'.

I mean, I appreciate them saving me the extra 90 seconds and all,thanx guys, but I'm much more afraid that it takes anywhere as short as 2 minutes in the first place, ya know? I'd feel better with, say, months. To me, the most relevant thing about this is the nice web page the put up where they'll crack windows hashes for you. Very considerate, guys. ;)

Scary stuff...

[Anonymous Coward]

M$ passwords hacked within seconds...

Linux / Mac OSX passwords hacked within an hour too probably...

Maybe we need something just a little stronger!

Re:Scary stuff...

[PaizuriTatsujin]

What we need is no passwords at all and a midget sitting on everyone's desk guarding their computer.

When that happens I'll feel safe

Re:Scary stuff...

[b!arg]

Midget? No...Troll...and god knows we have enough of those around to take care of the demand. Maybe it'll solve our unemployment problem too.

Before you can logon you must answer three questions...

Re:Scary stuff...

[maunleon]

You have to guard on the network as well. So you could have a troll sitting on the router or switch.

Or bridge..

A Troll Bridge?

Ha!

No salt

[dpilot]

You've made a supposition that MS passwords are marginally weaker than Unix passwords. Read the article, and there's a more basic factor at work.

>"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."

From what I understand, Unix passwords normally take a little 'salt', a little random information, as well as the user password, and hash that. Microsoft just hashed the user password without the salt. This makes it easier to crack., anything else aside.

To their credit, you have to be Admin to get to the password hashes, rather like /etc/shadow.
To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.

Re:No salt

[Anonymous Struct]

To their debit, most WinDesktops that I'm aware of end up as glorified single-user machines, and that user is also.... Admin. Finally build a decent security model, and then customers ignore it.

I think the customers only ignore it because they've been bred on Win9x, which sort of casually asked if you felt like typing in a password, but didn't really care one way or the other if you actually did. You can't train people that passwords don't matter for 7 years and then expect them to start caring about security when you finally decide to implement it. So now we have a sea of internet users who don't know or care one whit about security all because they've been taught from the very beginning that all they ever have to do is plug it in, turn it on, and start browsing.

Re:No salt

[Zathrus]

The salt can depend on the system used, but AFAIK, it's usually the first 2 characters of the password

Traditionally the salt is a 2 byte random value. It is stored as the first 2 bytes of the hashed password, but has nothing to do with the password or username at all.

Before shadow passwords were standard this was no real help at all, since all you had to do was read /etc/passwd and suck up the salt out of those first 2 bytes. Now you need to get access to the shadow password file, which is at least an im

Re:No salt

[Jucius Maximus]

"Many Unix systems are now moving to MD5 encrypted passwords though, which as I understand it are more secure (how? I dunno... I'm not that up to date on it)."

The String -> MD5 hash is an easy converison, it was designed to work nicely on 32 bit processors

The MD5 -> String reverse-hash is not an easy conversion. So even if you give out the md5sum of your password, getting the actual password from that hash value is not trivial.

That is why it is more secure. Now MD5 is not invulnerable. I have read some reports about more mathematical vulnerabilities in it. Some say that SHA-1 crypto hashing is the only way to do things now adays.

Re:No salt

[mentin]

The attack described in the article is dictionary attack, i.e. you take lots of [alphanumeric in the article] passwords, hash them, and compare your password hash with the huge database of hashes.

Switching to MD5 without salt would not stop this attack, since you don't have to do MD5 -> String convertion, just lots of String -> MD5 hash conversions, and these are very fast.

"setting up XP"

[MORTAR_COMBAT!]

Try this. Install XP and it asks for your desired user name. You enter your user name, how about "jkarlin". Boom. "jkarlin" is now an Administrator.

Well,

[TedTschopp]

I sure hope we aren't using Microsoft Technology for anything important like National Security? Cause that would suck!

Please Advise, I don't know how to think about this story, I'm a Swiss-American.

Ted

Yoddle-Aay-Hee-Hooo

[ambisinistral]

This post isn't by me, it is by some Swiss guy who hacked my /. password to make me look bad.

Re:Yoddle-Aay-Hee-Hooo

[alchemist68]

You are truly evil. You IMPLY that Slashdot is running on Borg Technology. Bad form ambisinistral, bad form. That would crush the hearts of all geeks alike. Hell, that would cause mass rioting.

To Redmond we go! Every one click:

http://www.microsoft.com/

C'mon geeks, nerds, and dweebs UNITE. We can Slashdot the Borg and overtake the monopolistic opression we are so tired of battling.

One problem

[felix9x]

LanMan is not used on win2000 and winXP machines.

NThash dont know, probably not.

This hack is obsolte

Re:One problem

[truthsearch]

LanMan is still supported on Win2000 and maybe WinXP for backwards campatability (I assume to network with older system like Win98).

Just because it's called NThas doesn't mean it died with NT. LanMan was used until early releases of NT. The Win2000 bootup screen says "Built with NT technology". Whatever that means it implies lots of shared code. Since NThas was introduced with NT its unlikely they just drop it, especially since it was an improvement and they didn't care to fix this one major weakness a

Nope

[Anonymous DWord]

"Originally, we were targeting NT to the Intel i860 (code-named 'N-Ten)', a RISC processor that was horribly behind schedule. Because we didn't have any i860 machines in-house to test on, we used an i860 simulator. That's why we called it NT, because it worked on the 'N-Ten.'"

-Mark Lucovsky
Distinguished Engineer
Windows Server Architect

Re:One problem

[drsmithy]

Yes, I know NT was always just a marketing title. As I said I only just recently found out what it was supposed to be an acronym for and it was released how many years ago?

You must be a recent arrival :). Back when NT was new, "everyone" knew it stood for "New Technology".

It's been a while since I've seen an NT4 machine boot, but I think it and earlier versions actually had "New Technology" on their boot screens.

BTW, can anyone tell me what the hell XP is supposed to stand for?

I think it's supposed t

Re:One problem

[Shell!U4$]

Actually,

The LANMAN hashes are still used in Win2k. They are enabled and kept in the ActiveDirectory by default.

If your a 100% Win2k or higher shop, you can disable the LANMAN hashes and use NTLM 2 hashes exclusively.

Microsoft is willing to tell you how, if you look here [microsoft.com], along with some details about the whole subject.

Hello, my name is Shakey Weaselteat and this is a song about a whale ...

Re:One problem

[Torne]

This crack breaks both LanMan and NTLM hashes. NTLMv2 is not affected.

NTLMv2 was introduced in Windows 2000 and is still not the default; Windows Server 2003 Enterprise defaults to 'Send NTLM only', which will stop LanMan attacks, but not prevent NTLM attacks. It will also not ALLOW NTLMv2 to be used, even if the client supports it. I.E. the only secure authentication system which is available is disabled by default.

Yes, all the MS security practise documents will tell you to set it to NTLMv2 only (which requires upgrading all clients to Windows 2000 or above).. but it's still not the *default*. Enabling NTLMv2 does not break backward compatibility (only disabling v1 does), so I'm not sure how they justify this decision =)

Torne

Of course the Swiss were able to hack it...

[JDRipper]

They've got those great knives after all.

I don't understand

[Trelane, the Squire]

While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.

if a hacker had administrator rights, wouldn't it already be game over? On the other hand, a 20 gb hack isn't extremely portable

Re:I don't understand

[Quietust]

if a hacker had administrator rights, wouldn't it already be game over? On the other hand, a 20 gb hack isn't extremely portable

Not quite - admin rights would only give access to whatever was on that particular machine (and stuff on the network), while the passwords of everyone who used that system would be considerably more valuable.

Re:I don't understand

[truthsearch]

The game's over with admin rights to every workstation. With this scenerio, once you're admin on one computer of the network, it's quick to get every other password on the network, such as domain admins. On Unix, Linux, and Mac OS X, if you're admin and have the hash entries you can't use them to crack into other computers on the same network because of the random bits added to each hash.

About hashes and salted passwords

[DVega]

Anyone who want to learn more about how UNIX Password security was designed should read this paper [ja.net] by Robert Morris and Ken Thompson that explains things like hashes (one way cryptographic functions) and salted passwords.

Re:I don't understand

[whorfin]

The beauty is, consider these email virii applications of this...
- Somebody reads an email with a simplified hack based on this embedded within it (don't need the whole dataset, you just reduce your hit rate)
- They unwittingly send back the machine info and an admim-level password to the hacker. (where I work, all 'owners' have admin rights on their system).
- From this, they can get admil-level access permanently, as well as a chance to download the full crack via a backdoor and get the network admin password, and from there, the whole network.

Administor rights not _technically_ needed ...

[jstockdale]

As with many file based cracks, it is at very least debatable over the need for Administrator access on the box itself. One method that I used to see in the L0phtCrack days was to boot the machine using a black box distribution on a floppy (compressed minimal *nix kernel with ntfs support) then grab the .sam file from the hard drive itself. From there, you can take your time cracking the Administrator password, and then with that access you can remotely dump the registry database on the server from any box

Re:I don't understand

[Xner]

You obviously didn't read the story or failed to picture this properly. It requires a huge chunck of memory. Furthermore, the data in it's dictionary has to come from some where. Very doubtful you'll be able to sneak several gig worth of data onto a machine, and load it into memory, for it to be used as a remote exploit.

Sorry to interrupt your tirade here ... there's no need to get the tables onto the target machine and run the cracker remotely, you just have to sneak the password hash back onto your loca

Is this really news worthy?

[mjmalone]

This is hardly a news. These weaknesses have all been known for years, and the use of dictionary attacks against passwords is very common.

Bruce Schneier talks about all of these attacks and weaknesses in his book "Applied Cryptography" which was published years ago.

Actually...

[tomzyk]

From what I got out of the article, it's NOT a "dictionary attack" - where common words are [brute-force] used to obtain access; rather, it's a brute-force attack where they compare the original password string to the encrypted string.

In this case, the "dictionary" consists of, not just a list of words, but a list of strings and their encrypted companions.

But you're still right: not really news worthy.

"This is not a new vulnerability," he said. "It is only the first time that it has been worked in so muc

Nothing new

[raffe]

"We [cryptonomicon.net] fear, however, that the titles of these articles are a little sensational. While it is true that the LANMAN and NTHash windows password techniques have issues, the paper that kicked off this whole hub-bub [PDF] describes a refinement of an existing attack, not a new attack. We wanted to remind our readers that adequate password security is a good idea, whether your windows systems are being attacked with an adversary with an old copy of L0phtCrack, or with Philippe Oechslin's new system."

Read it all here [cryptonomicon.net]

I hope someone hacks my passwords at work

[gorjusborg]

I hope someone hacks my passwords at work and deletes this stinking code I'm debugging.

Oh, and the backups too. Just point your password crackers to ...

Re:I hope someone hacks my passwords at work

[codexus]

Don't worry your boss has probably printed the whole thing already and you'll just have to retype it all including all the bugs.

Only works with NTMLv1, NTLM v2 not effected.

[figleaf]

This only works with NTML v1. Not with NTML v2.

In order to prevent this
Using secpol.mmc,
in you security pocilies set the LAN manager authentication level to 'NTLMv2 response only refuse LM & NTLM'

The passwords are only crackable if you have Win 9x machines in your doamin.

If you have Windows 2000/2003 domain without Win 9x machines then you passwords cannot be recovered.

Admins can prevent Windows 9x machines from logging in to the network.

This is reason enough to migrate to Windows XP.

Security as an Upgrade Path

[msgmonkey]

With regards to upgrading, I've come to the conclusion that even though MS says they want to improve security in their products having flaws is a great way to force people to upgrade.

I'ill give NT4 as an example which is EOL'd. You're a company who has managed to get your NT4 server rock solid. A new security flaw comes out and since NT4 is EOL'd MS says no security patch for you, upgrade to Win2K.

Of course if you was a complete conspiracy theorist you could say even MS would leak holes in their old prod

If You RTA

[deadlinegrunt]

You'll notice the line:

Users can protect themselves against the attack by adding nonalphanumeric characters to a password. The inclusion of symbols other than alphanumeric characters adds complexity to the process of breaking passwords--and that means the code cracker needs more time or more memory or both.

For those that don't realize considering the following for example:

# characters/Upper Case Only
8 /208,827,064,576
# characters/Upper, Lower, Numbers & Symbols
8 /6,634,204,312,890,620

This post is more for the types that really don't consider their password selection...

This week only

[Ptahian]

I smell a sale coming!

New New NEW. Lower Prices! Krazy Bill is just GIVING these away. Come on down. He's Krazy Krazy KRAZY to license this software with these terms! Get yours TODAY!

What The...?

[tds67]

Why do I keep getting ads for watches and chocolate now?

They *exploit* a Windows password flaw?

[YetAnotherName]

Sensational headline, don't you think Timothy? Swiss Researchers [i]exploited[/i] a password flaw?

I guess you could argue they [i]exploited[/i] it in order to publish their research results, as much as a planetary scientist exploits images of Mars to publish a new theory on subsurface water.

So?

[ioErr]

13.6 seconds or 101 seconds doesn't make much difference, now does it? The real problem is still getting administrator access to the target computer in the first place.

With distributed computing, why bother?

[jeeves99]

Cracking becomes easier if you have access to a distributed network. Parse the table into managable chunks and throw it out to 100 computers. While the time taken to crack the password might not scale down in a linear fashion [ie: time/(N computers)], it will most definately drop the crack time down to less than an hour for those computers with 12bit salts (4906*.6min= 41 hr, 41hr/100comps= 25 minutes).

Even if the 12 bit salt for mac/linux/etc was increased in size, a scale up in the number of computers used would defeat this added protection. The trend in the comp world seems to be more connectivity between large numbers of computers. All it takes is one disgruntled folding@Home grad student out at stanford to break even the most stringent password.

It seems that increasing the size of the salt would prevent the average script kiddie from breaking your password, but does nothing to alleviate the threat distributed computing presents. So what other options are there?

Re:With distributed computing, why bother?

[phkamp]

Nobody but old fashioned "enterprise" UNIXes like HPUX, AIX, Solaris use 12 bit salt.

FreeBSD started using 64 bit salt and MD5 scrambled passwords back in 1994 (when I wrote the code) and since then NetBSD, OpenBSD, Cisco, GLIBC and presumably MAC OSX have adopted that code.

Look for the tell-tale "$1$..." magic marker.

(The fact that GLIBC doesn't correctly attribute the algorithm is somewhat sad, but they refused to do so, even when asked directly).

Re:With distributed computing, why bother?

[rnd()]

I can see it now. People calling tech support saying "I just got a haircut and now my computer says 'Invalid Passpicture'".

I've always taken Microsoft security...

[wfberg]

with a grain of salt.

rimshot

I for one welcome our new Swiss Overlords!!!

[Picass0]

13.6 seconds! Aren't swiss watches wunderful?

Wow, less memory?

[Nanite]

Windows uses less memory to do this trick than Linux. Who knew Windows was so efficient at handling memory when being hacked?

Nanite

Welcome to the 90s

[jeeptj]

This authN method is 8 or 9 years old. You can disable the NT hash by using either a password length of more than 14 chars or by using a simple registry value on Windows 2000 SP2 systems or higher. This KB [microsoft.com] explains how. Any good sys admin should have the LM hash disabled on all Windows machines by default anyways and set strong passwords which contains more than simple letters and numbers.

Mindless Microsoft bashing at it's best!

Hack obsolete on curent Windows servers

[prisoner-of-enigma]

You can (and should) disable NTLM authentication if you're running Windows 2000 or 2003. This is very easy to do and makes any server immune to this type of hashing attack. It's even listed in Microsoft's Best Practices documentation for administrating their servers. It might cause problems with older Win9x clients, but there are updates to these clients that allow them to get along without NTLM.

If you're running Active Directory in Native Mode, NTLM is easily kicked to the curb. However, NT4 machines remain vulnerable to this hack. Yet another reason to just get off of NT.

Incorrect Information In The Article

[Jerk City Troll]

The article makes a statement that I think is untrue:

While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.

Using a tool like Cain & Able [www.oxid.it], it is possible to get access to this information without having administrative rights.

You can also dump the hashes using Cain & Able's password cracking tool. It is really quite trivial to do.

By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Able does this for you.

Have fun.

Re:Incorrect Information In The Article

[alyandon]

Cain & Able requires you to install a service which requires administrative rights as well.

To sniff traffic it requires installing a packet driver... which also requires administrative rights.

The point of the article is not just Windows...

[HaloZero]

...password phr4c|
The point of the article is to show off a faster, new time-memory trade-off technique, not to just down-play Windows security. The manner in which Window's password security is built simply provided an error-free sandbox for this method to be tested, and exemplified.

Don't feed the trolls.

Only 4096 more time on Unix ?

[chrysalis]

I strongly disagree. Maybe this 4096 times applies to the traditional single DES crypt. But execept for some rare compatibilities issues with old systems or for dumb people that create Apache .htpasswd files with it, nobody uses single DES any more for years.

Passwords hashed with MD5 and Blowfish don't have the 8 character limitation. There are still some people who like to assign users passwords like "*9_p7Z9ox" even though their system doesn't use single DES any more. This is just plenty stupid. Not only it's a hell to remember for the end user, but it's damn fast to brute force when hashes are precomputed as described in this article.

A normal password like a real sentence (ex: "I'd like to have sex with Sandra") is not only way more easy to remember, it's also orders of magnitudes harder to brute force.

Re:Only 4096 more time on Unix ?

[pclminion]

I think they might be assuming a 12-bit salt added to the hash. This would make the hash dictionary 4096 times larger, since they would have to compute the hash of each password 4096 times (for each possible 12-bit salt value).

If this is the case, it implies that Windows password hashes do not use salts. Now, I'm not claiming that salting makes the process secure (it doesn't), but it does make it orders of magnitude more intensive to compute a complete hash dictionary. At the expense of 12 bits per password (hell, use more if you want!) it seems worth it to use salts.

UNIX uses 64 bits salt

[phkamp]

The MD5 based password scrambler I wrote for FreeBSD in 1994 uses a 64 bit salt, and has subsequently been adopted by NetBSD, OpenBSD, Cisco GLIBC and pressumbably MAC OSX.

There is no immediate future for a table driven attack on this algorithm (Which can be recognized by the '$1$...' prefix.

HP-UX, Solaris and AIX, however still use the old 12 bit salted DES derived passwords.

Why this doesn't matter AT ALL

[psamuels]

This isn't a security problem.

Windows password hashes (both the LanManager hash described here and the newer NT hash) are never sent "in the clear" over a network, or accessible to non-admins.

Why? Because they are plaintext-equivalent. Most NT network protocols treat the hash itself as a shared secret and do not make any attempt to verify that you know the actual password.

Yes, that's right. You already don't need to know the user's unencrypted password - except possibly for changing it (I can't remember offhand whether the various password-change calls require proof of knowledge of the old password - but I don't think they do either). Once an attacker gets the hashes out of your SAM, the game is already up, even if he can't decrypt them.

Given this fact, I sometimes wonder why Microsoft even bothered to try making NTLM a secure hash. BASE64 would have done pretty much the same job.

Move along, nothing to see here. Your passwords are just as secure, or as insecure, as they ever were.

Not really that much of an issue...

[MoogMan]

...in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points.

To be honest, this isnt as much of a scare as most people would think. A person willing to crack a password in ~13.6 seconds would no doubt be willing to take the extra minute regardless.

Plus you need Administrator privelages to get the hash file anyways, so you'd be able to access anything needed locally anyways.

Finally, crackers wouldnt be able to escalate to these privelages in the first place (hey, they wouldnt have any access on the system), so there really isnt anything for anyone to be concerned.

Symbols in the password

[Nintendork]

If there are symbols in the password, techniques such as this don't work. Most security professionals recommend that password be at least 8 characters and contain random characters including upper and lower case letters, numbers, and symbols. A good example would be 8e#^D2(h

After a dozen or so times typing it in, you actually start to remember it. For those wondering, that password is something I just made up. I don't actually use it. =P~

-Lucas

Either Or

[telstar]

"According to the authors, the same method, when used on Mac OS X, Unix and Linux boxes, however, could require either 4,096 times more memory or 4,096 times longer."

• Do we get to choose?

What is not made clear...

[CommieLib]

Is that adequate passwords make this hack impossible. It relies on a "lookup table" (read, pregenerated dictionary attack results). If your password ain't in it, it ain't happening. Look, chances are, you speak at least few phrases of a foreign language. Dictionary attacks generally use English words; choose a couple of foreign words and numbers for your password, and all this crap goes away.

If you don't choose a decent password, then, well, your password will take five minutes to crack rather than 13.6 seconds. Feel better?

Re:What is not made clear...

[DaCool42]

Unless of course that lookup table contains not just dictionary words, but all alphanumeric combinations. Which I'm pretty sure is what they are doing. In any case, if your password is not in their list, they have certainly narrowed things down a lot.

Oh no! What about my PWLs!

[dmccarty]

Come on, this is just a bunch of anti-American FUD by the Swiss. It's widely known that the .pwl encryption method is the safest in the world!

Mindless Self Promotion

[Valar]

This is pretty much what my pet project (parasite, it's in my sig) does, except it does it for crypt and md5. I'm not really sure what windows uses. The main problem I have right now is actually with GCC under cygwin. It seems to choke sometimeson the large static arrays I use to speed things up. Works fine on everything else though.

Re:Time for OSX, UNIX, Linux

[A Commentor]

So you are not multiplying the proper time. So without any precalucated data, it takes 1m 41 secs, having this precalculated info drops it down to 13 sec.

Now to keep it close to 13 secs, you would need 4096x more data - 1.4G x 4096 = ~5.7 Terabytes.

If you don't have any data, and have 4096 more combinations, you need to take 4096 x 1m41s ~= 4.8 days. Not quite as bad but it still looks like like we need a few more bits for the password salt...

We should just make it a 64-bit salt and not have to worry about it until Quantum computers are viable..

Re:Lost Win XP Pro password

[Richardsonke1]

I'm not sure about XP, but 2000 had a CD that, with physical access to the machine, could very easily reset the admin password to whatever you wanted. All you did was boot up to the CD. Here's [experts-exchange.com] info about Windows 2000. Also, on Windows XP, there is an option to create a password reset disk when you first create your password, or Start->Control Panel->User Accounts. From there, choose the option to create a password reset disk. This only works for BEFORE you forget your password, and is quite unsaf

Re:Lost Win XP Pro password

[mgv]

You could recover your data using Knoppix [knoppix.net], which would let you boot into a system and read the file system. Unless you encrypted that.

Michael

Re:Lost Win XP Pro password

[zoloto]

Go here [eunet.no] and use their nt password recovery tool. Click here [eunet.no] for the floppy boot disk or click here [eunet.no] for the cd boot image (only 2.0 mb)

This works well on Win2k machines and WinXp boxes with sp 3 and 1 respectively as well as the native installs.

cheers!

Re:Gee...

[ncc74656]

I always thought there was something wrong with Microsofts password "encryption." Now it's confirmed.

Why bother cracking NT (and Win2K/XP) passwords when you can just overwrite [eunet.no] them? Boot from this floppy and you can change any local password (including the administrator). It's been useful on more than one occasion at work...when somebody quits or is fired, I can go in and retrieve everything in just a few minutes.

That they're nearly as trivial to crack is somewhat disturbing...but given the ready availability of the password changer, it doesn't make Windows significantly less secure than it already is (hell, it can't get much less secure).

physical access

[MORTAR_COMBAT!]

Boot from this floppy

Because this doesn't require physical access to the machine? Because now some l33t d00d from another country can get passwords?

Re:How does the salt work?

[digitalhermit]

The salt is stored in the hash itself. For example, on a pre-MD5 password ystem you would call the crypt function with the salt and plaintext. It would generate a hash with the first two letters being the salt you provided to crypt(). On more recent Un*x there's a (IIRC) 8 character salt embedded in the hash.

Re:WTF is it with you security guys!

[DaCool42]

You grab the password hash off the network with a sniffer. Then you can work at cracking it for as long as you like.