Cracking Windows Passwords: Do You Feel Secure?

a2jfreak Houston, TX Member
edited July 2003 in Science & Tech

Comments

  • maxanon Montreal
    edited July 2003
    Nothing can really be secured electronically.
  • EMT Seattle, WA Icrontian
    edited July 2003
    Someone should mod windows to make it use this "random salt" in the encrypted passwords :)
  • Nixxer Nottingham, UK
    edited July 2003
    Somebody could make a Windows Password decoder watch, so we can all break passwords. Although it would be huge to have all the info from a reference table on.
  • hooj Bournemouth, UK
    edited July 2003
    If you go here http://lasecpc13.epfl.ch/ntcrack/ they have the password cracker up and running.

    These are the people who designed the algorithm to crack the passwords.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited July 2003
    Well, the only easy way I know to do that is encryption cracking. I kinda like shadowing passwords in Linux, which is a 256 bit encryption AFAIK.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2003
    This is yet another case of overblown media hype which causes every grandma & grandpa, aunt janet, and uncle mark, and mom & dad and cousin tim to frantically get on the phone and call their favorite computer hobbyist relative (most likely YOU) and tell them about this terrible NEW HACK that simply MUST be removed from their computer IMMEDIATELY. As if, suddenly becoming AWARE of an exploit that has existed for years makes them vulnerable. I hate when the media pulls this crap.

    Look, the NT community has known for a very long time that windows passwords just plain suck - hell, security in windows is a joke, period. That's why important computers run unix.

    First of all, understand that you must have admin access to get the lanman hash file. Of course, we all know that this is very simple to achieve on 94% of the windows computers in the world. But the lanman hash has always been easy to crack - ntcrack has been around since 1997. You can look at this in a couple of ways:

    1) This is yet another example of why good password policy is important. Not that it matters, 95% of the people in corporate america still use their kid's first name as their password, or something equally idiotic, like "god" or "ceo" or "fumblenutz1", not realizing that by adding a ~ or an ! to the end of their password would go leagues towards making it more secure. In this regard, absolutely nothing has changed as far as this "story" is concerned - so these dudes made it take 30 seconds instead of two hours to crack - sweet.

    2) This "news" is the mass-media variety - I'm sure we'll be seeing it on local evening news broadcasts, they love this "techie" crap - but it's not like CIOs and IT department heads don't already know about NT's bullcrap security. So this is just another case of "wow, this will make great 10:55pm end of the night news! Let's scare the crap out of all the home broadband users!"

    Moral of the story: Security in windows has always sucked - this is NOT new. Use @#*&@#*& in your passwords, please.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2003
    Ageek said
    Well, the only easy way I know to do that is encryption cracking. I kinda like shadowing passwords in Linux, which is a 256 bit encryption AFAIK.

    Not that that matters either - a 256bit encrypted version of "bob" or "1234" is still a bullcrap password. People need to realize that using passwords like "UIT23jjfje__12!!!*~k" are the only way to make passwords more secure. Believe me, no matter how encrypted it is, if it's a simple word or number or word/number combo, modern crack programs can slice through them easily - you'll see in an article that I'm working on for short-media :)
  • a2jfreak Houston, TX Member
    edited July 2003
    No, but a better attempt can, nay, should, be made.
    maxanon said
    Nothing can really be secured electronically.




    Perhaps it does get a bit blown out of proportion, but it still poses a risk that could be greatly reduced by simply adding a few bits of random data while encrypting the passwords.
    primesuspect said
    This is yet another case of overblown media hype which causes every grandma & grandpa, aunt janet, and uncle mark, and mom & dad and cousin tim to frantically get on the phone and call their favorite computer hobbyist relative (most likely YOU) and tell them about this terrible NEW HACK that simply MUST be removed from their computer IMMEDIATELY. As if, suddenly becoming AWARE of an exploit that has existed for years makes them vulnerable. I hate when the media pulls this crap.

    Look, the NT community has known for a very long time that windows passwords just plain suck - hell, security in windows is a joke, period. That's why important computers run unix.

    First of all, understand that you must have admin access to get the lanman hash file. Of course, we all know that this is very simple to achieve on 94% of the windows computers in the world. But the lanman hash has always been easy to crack - ntcrack has been around since 1997. You can look at this in a couple of ways:

    1) This is yet another example of why good password policy is important. Not that it matters, 95% of the people in corporate america still use their kid's first name as their password, or something equally idiotic, like "god" or "ceo" or "fumblenutz1", not realizing that by adding a ~ or an ! to the end of their password would go leagues towards making it more secure. In this regard, absolutely nothing has changed as far as this "story" is concerned - so these dudes made it take 30 seconds instead of two hours to crack - sweet.

    2) This "news" is the mass-media variety - I'm sure we'll be seeing it on local evening news broadcasts, they love this "techie" crap - but it's not like CIOs and IT department heads don't already know about NT's bullcrap security. So this is just another case of "wow, this will make great 10:55pm end of the night news! Let's scare the crap out of all the home broadband users!"

    Moral of the story: Security in windows has always sucked - this is NOT new. Use @#*&@#*& in your passwords, please.




    Yes! Yes! Yes! Now I know your password! Now I can control the, erm, well, I guess I can't truly control squat with that password. Oh well.
    primesuspect said


    Not that that matters either - a 256bit encrypted version of "bob" or "1234" is still a bullcrap password. People need to realize that using passwords like "UIT23jjfje__12!!!*~k" are the only way to make passwords more secure. Believe me, no matter how encrypted it is, if it's a simple word or number or word/number combo, modern crack programs can slice through them easily - you'll see in an article that I'm working on for short-media :)
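
Added example, not part of the thread or of any poster's code: a sketch of why the per-account "random salt" raised above defeats a precomputed reference table. SHA-256 stands in for an unsalted scheme (it is not the LanMan algorithm), and the account names, iteration count, and helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this illustration

def unsalted_hash(password):
    # Stand-in for any unsalted scheme (SHA-256 here, not the LanMan algorithm).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt=None):
    # A fresh random salt per account; the salt is stored next to the digest.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)

def build_table(candidates):
    # Computed once, then reusable against every store that uses unsalted_hash.
    return {unsalted_hash(p): p for p in candidates}

def exposed_accounts(store, table):
    # Audit helper: accounts whose stored unsalted hash is already in the table.
    return sorted(user for user, h in store.items() if h in table)

# Constructed accounts; the passwords are the examples quoted in the thread.
ACCOUNTS = {"alice": "bob", "carol": "bob", "dave": "UIT23jjfje__12!!!*~k"}

def demo():
    table = build_table(["bob", "1234", "god", "ceo"])
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_hash(p) for u, p in ACCOUNTS.items()}
    hits = exposed_accounts(unsalted, table)
    # Same password, different salts: the stored digests no longer match each
    # other, and none of them can appear in a table built without the salt.
    shared = salted["alice"][1] == salted["carol"][1]
    salted_hits = sorted(u for u, (_, d) in salted.items() if d.hex() in table)
    return hits, shared, salted_hits

if __name__ == "__main__":
    print(demo())
```

A salt only removes the precomputation shortcut: a guessable password such as "bob" can still be tried directly against its own salt, so the work factor and the password choice still matter.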