BetaONE will rise again!


#1
23rd Jul 03, 11:57 PM
Alpine (Retired Crew)
Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a user, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code.

The results highlight a fact about which many security researchers have worried: Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective, Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL), wrote in an e-mail to CNET News.com. "Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."

Source:
http://news.com.com/2100-1009_3-5053063.html?tag=fd_top

BugTraq Archive - Cracking windows passwords in 5 seconds
http://www.securityfocus.com/archive/1/330004


LASEC - Advanced Instant NT Password Cracker (actual working web based demo):
http://lasecpc13.epfl.ch/ntcrack
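An added illustration of the point quoted in the post above, not code from the article or the researchers: a table computed once resolves every hash that carries no random salt, and stops matching as soon as a per-account salt is mixed in. SHA-256 and PBKDF2 are stand-ins for the real algorithms, and the 3-character keyspace, account names and passwords are constructed for the example.

```python
import hashlib
import itertools
import os
import string

ALPHABET = string.ascii_lowercase + string.digits  # toy alphanumeric keyspace
LENGTH = 3                                         # 36**3 = 46,656 candidates

def unsalted_hash(password):
    # Deterministic and salt-free: the same password always encodes the same way.
    # SHA-256 is a stand-in here, not the Windows algorithm.
    return hashlib.sha256(password.encode()).digest()

def salted_hash(password, salt):
    # Per-account random salt mixed in through PBKDF2 (stand-in for any salted scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

def build_table():
    # Memory spent once: hash -> password for the whole keyspace.
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        candidate = "".join(chars)
        table[unsalted_hash(candidate)] = candidate
    return table

def audit(stored, table):
    # One dictionary lookup per account; None means the table does not apply.
    return {user: table.get(digest) for user, digest in stored.items()}

def demo():
    table = build_table()
    # Constructed accounts; alice and bob share a password.
    passwords = {"alice": "k3y", "bob": "k3y", "carol": "z9q"}
    unsalted = {u: unsalted_hash(p) for u, p in passwords.items()}
    salts = {u: os.urandom(16) for u in passwords}
    salted = {u: salted_hash(p, salts[u]) for u, p in passwords.items()}
    return {
        "unsalted_hits": audit(unsalted, table),
        "salted_hits": audit(salted, table),
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"] == salted["bob"],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Without a salt, the shared password also shows up as two identical stored values, which is what lets one table serve every account at once.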
#2
24th Jul 03, 11:22 PM
Alpine (Retired Crew)
What do you think about that!!

Please... post comments!!

Thx!
#3
25th Jul 03, 12:29 AM
~*McoreD*~ (Super Moderator)
I know; this is shocking.
As far as I understood, this cracker needs hashes to be dumped from the computer.
For that you have to have administrator rights on your computer, and there are some tools to dump passwords from your computer.

I don't know what Microsoft's solution for this will be, but as they state in their Help and Support:

Quote:
Why you should not run your computer as an administrator
Running Windows 2000 or Windows XP as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

You should add yourself to the Users or Power Users group. When you log on as a member of the Users group, you can perform routine tasks, including running programs and visiting Internet sites, without exposing your computer to unnecessary risk. As a member of the Power Users group, you can perform routine tasks and you can also install programs, add printers, and use most Control Panel items. If you need to perform administrative tasks, such as upgrading the operating system or configuring system parameters, then log off and log back on as an administrator.

If you frequently need to log on as an administrator, you can use the runas command to start programs as an administrator. For more information, see To start programs as an administrator.

I would strongly suggest everyone use Limited User accounts.
Have all the passwords created by a strong password generator.
The free Command Prompt method is

net user UserName /random

e.g.

Code:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\McoreD>net user McoreD /random
Password for McoreD is: xcLkJ:rj

The command completed successfully.

C:\Documents and Settings\McoreD>
#4
26th Jul 03, 12:06 AM
Galen (Junior Member)
What is Microsoft going to do? lol First they'll probably sit on their butts for a month or two, then if they have seen enough pass cracking going on, they might get up and do something about it. Unfortunately, Microsoft is and always has been more money oriented and not as focused on their product. A good reason we haven't seen anything new in Windows for a long time. And as for not running in admin mode, that's a good idea, and it's true for any OS, Windows, Linux or otherwise. Thanks for the info Alpine.