lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <176745228.20030723190837@chabot.net>
From: marc at chabot.net (Marc Chabot (.net))
Subject: Windows passwords are GARBAGE !

==== 1. News and Views ====
   by Paul Thurrott, thurrott@...netmag.com

Researchers Crack Windows Passwords in Seconds

   Swiss researchers have developed a password-cracking scheme, based
on a method first developed in 1980, that lets them crack most Windows
passwords in about 13 seconds (the original method takes more than a
minute and a half longer). The scheme enforces a growing concern in
the security community that the way in which Microsoft encodes
passwords in Windows is inherently weak, opening the door for cracking
programs to use brute-force methods to test and break passwords.

   Philippe Oechslin, one of the Swiss researchers, recently published
an online paper, "Making a Faster Cryptanalytic Time-Memory
Trade-Off," which highlights the new password-cracking scheme.
Oechslin will present the paper in August at Crypto 2003, an
international cryptology conference held this year at the University
of California, Santa Barbara and organized by the International
Association for Cryptologic Research (IACR) in cooperation with the
IEEE Computer Society Technical Committee on Security and Privacy.

   "As an example, we have implemented an attack on MS-Windows
password hashes," the researchers write. "Using 1.4GB of data (two
CD-ROMs) we can crack 99.9 percent of all alphanumerical passwords
hashes ... in 13.6 seconds whereas it takes 101 seconds with the
current approach using distinguished points. We show that the gain
could be even much higher depending on the parameters used."

   Oddly, the researchers weren't interested in cracking Windows
passwords but rather were trying to demonstrate the previous
theoretical cryptanalytic time-memory trade-off technique. They note
that Microsoft's passwords are weak because, when encrypted, they
don't include any random information. Thus, the same password on two
Windows machines will always be the same when encrypted, which makes
breaking the password encryption much easier than if the passwords
were randomized.

   Although generating more secure passwords by using nonalphanumeric
characters and other special characters is possible, the researchers
say that even this approach won't solve the inherent problem in
Windows because all they'd need is more time or a larger data set (or
both) to crack those passwords as well. Instead, Microsoft will have
to fix this feature to encrypt passwords with random information, the
researchers say.

-- 
Best regards,
 CanonBall                          mail to:   marc@...bot.net

Encourage bacteria: it's the only culture some people have!


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ