[<prev] [next>] [day] [month] [year] [list]
Message-ID: <176745228.20030723190837@chabot.net>
From: marc at chabot.net (Marc Chabot (.net))
Subject: Windows passwords are GARBAGE !
==== 1. News and Views ====
by Paul Thurrott, thurrott@...netmag.com
Researchers Crack Windows Passwords in Seconds
Swiss researchers have developed a password-cracking scheme, based
on a method first developed in 1980, that lets them crack most Windows
passwords in about 13 seconds (the original method takes more than a
minute and a half longer). The scheme enforces a growing concern in
the security community that the way in which Microsoft encodes
passwords in Windows is inherently weak, opening the door for cracking
programs to use brute-force methods to test and break passwords.
Philippe Oechslin, one of the Swiss researchers, recently published
an online paper, "Making a Faster Cryptanalytic Time-Memory
Trade-Off," which highlights the new password-cracking scheme.
Oechslin will present the paper in August at Crypto 2003, an
international cryptology conference held this year at the University
of California, Santa Barbara and organized by the International
Association for Cryptologic Research (IACR) in cooperation with the
IEEE Computer Society Technical Committee on Security and Privacy.
"As an example, we have implemented an attack on MS-Windows
password hashes," the researchers write. "Using 1.4GB of data (two
CD-ROMs) we can crack 99.9 percent of all alphanumerical passwords
hashes ... in 13.6 seconds whereas it takes 101 seconds with the
current approach using distinguished points. We show that the gain
could be even much higher depending on the parameters used."
Oddly, the researchers weren't interested in cracking Windows
passwords but rather were trying to demonstrate the previous
theoretical cryptanalytic time-memory trade-off technique. They note
that Microsoft's passwords are weak because, when encrypted, they
don't include any random information. Thus, the same password on two
Windows machines will always be the same when encrypted, which makes
breaking the password encryption much easier than if the passwords
were randomized.
Although generating more secure passwords by using nonalphanumeric
characters and other special characters is possible, the researchers
say that even this approach won't solve the inherent problem in
Windows because all they'd need is more time or a larger data set (or
both) to crack those passwords as well. Instead, Microsoft will have
to fix this feature to encrypt passwords with random information, the
researchers say.
--
Best regards,
CanonBall mail to: marc@...bot.net
Encourage bacteria: it's the only culture some people have!
Powered by blists - more mailing lists