| Press F1 | ||||
| Thread ID: 35889 | 2003-07-24 11:52:00 | OT: Windows passwords cracked in 13 seconds | agent (30) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 162611 | 2003-07-24 11:52:00 | Just thought I'd warn those who give a toss that Windows passwords are extremely insecure. PC Authority (www.pcauthority.com.au) article has news on it, including new-fangled words like "cryptanalytic" and "time-memory". Looks like my next password will have a few non-alphanumeric characters in it for the sake of extra time. And as a side note, can anyone tell me why adding random characters to a password before it is hashed makes it more secure? And how to do this, and how the verifying system knows what random characters were used? As I'd like to create a website login system that implements that. |
agent (30) | ||
| 162612 | 2003-07-24 12:12:00 | Yes, it's a well-known fact that they can be cracked in that time. This ain't brand new information. Only occurs if the user has access to the computer and can copy the SAM file to another location. To crack it in that time, the specific password has to be in the dictionary. Then if the computer is only using LM authentication, then it takes hardly any time at all to crack. If the machine is using NTLM authentication, then it takes a lot longer, and you have to brute force the passwords. |
PoWa (203) | ||
| 162613 | 2003-07-25 01:13:00 | > Yes, it's a well-known fact that they can be cracked in > that time. This ain't brand new information. Only > occurs if the user has access to the computer and can > copy the SAM file to another location. To crack it in > that time, the specific password has to be in the > dictionary. > > Then if the computer is only using LM authentication, > then it takes hardly any time at all to crack. If the > machine is using NTLM authentication, then it takes a > lot longer, and you have to brute force the > passwords. Actually I don't think he's talking about a dictionary attack, nor LH hashes. I expect he is referring to this: At LASEC (lasecwww.epfl.ch) we have developed an advanced time-memory trade-off method. It is based on original work which was done in 1980 but has never been applied to Windows passwords. It works by calculating all possible hashes in advance and storing some of them in an organized table. The more information you keep in the table, the faster the cracking will be. We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average (see lasecpc13.epfl.ch). With the help of 0.95GB of data we can find the password after an average of 4 million hash operations. A brute force cracker would need to calculate an average of 50% of all hashes, which amounts to about 40 billion hashes for alphanumerical passwords (lanman hash). |
BIFF (1) | ||
| 162614 | 2003-07-25 02:19:00 | You are right there, Biff, and they have got it down to 5 seconds now. | mikebartnz (21) | ||
| 162615 | 2003-07-25 03:33:00 | Agent, you must have misread it. After it's encrypted, random information is then added; that way, if someone out there figured out the way to reverse the algorithm that created the password, it would be thrown off by the random information added. It makes it secure to a point, but once someone learns how the random information was added and the algorithm reversed, it'll be a whole new story of trying to come up with another unbreakable algorithm. I hope you understand the encryption, the algorithm, the whole schamozzle. There are many ways to implement this for websites. First would be encrypting the password with your algorithm; then the random characters could be generated from a piece of hardware in your system, maybe an encrypted string of your hard drive's serial, anything really that no one else would have, so it's your own machine's specifics. The more you put into it, the more protection you can add, but it's time consuming, and no matter what you do, it's only making it improbable to crack, not impossible. Sometimes you have to level out what is more important: getting presence on the web or just spending ages on protecting it. With the amount of flaws found in software, they may not even require breaking your algorithm to get in. |
Kame (312) | ||
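
The salting scheme asked about in the first post and discussed in this reply, as an added example that is not any poster's code: a random per-account salt is mixed in before hashing and stored in the clear beside the hash, which is how the verifier knows it. PBKDF2-SHA256, the iteration count, the record format and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex' for storage in the user table."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # The salt is stored in the clear next to the hash; it is not a secret.
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Read the salt back out of the stored record and recompute the hash."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def unsalted_hash(password):
    """Plain unsalted hash: identical passwords always give identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo():
    # Constructed sample data: a precomputed hash -> password table.
    table = {unsalted_hash(p): p for p in ("letmein", "qwerty", "password1")}
    alice = hash_password("password1")
    bob = hash_password("password1")
    return {
        "unsalted_found_in_table": unsalted_hash("password1") in table,
        "salted_found_in_table": alice.split("$")[2] in table,
        "same_password_same_record": alice == bob,
        "correct_login": verify_password("password1", alice),
        "wrong_login": verify_password("password2", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A table precomputed without the salt no longer matches any stored record, so the time-memory trade-off has to be rebuilt for each account's salt.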
| 162616 | 2003-07-25 09:14:00 | For you not-so-encryption-savvy people, have a read of how it works here (computer.howstuffworks.com) | roofus (483) | ||
| 162617 | 2003-07-25 10:55:00 | Thanks for the link Roofus, I was a bit lost till u posted that link. This stuff is too complicated. :) cheers, v.K |
vk_dre (195) | ||
| 162618 | 2003-07-25 10:56:00 | > Thanks for the link Roofus, I was a bit lost till u > posted that link. This stuff is too complicated. :) Just kidding....:D So can u guys summarise wot u have written, cos there is 2 much to read. cheers, v.K |
vk_dre (195) | ||