Microsoft Passwords easy to crack?

Discussion in 'other security issues & news' started by Antarctica, Jul 24, 2003.

Thread Status:
Not open for further replies.
  1. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    From CNET News Security.

    http://zdnet.com.com/2100-1105_2-5053063.html
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    Nothing new, but faster than the well-known ways like L0phtcrack and John the Ripper, and really easy to prevent ;)
    For WinXP, for instance:
    Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, modify or create the DWORD value NoLMHash and set it to 1.
    Reboot and change all users' pwds and you are done ;)
     
  3. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :p JacK, maybe I'm a little dense on this, but can you tell me what the point of the Swiss (or anybody else for that matter) publicly announcing (and at the same time -exposing-) stuff like this which apparently assists in the compromise of most systems? Is it a test in the ongoing battle or something?
     
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello A+WM,

    Just sensationalism AFM: everybody has known for years about the weakness of the old LM hash passwords stored... (if you run W98/Me, god help you ...) No need on Win2K and up.

    This password hash (the LM hash) hasn't been safe for years . . . the average time to crack went from like a minute to a few seconds. Big deal. It only took minutes before, it's not any less safe now. L0phtcrack has been preying on the LM hash for years successfully. However, as part of a good defense in depth, if you remove the LM hash from the SAM, LC4 will have a MUCH tougher time cracking your passwords, if at all. If you remove the hash from the SAM and use a password / passphrase like "You;will;never;ever;guess;this!", LC4 will never crack it in any reasonable amount of time (especially if you force passwords to expire every 42 days etc.).


    I recommend reading: http://support.microsoft.com/?id=299656
    and : http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/Windows/Win2kHG/03OSInstl.asp

    I have seen some giving their e-mail and asking the program to find the pwd, which will be published on the site! As the lambda user often uses the same authentication to log in on the W3, it's kind of a supermarket for script kiddies.... One might also ask for the pswd for some proxies....

    Really a bad idea to put that in the open.

    Really stupid from "seakers" IMHO

    Rgds,
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: Thanks very much, JacK... seems like I have A LOT of study ahead about this... geez...
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    The fun part is of course that these Swiss were not only able to create a lookup table for the bad lanman hash, but for the NT hash as well. This password encryption scheme is lots better than the lanman hash, but it still contains one major weakness:
    For other OSes you can't use a lookup table, because there's no direct relation between the entered password and the encrypted form of the password.

    So you may call this a marketing plot for exposing an old vulnerability; to me this is applied science. Before, you could only use password cracking tools, which means that the risk of exploiting other people's passwords was a more or less academic risk. Right now, thanks to this academy, it's a real threat.
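    The weakness meneer points at, that a hash with no per-user salt maps each password to one fixed value, so a table can be computed once and reused against every account, can be shown in a few lines. The following is an added example, not code from this thread or from the Swiss researchers' tool: it uses SHA-256 as a stand-in for LM/NT hashing (the salt is the point, not the hash algorithm) and a constructed five-word list in place of a real dictionary.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist, standing in for the dictionary a table builder would use.
WORDLIST = ["password", "letmein", "Summer2003", "qwerty", "hunter2"]


def unsalted_hash(password: str) -> str:
    """Fixed mapping password -> digest, the property LM and NT hashes share:
    no per-user input, so identical passwords give identical digests everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Digest depends on a random per-user salt stored beside it (the scheme
    meneer contrasts with Windows); the same password differs per user."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password once, offline. Simplified version of the
    idea behind the lookup tables the article describes."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Recover a password from a stored digest by a dictionary lookup;
    no hashing work is done at lookup time."""
    return table.get(digest)


def table_vs_unsalted(password: str) -> Optional[str]:
    """A stored unsalted digest: one table hit returns the password
    (None if the password is not in the wordlist the table was built from)."""
    return lookup(build_lookup_table(WORDLIST), unsalted_hash(password))


def table_vs_salted(password: str, salt: bytes) -> Optional[str]:
    """A stored salted digest: the same table, built without the salt, cannot match,
    even when the password is in the wordlist."""
    return lookup(build_lookup_table(WORDLIST), salted_hash(password, salt))


def same_password_two_users(password: str) -> Tuple[bool, bool]:
    """Two accounts sharing a password: unsalted digests collide (so one table entry
    covers both), salted digests with independent random salts do not."""
    unsalted_equal = unsalted_hash(password) == unsalted_hash(password)
    salted_equal = salted_hash(password, os.urandom(16)) == salted_hash(password, os.urandom(16))
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print("unsalted, word in list:", table_vs_unsalted("Summer2003"))              # Summer2003
    print("salted,   word in list:", table_vs_salted("Summer2003", os.urandom(16)))  # None
    print("same pwd, two users (unsalted equal, salted equal):",
          same_password_two_users("letmein"))                                      # (True, False)
```

    The table is built once and answers every unsalted query instantly; to reach a salted digest the whole precomputation would have to be redone for each salt value, which is what takes the attacker back to the per-password cracking cost that meneer calls the "academic" risk.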
     
  7. keith2468

    keith2468 Registered Member

    Joined:
    Jul 26, 2003
    Posts:
    1
    If you have or can get access to the password file you probably also have or can get access to install a keystroke logger. A keystroke logger will eventually end up giving you all the passwords, not just the M$ related ones.

    Which makes the whole discussion of decrypting the password file less of a practical concern and more an interesting academic exercise.

    The other thing is that passwords aren't encryption. Password protection does not safeguard your files the way encryption does. Password protection only prevents standard tools reading files.

    This is like discussing the theft of automobiles or car stereo systems.

    - It shouldn't surprise anyone the crime can be done. (The US army has had tanks stolen. Crime is really hard to totally prevent.)

    - Publishing step-by-step how-to's to an audience that includes criminals (on occasions when that happens) in order to boost sales of a protection service or to gain publicity is ethically unacceptable for a professional.

    On the other hand, the general public does need to have general information on how to prevent serious breaches of security.
     
  8. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello, it just confirms you need to use strong pwds ;)

    I gave it an NTHash as I don't use LMHash: nope, unable to find a rather weak 8-character pwd NiB:)J0!

    Rgds,
     
  9. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello, no need for a keylogger: if you have access with an Admin account, that means root access, nothing else needed ;)

    Rgds,
     
  10. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thanks for the reg hack, JacK! Done. Pete
     