Windows Passwords: Guess-ability v/s Crack-ability

Windows password complexity can often be misleading. A “complex” password may be hard to guess without tripping the account lockout threshold, but that does not make it hard to crack. On a recent engagement, I found that the password complexity policy and account lockout policy were set as recommended: passwords had to be at least 8 characters long, alphanumeric, and contain at least one special character. With an account lockout threshold of 3, that is a hard-to-guess password.


Now, crackability is a different issue. I ran into a 12 character long domain administrator password, with letters, numbers, special characters, et al. How hard do you think that was to crack? It took the better part of 5 minutes. Let me caveat the following discussion by saying that the Windows domain in question did support LM hashes, making the job considerably easier.


I ran the password through ophcrack, using the built-in alphanumeric Rainbow Table. 20 seconds later, I had the first 7 characters of the password staring me in the face.

LM hashes can be cracked as two separate 7 character chunks. The first 7 characters in this case had no special characters, just 1 numeral and 6 letters, and so the rainbow table got ’em.


Next, I took this 7 character password segment, added it to the dictionary file for John the Ripper, and let it rip. On returning from a short bathroom break I found that the other 5 characters had been cracked too, even though they contained 2 special characters.


I know the weakness created by supporting LanMan hashes isn’t news to security pros, but to date I still see it supported in nearly every organization I assess.


The point I’m trying to drive home is that a 12 character “complex” password may be hard to guess, but not necessarily hard to crack, depending on its composition and hashing algorithm. Since an LM hashed password behaves like 2 separate 7 character passwords, when setting Windows passwords make each 7 character chunk complex on its own, with special characters, numbers and letters. Or, even better, don’t support LM hashes at all: set the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel registry key to a value greater than 1. The counter argument to the second countermeasure is “But I have Windows 9x machines to support (that need LM)”. If that is the case, DSClient.exe from Microsoft can alleviate that problem. Better still, get rid of those antiquated machines.
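To make the “two separate passwords” point concrete, here is an added example (my own illustrative code, not a tool from the engagement) that splits a candidate password the way LM does and reports, per 7 character half, whether an alphanumeric-only rainbow table of the kind used above would cover it. It assumes the LM rules described here: upper-casing, truncation to 14 characters, null padding, and independent hashing of each half; the sample passwords are constructed.

```python
import string

LM_CHUNK = 7
LM_MAX_LEN = 2 * LM_CHUNK
ALNUM = set(string.ascii_uppercase + string.digits)


def lm_chunks(password: str) -> list:
    """Return the two 7-character halves that LM hashes independently.

    LM upper-cases the password, truncates it to 14 characters and
    null-pads it, so a password of 7 characters or fewer leaves the
    second half empty (a constant, instantly recognisable hash).
    """
    padded = password.upper()[:LM_MAX_LEN].ljust(LM_MAX_LEN, "\x00")
    return [padded[:LM_CHUNK], padded[LM_CHUNK:]]


def classify_chunk(chunk: str) -> dict:
    """Describe one half: character classes present, and whether an
    alphanumeric-only rainbow table (as in the post) covers it outright."""
    chars = [c for c in chunk if c != "\x00"]
    info = {
        "letters": sum(c.isalpha() for c in chars),
        "digits": sum(c.isdigit() for c in chars),
        "specials": sum(c not in ALNUM for c in chars),
        "empty": not chars,
    }
    # Every character inside the table's charset => the table alone recovers it.
    info["alnum_table_covers"] = bool(chars) and info["specials"] == 0
    return info


def assess(password: str) -> list:
    """Per-half assessment; the weakest half bounds the whole password."""
    return [classify_chunk(c) for c in lm_chunks(password)]


def weakest_half_note(password: str) -> str:
    """One-line verdict in the spirit of the post's recommendation."""
    halves = assess(password)
    if halves[1]["empty"]:
        return "second half empty: only 7 characters protect the LM hash"
    if any(h["alnum_table_covers"] for h in halves):
        return "a half is alphanumeric-only: an alphanumeric rainbow table covers it"
    return "both halves mix in specials: outside an alphanumeric table"


if __name__ == "__main__":
    # Constructed sample passwords, not the one from the engagement.
    for pw in ("Summer2010!!", "abc", "S!mmer2010!!"):
        print(pw, "->", weakest_half_note(pw))
```

NTLM hashes are not split this way, so this check only matters where LM hashes are still stored or sent.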


A fantastic book about passwords by Mark Burnett: Perfect Passwords

A great book on Windows security by Roger Grimes: Professional Windows Desktop and Server Hardening (Programmer to Programmer) (Don’t let the title fool you, this is a book for administrators, not programmers.)

–Rohyt


4 Comments so far

  1. Chris January 27th, 2010 10:22 pm

    You can reset a Windows user account password in safe mode (F8 when booting up). But if you forgot the administrator password, you must reinstall the Windows OS or use a Windows password recovery disk.
    http://www.windowsloginrecovery.com

  2. lost windows password February 10th, 2010 12:33 am

    If you lost your Windows password, I think the best solution is making a Windows password recovery disk with a third-party utility. The disk works perfectly to recover the Windows password to “Blank”. It is also useful for administrator password recovery; you can write it to a blank CD or USB flash drive to recover the administrator password. Booting up and clearing a password takes a minute or two and works like a charm.

  3. czpuck February 26th, 2010 5:23 am

    You can use the Windows password recovery tool “Any Windows Password Recovery 3.0” to help bypass the Windows password: http://www.anypasswordrecovery.com/. It does not need to reformat or reinstall the Windows OS, so there is no data loss. It’s safe.

  4. pusdck February 26th, 2010 5:25 am

    You can use the Windows password recovery tool “Any Windows Password Recovery 3.0” to help bypass the Windows password: http://www.anypasswordrecovery.com/. It does not need to reformat or reinstall the Windows OS, so there is no data loss. It’s safe.
