Windows Passwords: Guess-ability v/s Crack-ability
Windows password complexity can often be misleading. A “complex” password may be hard to guess without reaching the account lockout threshold, but not necessarily hard to crack. On a recent engagement, I found that the password complexity policy and account lockout policy were set as recommended. Passwords had to be at least 8 characters long, alphanumeric and contain at least one special character. With an account lockout threshold of 3, that’s a hard-to-guess password.
Now, crackability is a different issue. I ran into a 12 character long domain administrator password – letters, numbers, special characters, et al. How hard do you think that was to crack? It took the better part of 5 minutes. Let me caveat the following discussion by saying that the Windows domain in question did support LM hashes, making the job considerably easier.
I ran the password through ophcrack, using the built-in alphanumeric Rainbow Table. 20 seconds later, I had the first 7 characters of the password staring me in the face.
LM hashes can be cracked as two separate 7 character chunks. The first 7 characters in this case had no special characters – 1 numeral and 6 letters – and so the rainbow table got ‘em.
Next, I took this 7 character password segment and fed it into the dictionary file for John the Ripper and let it rip. On returning from a short bathroom break I found that the other 5 characters had been cracked, even though they had 2 special characters in them.
I know the weakness created by supporting LanMan hashes isn’t news to security pros, but to date I still see it supported in nearly every organization I assess.
The point I’m trying to drive home is that a 12 character “complex” password may be hard to guess, but not necessarily hard to crack, depending on its composition and the hashing algorithm. Since an LM hashed password behaves like 2 separate 7 character passwords, when setting Windows passwords make each 7 character chunk complex with special characters, numbers and letters. Or, even better, don’t support LM hashes: set the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel registry key to a value greater than 1. The counter argument to the second countermeasure is “But I have Windows 9x machines to support (that need LM)”. If that is the case, DSClient.exe from Microsoft can alleviate that problem. Better still, get rid of those antiquated machines.
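As an added example (not code from the original post), here is a Python check of the per-chunk rule above: it mirrors how LM preprocesses a password (uppercase, cut or pad to 14 bytes, split into two 7-byte halves) and reports which halves would fall to an alphanumeric rainbow table and whether every half carries letters, digits and specials. The sample passwords are constructed.

```python
import string

LM_CHUNK = 7            # each LM half is 7 bytes and is attacked independently
LM_MAX = 2 * LM_CHUNK   # LM keeps at most 14 bytes of the password
ALNUM = set(string.ascii_uppercase + string.digits)


def lm_halves(password):
    """Mimic LM preprocessing: uppercase, cut/pad to 14 bytes, split in two."""
    p = password.upper()[:LM_MAX].ljust(LM_MAX, "\0")
    return p[:LM_CHUNK], p[LM_CHUNK:]


def classify_half(half):
    """Rate one 7-byte LM half by the character set an attacker must search."""
    chars = half.rstrip("\0")
    if not chars:
        return "empty"          # password <= 7 chars: this half is a fixed, well-known value
    if set(chars) <= ALNUM:
        return "alphanumeric"   # within reach of an alphanumeric rainbow table
    return "mixed"              # search space must include special characters


def has_all_classes(half):
    """True when the half itself has at least one letter, digit and special."""
    chars = half.rstrip("\0")
    return (any(c.isalpha() for c in chars)
            and any(c.isdigit() for c in chars)
            and any(not c.isalnum() for c in chars))


def lm_chunk_report(password):
    """Apply the post's rule: every LM half must be complex on its own."""
    halves = lm_halves(password)
    return {
        "halves": [classify_half(h) for h in halves],
        "each_half_complex": all(has_all_classes(h) for h in halves),
        # NT-family Windows stores no LM hash for passwords longer than 14 chars
        "lm_stored": len(password) <= LM_MAX,
    }


if __name__ == "__main__":
    # Constructed 12-char password shaped like the one in the post:
    # first half is letters plus one digit, the specials all sit in the second half.
    for pw in ("Welcom1e!#2a", "Ab1!cdeFg2#hij"):
        print(pw, lm_chunk_report(pw))
```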
A fantastic book about passwords by Mark Burnett: Perfect Passwords
A great book on Windows security by Roger Grimes: Professional Windows Desktop and Server Hardening (Programmer to Programmer) (Don’t let the title fool you, this is a book for administrators, not programmers.)
–Rohyt
I cannot believe this will work!
I have downloaded Windows Password Key 8.0. It is a very quick and useful utility for resetting passwords. It not only supports XP, 2000, and NT; I have also personally tested it with Vista Home Premium and Ultimate. It works perfectly to reset any local user account to a blank password.
Just an easy to use bootable CD/DVD. It can also be used on a USB flash drive. http://www.lostwindowspassword.com/
A hot piece of software for cracking passwords is Windows Password Reset 7.0. It supports Windows 7 password reset, as well as Windows Vista, XP, 2008, 2003 and 2000, etc. The size is very small, only 1.76M. And it works very fast. It is done in one second.
Forgot or lost your Windows password? Reset your Windows 7 password with Password Unlocker Bundle, one of whose functions is to recover Windows passwords for Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 7, etc. This password recovery bundle is based on a friendly GUI; even a computer novice can control the whole process freely. Besides, Password Unlocker Bundle saves a lot of trouble. It helps to create a Windows password reset CD, with which you can remove the admin password even if you have logged out of the computer, yet no reinstalling, no data loss!
Password Unlocker Bundle is a professional password recovery kit, which contains a series of password recovery tools: Windows password recovery, PDF password recovery, MS documents password recovery, MS Excel password recovery, WinZIP/ZIP password recovery, WinRAR/RAR password recovery, MS SQL password recovery, Internet password recovery, Windows Live/MSN password recovery, MS Access password recovery, Outlook password recovery, and Outlook Express password recovery, etc. No matter whether you are at home or in the office, the bundle helps to reset the password we forgot or lost. Grasp the opportunity.
I know a simple way to reset the Windows password to blank when you have forgotten the administrator password; it does not need a reinstall of the Windows OS and won’t lose any data, by using “Any Windows Password Recovery 3.0”. Maybe this could help.
You can reset a Windows user account password in safe mode (F8 when booting up). But if you forgot the administrator password, you must reinstall the Windows OS or use a Windows password recovery disk.
http://www.windowsloginrecovery.com