Windows Passwords: Guess-ability v/s Crack-ability
Windows password complexity can often be misleading. A “complex” password may be hard to guess without reaching the account lockout threshold, but not necessarily hard to crack. On a recent engagement, I found that the password complexity policy and account lockout policies were set as recommended. The passwords had to be at least 8 characters long, alphanumeric, and contain at least one special character. With an account lockout threshold of 3, that is a hard-to-guess password.
Now, crackability is a different issue. I ran into a 12 character long domain administrator password – letters, numbers, special characters, et al. How hard do you think that was to crack? It took the better part of 5 minutes. Let me caveat the following discussion by saying that the Windows domain in question did support LM hashes, which made the job considerably easier.
I ran the password through ophcrack, using the built-in alphanumeric rainbow table. 20 seconds later, I had the first 7 characters of the password staring me in the face.
LM hashes can be cracked as two separate 7 character chunks. The first 7 characters in this case had no special characters – 1 numeral and 6 letters – and so the rainbow table got ‘em.
Next, I took this 7 character password segment and fed it into the dictionary file for John the Ripper and let it rip. On returning from a short bathroom break I found that the other 5 characters had been cracked even though they contained 2 special characters.
I know the weakness created by supporting LanMan hashes isn’t news to security pros, but to date I still see it supported in nearly every organization I assess.
The point I’m trying to drive home is that a 12 character “complex” password may be hard to guess, but not necessarily hard to crack, depending on its composition and hashing algorithm. Since an LM hashed password behaves like 2 separate passwords, when setting Windows passwords make each 7 character chunk complex with special characters, numbers and letters. Or, even better, don’t support LM hashes; set the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel registry key to a value greater than 1. Note that LMCompatibilityLevel governs which LM/NTLM responses are sent and accepted on the wire; to stop the LM hash from being stored at all (which is what offline cracking relies on), the separate NoLMHash value under the same Lsa key (policy: “Do not store LAN Manager hash value on next password change”) must be set, and it only takes effect for each account at its next password change. The counter argument to the second countermeasure is “But I have Windows 9x machines to support (that need LM)”. If that is the case, DSClient.exe from Microsoft can alleviate that problem. Better still, get rid of those antiquated machines.
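To make the “two separate passwords” effect concrete, here is an added Python sketch (not part of the original post, and not a hash implementation) that decomposes a candidate password the way LM hashing does and reports the search space an attacker faces per half, as a policy-review aid. Assumptions: the sample password is constructed; keyspace is counted by character class (LM is case-insensitive, so letters count as 26), and the full-password comparison uses the 95 printable ASCII characters.

```python
import string

# The LM hash of an all-NUL (empty) 7-byte half is a well-known constant;
# any password of 7 characters or fewer has it as its second half.
LM_NULL_HALF_HEX = "AAD3B435B51404EE"


def lm_halves(password: str):
    """Split a password the way LM hashing does: upper-case it, NUL-pad to
    14 bytes, and return the two 7-character chunks. Returns None when no
    LM hash would be stored at all (password longer than 14 characters)."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def chunk_charset(chunk: str) -> int:
    """Size of the smallest class-based alphabet that covers this chunk."""
    chunk = chunk.rstrip("\0")
    size = 0
    if any(c in string.ascii_uppercase for c in chunk):
        size += 26          # case-insensitive: 26 letters, not 52
    if any(c in string.digits for c in chunk):
        size += 10
    if any(c in string.punctuation or c == " " for c in chunk):
        size += 33          # 32 printable ASCII symbols plus space
    return size


def lm_exposure(password: str) -> dict:
    """Per-half crack-resistance report for a candidate password."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "halves": []}
    report = {"lm_stored": True, "halves": []}
    alnum = string.ascii_uppercase + string.digits
    for half in halves:
        text = half.rstrip("\0")
        report["halves"].append({
            "text": text,
            "length": len(text),
            "null_half": text == "",   # hash would be LM_NULL_HALF_HEX
            "alnum_only": text != "" and all(c in alnum for c in text),
            "keyspace": chunk_charset(half) ** len(text) if text else 1,
        })
    # An attacker pays the SUM of the two halves, not the product that a
    # single case-sensitive search over the whole password would cost.
    report["lm_work"] = sum(h["keyspace"] for h in report["halves"])
    report["full_search"] = 95 ** len(password)
    return report
```

Running `lm_exposure("Summer0p@$s1")` shows the first half is alphanumeric-only (inside an alphanumeric rainbow table’s reach) and the second half is only a 5-character search, while the same 12 characters treated as one case-sensitive password would be 95^12.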
A fantastic book about passwords by Mark Burnett: Perfect Passwords
A great book on Windows security by Roger Grimes: Professional Windows Desktop and Server Hardening (Programmer to Programmer) (Don’t let the title fool you, this is a book for administrators, not programmers.)
–Rohyt
You can reset a Windows user account password in safe mode (F8 when booting up). But if you forgot the administrator password, you must reinstall the Windows OS or use a Windows password recovery disk.
http://www.windowsloginrecovery.com
If you lost your Windows password, I think the best solution is making a Windows password recovery disk with a third-party utility. The disk works perfectly to recover the Windows password to “Blank”. It is also useful for administrator password recovery; you can write it to a blank CD or USB flash drive to recover the administrator password. Booting up and clearing a password takes a minute or two and works like a charm.
You can use the Windows password recovery tool “Any Windows Password Recovery 3.0” to help bypass the Windows password: http://www.anypasswordrecovery.com/. It does not need you to reformat or reinstall the Windows OS, so there is no data loss. It’s safe.
Yeah, nice idea. Thank you!
I forgot the password several days ago. According to your suggestion, I have now solved it.
I found one piece of software called “Windows Password Key 8.0” to get back the password; it is the easiest and most useful tool!
It didn’t work for my computer either.
Then I tried http://www.top-password.com/reset-windows-password.html
It worked.
Forgot your Windows password? Do not be so anxious. I know a tool, Windows Password Reset Kit 1.5, which can help reset a Windows password without reinstalling the Windows OS; it’s safe and easy. You can get the Windows password recovery tool from the reference link: http://www.reset-windows-password.net