ibe98765 Posted August 16, 2004 Share Posted August 16, 2004 Cracking Windows passwords in secondsLast modified: July 22, 2003, 7:05 PM PDTBy Robert Lemos Staff Writer, CNET News.comIf your passwords consist of letters and numbers, beware. Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code. The results highlight a fact about which many security researchers have worried: Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective, Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL), wrote in an e-mail to CNET News.com. "Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information." Full article Try demo here: http://lasecwww.epfl.ch/~oechslin/projects...crack/index.phpFirst generate a hash code (or if you have the right tools, you can grab it off your system). Then paste the hash code into hash field box and click "Submit hash". Quote Link to comment Share on other sites More sharing options...
-ct- Posted August 16, 2004 Share Posted August 16, 2004 or i could just boot from a cd and be in the system to get any file at any time i want in under 30 secondsERD Commander is a nice tool Quote Link to comment Share on other sites More sharing options...
ibe98765 Posted August 16, 2004 Author Share Posted August 16, 2004 or i could just boot from a cd and be in the system to get any file at any time i want in under 30 secondsYes, but you need physical access to do this... Quote Link to comment Share on other sites More sharing options...
NRD Posted August 16, 2004 Share Posted August 16, 2004 I found that amazing...I've always used non-alpha characters in my passwords, but the speed at which it was able to crack mixed case alpha passes is incredible.I wonder how long it will be before text based authentication is a thing of the past. Quote Link to comment Share on other sites More sharing options...
ibe98765 Posted August 17, 2004 Author Share Posted August 17, 2004 I found that amazing...I've always used non-alpha characters in my passwords, but the speed at which it was able to crack mixed case alpha passes is incredible.I wonder how long it will be before text based authentication is a thing of the past.Yes, but the demo is only the tip of what they have done. From the CNET article:Oechslin, for example, has created a new version of his program using 20GB of lookup tables that can break passwords made of numbers, letters and 16 other characters in an average of 30 seconds for large batches of passwords. Quote Link to comment Share on other sites More sharing options...
Marsden11 Posted August 17, 2004 Share Posted August 17, 2004 It chocked on my hash... then gave up! But then, I don't use a simple alpha-numeric password... 18 characters, including special characters...MS considers it "strong." Quote Link to comment Share on other sites More sharing options...
Marsden11 Posted August 17, 2004 Share Posted August 17, 2004 In a couple of years we will all be using bio based scanned images and I don't think we will all be going around chopping off each others thumbs to gain access... Quote Link to comment Share on other sites More sharing options...
jar92380 Posted August 18, 2004 Share Posted August 18, 2004 you never know....... Quote Link to comment Share on other sites More sharing options...
Marsden11 Posted August 18, 2004 Share Posted August 18, 2004 ...News of serious flaws in the SHA-1 algorithm could, depending on the details, roil the computer security industry. Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It's certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard. SHA-1 yields a 160-bit output, which is longer than MD5's 128-bit output and is considered more secure. Jim Hughes, general chairman of the Crypto 2004 conference, said on Tuesday morning that the news was sufficiently important that he was organizing the first Webcast in the conference's 24-year history. "There are three significant rump session papers on hash collisions that will be presented," including an update on Joux's findings, Hughes said in a message to a cryptography-related mailing list. The MD5, SHA-0, and SHA-1 algorithms are known to computer scientists as hash functions. They take all kinds of input, from an e-mail message to an operating-system kernel, and generate what's supposed to be a unique fingerprint. Changing even one letter in the input file results in a completely different fingerprint. Security applications rely on these fingerprints being unique. But if a malicious attacker could generate the same fingerprint with a different input stream, the cloned fingerprint--known as a hash collision--would certify that software with a back door is safe to download and execute. It would help a crook who wanted to falsely sign an e-mail instructing that someone's bank account be emptied... http://news.com.com/Crypto+researchers+abu....html?tag=st_lh I think it is pretty clear now that complex algoithms are not strong enough to withstand the pace of technology... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.