Password Cracking

  pauldonovan 10:10 04 Jan 2006

Hopefully this won't get dropped due to the title. This isn't a request or a provision of information.

All I wanted to say was I was very surprised when I had to investigate this area (as one of our executives had an old laptop and couldn't remember the password) how easy it was to change the passwords on a local PC. It was done within about 15 minutes of researching it.

It also made me wonder, whether Microsoft encrypt the passwords stored on a PC and if so has that encryption ever been leaked? I have not heard of a software tool that 'displays' the passwords, only ones that can change them. I guess even to do that the encryption (if any) must be known.

I hope I won't get flamed for this - I'm not a 'hacker' just using a tool to help a colleague with a spot of bother and would not use for any other means. It just intrigued me is all.

  Chegs ®™ 11:45 04 Jan 2006

There are lots of freely available tools and pages of info on hacking/cracking encryption online, be it WEP/WPA wireless codes, to OS passwords. I am interested in PC security and looked up a heap of info, initially via Google but then Google reported they're "filtering" their info but there are more than just Google search engines about. My knowledge of these things is poor as I simply can't retain the necessary details to use them, although I have played with WEP cracking on my LAN and was amazed to find I could "break" my 128 bit codekey inside 20 minutes.

  pauldonovan 11:53 04 Jan 2006

interest in this stuff, otherwise you don't know what is possible and that could lead to you being unknowingly 'vulnerable'.

Physical security always plays some part but I think you really need to be looking towards 2 factors (e.g. a pin number and a physical device with a code on it - a keyfob like RSA's) or fingerprints etc. to get any security.

I think people would be surprised to know that their password actually means very little in many cases.

  wee eddie 12:24 04 Jan 2006

From a friend in Military Security about 3 years ago.

"If we had undisturbed use of any PC or Laptop for 24 hours, there is no code that you could remember that would deny us access."

"Give us 2 hours and we will be able to enter all but the very few."

On that basis, I use passwords that are historical but simple, as that will deny access to the casual hacker.

  Forum Editor 16:43 04 Jan 2006

can be discovered eventually - some take longer than others, that's all.

The fact is that 99% of the people who use home computers don't have any data that is so important it has to be protected from hackers. Machines which really do need protection have other security measures in place, besides passwords, to prevent intrusion, and some of those measures are very secure.

One of my clients is a merchant bank, and I designed a web site which was for their private banking clients to access their investment portfolios remotely. The bank was absolutely terrified about unauthorised access, and I spent days with their head-office staff discussing ways in which I was going to secure the site. The result was a site that has been online for two years without a single security breach - despite several serious hacking attempts. I can't divulge details of how we protect the data, but we certainly don't rely on passwords.

  pauldonovan 17:24 04 Jan 2006

"99% of the people who use home computers don't have any data that is so important it has to be protected from hackers"

Bit of a generalisation that I've heard before on here, I think from Gandalf, and it troubles me a bit. I think it could encourage the view that security at home isn't important. In any case, it isn't just about data. How many of that 99% use internet banking or have remote access to their offices from home? Should their machines not be protected from hackers just because they don't have 'important data' on them? It all depends on how you define hackers, important data etc.

My post wasn't really just about home computer users although perhaps that is the target audience of this forum/magazine? Why is there so much in magazines about security, firewalls, virus scanning if people's home machines aren't worth protecting from hackers? Does someone who emails you a virus count as a hacker if they are trying to harvest PCs for malicious use?

In any case, it wasn't 'hackers' (traditionally viewed as outside people getting in IMHO) so much I'm worried about as by the time they're presented with a login prompt to your work/home PC they are already 'in'.... it was more the possibility that any tech-savvy person armed with a CD-ROM (e.g. employee, plumber, cleaner) could walk into your office/home and get past passwords and many people might not be aware of that.

I'm not trying to be confrontational with this, just exploring our differing understandings of this topic.

  Haol 17:56 04 Jan 2006

Windows encrypts its passwords in the SAM file using a one-way encryption, meaning it can't be decrypted, which is not true as there are many programs out there that are capable of decrypting it. So as far as Windows being safe, that's not true either.

  ade.h 18:46 04 Jan 2006

What about hardware passwords? Are they more secure than the Windows password? Especially one that accepts a limited number of attempts?

I use the built-in hardware password on my laptop, with a fairly complex key, if only to frustrate a thief should the worst happen.

How easy is it to crack, given that a random password generator would not work, due to the attempt limit?

  Haol 19:18 04 Jan 2006

Are you talking about a BIOS password? If so then there are several ways of doing this and most are pretty easy.

  ade.h 19:27 04 Jan 2006

No I'm not; this is very different to a BIOS password. I'm talking about a hardware password that appears every time you switch on the computer. If you don't enter the password, nothing will boot.

  DieSse 19:34 04 Jan 2006

But surely this is just a password built-in to the BIOS (NOT a password to access the BIOS - that's possible also, but different).

Trouble with BIOS passwords is - take out the battery - the BIOS stored parameters clear - and hey presto the password's gone!

This thread is now locked and can not be replied to.
