Windows Password Flaw Revealed

By David Worthington | Published July 24, 2003, 12:04 AM

In the snap of a finger, or a blink of an eye, your Windows password could be cracked. Swiss researchers have published a paper citing a weakness in Windows encryption allowing passwords to be revealed in an average of 13.6 seconds.

Most security experts recommend alphanumeric passwords for enhanced security. Even users who follow this precaution are at risk on Microsoft Windows because of the security design of the operating system.

Alternatives such as Unix, Linux/GNU, and Macs have used a well-known component dubbed "salt" in their password hashes for years, a value that can take up to 4,096 different values. Windows does not, relying instead on the aging 7-bit LANMan hash and the more recent NTHASH, which makes a brute-force attack's look-up time less of a chore.

Resurrecting a decades-old computer science theorem, Philippe Oechslin, a fellow of the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL), devised pre-calculated lookup tables to assist in breaking passwords hashed by Windows.

As a result of these tables, fewer calculations need to be performed by an attacker's machine. Termed a "time-memory trade-off", the principle is simple: the more memory the attacker possesses, the faster the attack.
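To make the trade-off concrete, here is an added toy example (not code from the paper or from Oechslin's site) of a precomputed chain table, in the rainbow-table style the article describes, run against a tiny keyspace. It stores only chain endpoints, so a few hundred rows stand in for the whole keyspace, and it also shows the point of the salt paragraph above: a table built for an unsalted hash is useless against a salted one, and covering 4,096 salt values would require 4,096 tables. SHA-256 is used as a stand-in for the unsalted hash (Windows uses LANMan/NT hashes, not SHA-256), the 3-letter keyspace, chain parameters and reduction function are all constructed for illustration, and the sample salt is made up.

```python
import hashlib
import string

# Toy keyspace: every 3-character lowercase password (26**3 = 17,576). Constructed
# for illustration; real tables cover far larger character sets and lengths.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN


def unsalted_hash(password: str) -> bytes:
    """Stand-in for an unsalted hash such as LANMan/NT: the same password always
    yields the same digest, on every machine, so one precomputation serves forever."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(salt: str, password: str) -> bytes:
    """The same hash with a per-account salt mixed in, in the spirit of Unix crypt."""
    return hashlib.sha256((salt + password).encode()).digest()


def index_to_password(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password of the keyspace."""
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Column-dependent reduction function R_i: folds a digest back into the keyspace.
    Using a different function per column is what makes this a rainbow table."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return index_to_password(n)


def chain_element(start: str, column: int) -> str:
    """Password at position `column` of the chain that begins at `start` (column 0)."""
    pw = start
    for i in range(column):
        pw = reduce_to_password(unsalted_hash(pw), i)
    return pw


def build_table(num_chains: int, chain_len: int) -> dict:
    """Precomputation phase: walk each chain once and keep only (end -> starts).
    Memory spent here is what buys the short lookup time later."""
    table = {}
    for k in range(num_chains):
        start = index_to_password((k * 7919) % KEYSPACE)  # deterministic, spread-out starts
        end = chain_element(start, chain_len)
        table.setdefault(end, []).append(start)
    return table


def crack(table: dict, target: bytes, chain_len: int):
    """Lookup phase: assume the target sits in column `col`, walk to the chain end,
    and regenerate any chain whose endpoint matches to recover the preimage."""
    for col in range(chain_len - 1, -1, -1):
        pw = reduce_to_password(target, col)
        for i in range(col + 1, chain_len):
            pw = reduce_to_password(unsalted_hash(pw), i)
        for start in table.get(pw, ()):
            candidate = chain_element(start, col)
            if unsalted_hash(candidate) == target:  # rejects false alarms from merged chains
                return candidate
    return None


def sample_coverage(table: dict, chain_len: int, stride: int = 88) -> float:
    """Fraction of a deterministic sample of the keyspace the table recovers."""
    sample = [index_to_password(n) for n in range(0, KEYSPACE, stride)]
    hits = sum(1 for pw in sample if crack(table, unsalted_hash(pw), chain_len) == pw)
    return hits / len(sample)


if __name__ == "__main__":
    CHAINS, LENGTH = 600, 40                      # 600 rows stand in for 17,576 passwords
    table = build_table(CHAINS, LENGTH)
    print("rows stored:", sum(len(v) for v in table.values()), "of", KEYSPACE, "passwords")
    print("unsalted lookup:", crack(table, unsalted_hash("cat"), LENGTH))
    print("salted lookup:  ", crack(table, salted_hash("Qz", "cat"), LENGTH))  # constructed salt
    print("sample coverage: %.0f%%" % (100 * sample_coverage(table, LENGTH)))
```

The table holds 600 endpoint rows yet recovers a large share of the 17,576 passwords; the cost moved from the lookup to the one-time precomputation. The salted lookup returns nothing because the table was walked over unsalted digests: with a salt the attacker would need one such table per salt value, which is exactly what the 4,096 values mentioned above buy a Unix-style system and what an unsalted LANMan or NT hash gives away.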

The following text is cited from the paper:

"As an example we have implemented an attack on Windows password hashes. Using 1.4 GB of data we can crack 99.9 percent of all alphanumerical password hashes in 13.6 seconds, whereas it takes 101 seconds with the current approach using distinguished points."

An AMD Athlon XP 2500+ processor with 1.5 GB of RAM executed the test.

The researchers were so sure of their findings that they crafted a web page to publicly demonstrate the flaw. Once a queued request has been processed, the site lists the corresponding email, hash and password. Although each user is permitted to crack only one password, the queue had to be throttled due to overwhelming demand.

Administrative access and special applications are needed to pull up the password hash in its raw form, making the site something less of a public spectacle. However, it has made the folks at Redmond a bit flushed.

Oechslin did not feel the need to contact the software giant with his findings, since it is well known that Microsoft does not use "salt". Microsoft could not be reached for comment; the company prefers to work in cooperation with third parties in the event of any security breach.

In the meantime, users can add symbols into their password mix.

Comments


Finally if you'll take a look at their stats at http://lasecpc13.epfl.ch/ntcrack/stats.php . Approximately 38% of all submitted hashes had been cracked. So?

Score: 0


I've been hacked by the Swedes. I'm going to bed.

Score: 0


My system is 100% secured with Windows XP.

I don't believe anyone can hack my system!!

MS rules!

Score: 0


If you are so sure, why didn't you post your IP address? ;)

Score: 0


Are you working for MS???

Score: 0


Am I the only one who thinks he was joking? :)

Score: 0


No problem - my IP is 127.0.0.1 ;)

Score: 0


The paper is more about trading memory for efficiency: a well-used practice in other computing algorithms. Using a known problem in Microsoft's product is a rather nice way to get the media's attention. So this isn't really about revealing a flaw but revealing a new way to take advantage of a flaw.

Score: 0


What is so hard about just changing the algorithm for the key set? Maybe some random data like PGP uses. Just a thought.

Score: 0


oh my god! there is a security problem with windows!

Score: 0


hahahaaaa it would be the first...if windows would be safe..

and even now they said that they would focus on security in 2002/2003... duuuhhh...

Score: 0


Why is DirectX even installed by default!!!!!

Score: 0


Salt doesn't safeguard against everything, it simply removes the opportunity of a birthday attack. If you know the account you are trying to breach, Administrator for instance, a salt still wouldn't do you any good because you simply have to precompute the dictionary seeded with that salt. If you have access to the passwd list, you have access to the salt too.

This falls under one of those laws of security, if anyone has physical access to a machine, then there is no security. This is more FUD than anything.

Score: 0


You know what, you have a point that it's FUD from the standpoint of physical access to the machine, but let's be real. Should we not hold this crucial component of our software to a higher standard than this?

Kudos to the people who expose this weakness. And instead of blaming people and pulling our own political/philosophical ideologies into the mix, I would hope people can concentrate their efforts on encouraging, dare I say demanding more security from their products.

When I can bypass a Windows XP login by just inserting a Windows 2000 system recovery disk, there is something WRONG with what's going on here.

Let's hope this new secure computing initiative pays off.

Score: 0


If one does not have a floppy or CD drive in the server, how is one going to boot anything except the HD? Cracking a hash is nothing! Who cares! Mr Hacker has to get into the system and run a 3rd party tool with administrative rights to grab the hashes and then crack them.

A good admin would disable the Administrator account and tweak the Registry to not show the Last Logged On User. So Mr Hacker has his work cut out. He still has to get past the Login Screen before ANY hash cracking can be done.

The whole hash cracking thing is moot!

Score: 0


Let's face it, Windows has never been secure, and the way Microsoft is going it probably never will be... This isn't an isolated case here, this is just one of so many holes, flaws, bugs, and problems it has involving security (not to mention everything else).... Windows XP is a rip-off, and any system admin running it thinking it's "secure" is out of his mind.

Most admins that I know in certain corporations run Windows 2000 SP4 based or Linux/UNIX servers. And they are better off.

The fact is Linux is what they should be running anyway; we run it at work, and I run it at home. It's by far the best operating system for my needs (whether it be serving, programming, or even gaming).

Score: 0


Your claims are completely unsubstantiated. You state no fact, just trolling.

Fact: There has only been ONE, yes that's ONE, flaw in the default install of Windows 2003.

Why use Linux when you can run BSD, a far better Unix clone?

Score: 0


Why do you then follow it with a blatant troll comment? "Why use Linux when you can run BSD, a far better Unix clone?" Where are your facts?

Score: 0


Check openbsd.org for your answer.

"Only one remote hole in the default install, in more than 7 years!"

Score: 0


That's not proof, especially when I can come back with something like this: http://www.nsa.gov/selinux/

Score: 0


Interesting, but I'm not convinced of its superiority.

". . . Security-enhanced Linux is not an attempt to correct any flaws that may currently exist in Linux. Instead, it is simply an example of how mandatory access controls that can confine the actions of any process, including a superuser process, can be added into Linux. The focus of this work has not been on system assurance or other security features such as security auditing, although these elements are also important for a secure system."

hmmmm. . . .

Score: 0


clap clap clap, that's great thanks for your opinion. ;-)

Score: 0

