L0phtCrack's back! Crack hack app whacks Windows 10 trash hashes Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven. The password cracker was first released 19 years ago gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time. No new versions …
Another trick for a stand alone windows 7 box is booting off a live linux USB, and do the following:
- pick an input utility to bugger with. In this case, the on screen keyboard
- rename that utility (osk.exe to osk.old)
- rename cmd.exe to osk.exe
- reboot into windows
Now you can call the osk from the login screen, which will in fact run cmd.exe with full admin rights.
Then resetting the password is a simple command: net user *username* *newpassword*
> booting off a live linux {CD, USB}
All BIOSes allow one to define allowable boot devices, and I haven't seen one for decades that doesn't have a degree of password protection for the BIOS setup [1]. If you care enough, you can forbid the possibility of booting from a CD.
Having said that, I used regularly to use a live CD on a secure network for which I had *my own* Windows credentials: the tools available were just so much more powerful than the ones I could get installed for Windows.
[1] The BIOS password will also be crackable, of course. Mantra: "If the geezer in the Black Hat has unfettered access to the physical device, you're screwed."
I'm curious to know if I'm the only person who recommends people use memorable songs to generate passwords - either by taking the first character of each word in a line from the song to generate a seemingly random but very memorable password, or better (if the system in question allows) by using a whole line/lyric as a very long passphrase ?
No, this is likely to be caught by extensive dictionary tries.
Use shocking nonsense instead:
but:
passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices
And also:
how-linkedins-password-sloppiness-hurts-us-all
where a commenter says:
Now the fine prints:
Use a different randomly generated password for each service.
Use a password manager for most of your password.
For the handful of important services (banking, main e-mail...) use:
-> unique passwords
-> use systems with limited number of trials (timers and so on)
-> use multifactor authentification
Trouble with many publicly stated algorithms for generating passwords, is that...
a) Hackers will know these and be able to generate them - add a bit of social engineering - e.g. facebook + favorited bands + "I use song lyrics...", who's family/friends copy the idea...
b) More people use the same method to generate the same passwords which then end up in the hackers database from a breach...
OK some of these ideas can generate large numbers of variants, but you need to keep the method secret - so your per service password is unique to you AND the service.
I'm not saying I use Latin phases from Aeneid
"Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall."
Another option is Orthographic Passwords
https://nousrandom.net/passwordmaker/orthgraphicpasswords.html
or password creators that uses a most all words, not just a few thousand words like some sites use.
https://nousrandom.net/passwordmaker/wordpasswords.html
These might generate good passwords, but should you use them: No.
A password is something that should only be known to you; someone telling you a password means that that someone knows your password. If I were NSA/GCHQ/BlackHatCracker I would create a web site like this and wait until someone who I wanted to infiltrate used it ...
If the source were available and I could download and run it (privately) on my own machine, I might use it.
In the UK at least the combination of a neighbours car number and the model number on a bit of equipment is likely to be secure and yet still easy to use.
An example (not one that I use!!!)
S357HGKAOA110Ab where S357HGK is a car registration number and AOA110Ab is the model number of a netbook.
(The car reg number above is a made up number - I do not know if it is still in use.)
...which runs LinuxMint 18 I set up session based two factor authentication with Google Authenticator. It was very simple: just install GA and edit two files in /etc/pam.d and then scan the QR code with my phone. I even use it on my home server as part of my SSH authentication. In fact I use 2FA on every website and online service that supports it. Which is not nearly enough.
I can't help but wonder why there are not more FOSS 2FA solutions for windows and the Internet as a whole. It would solve a lot of problems. So many that El Reg might have a significant drop in stories about security breaches.
"A 4 digit PIN will have no chance against a brute force."
The 4 digit PIN only protects the basic local PC login - not your online account Microsoft account, etc.
The idea being that a basic password protection level, but only giving minimal access is better than slightly better password protection level, but giving you the keys to the kingdom...
What did I say about Linux? But since you brought it up, I might as well pick apart that man page. Salting is industry standard practice, if it wasn't salting the password it would be an issue. You don't get extra points for doing things that are standard practice, you lose them for not doing them.
So, to follow that up. SHA512 is better than NTLM, but if Microsoft is going to change to a new hash, they should go for best in class and not just the trailing edge of what's considered passable today.
"I can remember my dad's registration on car he used to have until about 1960"
I can remember that and those of the next two.
Beware someone digitising old family photos and putting them online. Details of more recent vehicles may be lurking in insurance or similar databases.
What if the input script accepted the new password (PW$), and then created a salted repeated-password string like this:
SaltedPW$ = Salt0$ + PW$ + Salt1$ + PW$ + Salt2$ + PW$ + Salt3$ + PW$ + Salt4$
Then send that away for hashing and storage.
The human user only needs to remember their wee little PW$.
Signing In uses the same concatenation technique, before the hash comparison.
But the Crackers with the stolen hash file need to de-hash these SaltedPW$ monsters. Yeah, good luck.
I hope that this helps.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
