L0phtCrack's back! Crack hack app whacks Windows 10 trash hashes

Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven. The password cracker was first released 19 years ago, gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time. No new versions …

  1. Anonymous Coward

    Did anyone else read "NSA recommended"...

    ... I can't help but think of them as the bad guys.

    I always knew stuff would be monitored, this isn't surprising but the scale was far FAR beyond my expectations and some of the levels they went to...

    1. Anonymous Coward

      Re: Did anyone else read "NSA recommended"...

      Same AC here (promise, totally should have included like a hash of a phrase in my earlier post)

      Not saying "DON'T TRUST SHA512" and co, they're known, old, good, so forth, what I meant was if the NSA was like "use this software" I'd be dubious.

      I bet you those failed fighter jets that need regular rebooting will be Cloud powered BTW. Different TLA I know.

    2. Mark 85 Silver badge

      Re: Did anyone else read "NSA recommended"...

      But FBI Director Comey likes this stuff... passwords easily broken is a step forward in his vision. Oh wait.. he doesn't believe the NSA either.

    3. Grifter

      Re: Did anyone else read "NSA recommended"...

      >> them as the bad guys.

      But see that's the beauty of their statement, they know you'd be suspicious of anything they champion, so in order to try to get people not to use sha512, they'll say do use it. This inception goes many levels deep. I bought tinfoil cheap in bulk, everyone's welcome to a hat!

      1. Geoffrey W Silver badge

        Re: Did anyone else read "NSA recommended"...

        RE "I bought tinfoil cheap in bulk, everyone's welcome to a hat!"

        Yes please! I can't get mine to work properly and the voices just get amplified. Send it to :-

        Me,

        The little shack in the woods,

        Raccoon Hollow,

        On a mountain,

        20 Minutes into the future,

        USA

        Ta!

        1. Destroy All Monsters Silver badge

          Re: Did anyone else read "NSA recommended"...

          If I deliver there, will I be menaced by glorious AKM?

          1. Geoffrey W Silver badge

            Re: Did anyone else read "NSA recommended"...

            RE: "If I deliver there, will I be menaced by glorious AKM?"

            I'm British, I don't do AKM, glorious or otherwise. I chase people away by droning on and on about the weather and seeing if they can outrun my pet whippet (I AM a Northerner) before it licks them to death, and before my ferret runs up their trouser leg.

        2. Sir Runcible Spoon Silver badge

          Re: Did anyone else read "NSA recommended"...

          "20 Minutes into the future"

          You are Eddison Carter and I claim my £5

      2. Sparks_

        Re: Did anyone else read "NSA recommended"...

        NSA gaming the tinfoil market too?

    4. yossarianuk

      Re: Did anyone else read "NSA recommended"...

      They are in many ways (along with GCHQ).

      However don't forget they use Linux themselves along with SELINUX

    5. Anonymous Coward

      Re: Did anyone else read "NSA recommended"...

      "Microsoft, which still relies on NTLM password hashing."

      No it doesn't. NTLM is considered obsolete and current Windows operating systems use the stronger NTLMv2 or Kerberos authentication methods. L0phtcrack works on UNIX passwords too....


      1. Joe Montana

        Re: Did anyone else read "NSA recommended"...

        NTLMv1 is no longer used as a network authentication scheme, but the underlying passwords are still stored using the NTLM hashing scheme.

        Two different (although related) things.

        The reason Microsoft can't change the hashing scheme as easily as Linux can is because the network authentication protocols are tied to the hashing method, so you would need to update all the clients too.

        1. Anonymous Coward

          Re: Did anyone else read "NSA recommended"...

          "but the underlying passwords are still stored using the NTLM hashing scheme."

          Ever since Windows 2008 onwards when you install a new domain, the "NoLMHash policy" is set by default which disables the storing of the NTLM hash...

  2. Youngone Silver badge
    Pint

    Nope

    The last time I needed to recover a forgotten Windows password I used Ophcrack, which cost me nothing.

    Boot from the disc, tell it to find the password, and I don't remember it taking hours either.

    Ophcrack doesn't do password audits however, so there's that.

    1. MonkeyCee Silver badge

      Re: Nope

      Another trick for a stand alone windows 7 box is booting off a live linux USB, and do the following:

      - pick an input utility to bugger with. In this case, the on screen keyboard

      - rename that utility (osk.exe to osk.old)

      - rename cmd.exe to osk.exe

      - reboot into windows

      Now you can call the osk from the login screen, which will in fact run cmd.exe with full admin rights.

      Then resetting the password is a simple command: net user *username* *newpassword*

      1. herman Silver badge

        Re: Nope

        If the HD is not encrypted. Otherwise you got to recover that password first, which may take you a whole lot longer.

      2. Wade Burchette

        Re: Nope

        For those without a touchscreen, utilman.exe is another choice. This is the file for accessibility options. I like to use the command net user username * because the * prompts for a new password.

      3. Jonathan Richards 1
        Pirate

        Re: Nope

        > booting off a live linux {CD, USB}

        All BIOSes allow one to define allowable boot devices, and I haven't seen one for decades that doesn't have a degree of password protection for the BIOS setup [1]. If you care enough, you can forbid the possibility of booting from a CD.

        Having said that, I used regularly to use a live CD on a secure network for which I had *my own* Windows credentials: the tools available were just so much more powerful than the ones I could get installed for Windows.

        [1] The BIOS password will also be crackable, of course. Mantra: "If the geezer in the Black Hat has unfettered access to the physical device, you're screwed."

      4. Pompous Git Silver badge
        Pint

        Re: Nope

        MonkeyCee and Chigaimasmaro, your blood's worth bottling!

    2. Chigaimasmaro

      Re: Nope

      This is a similar method as stated above, but just involves 5 taps of the shift key to invoke an admin command prompt.

      http://www.howtogeek.com/96630/how-to-reset-your-forgotten-windows-password-the-easy-way/
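The osk.exe, utilman.exe and Sticky Keys (sethc.exe) swaps described in the two posts above leave a clear artefact on disk: an accessibility helper that is byte-for-byte a copy of cmd.exe, and often the renamed original (osk.old) sitting beside it. The following check, an added example rather than anything from the thread or from L0phtCrack, hashes those files and reports matches. The file names come from the posts and from the standard System32 layout; the demo tree it scans is constructed in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers that the logon screen launches with SYSTEM rights.
# osk.exe and utilman.exe are named in the thread; sethc.exe is the Sticky
# Keys helper behind the "five taps of Shift" variant.
ACCESSIBILITY_BINARIES = ("osk.exe", "utilman.exe", "sethc.exe")
SHELL_BINARY = "cmd.exe"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_accessibility_binaries(system32: Path) -> list[str]:
    """Return accessibility binaries whose content is identical to cmd.exe.

    The trick copies or renames cmd.exe over one of these names, so an equal
    digest is a direct indicator. Missing files are skipped, not reported.
    """
    shell = system32 / SHELL_BINARY
    if not shell.is_file():
        return []
    shell_digest = sha256_of(shell)
    swapped = []
    for name in ACCESSIBILITY_BINARIES:
        candidate = system32 / name
        if candidate.is_file() and sha256_of(candidate) == shell_digest:
            swapped.append(name)
    return swapped


def find_leftover_renames(system32: Path) -> list[str]:
    """Report renamed originals such as osk.old left behind by the procedure."""
    return sorted(
        p.name for p in system32.glob("*.old")
        if p.name.lower().replace(".old", ".exe") in ACCESSIBILITY_BINARIES
    )


def demo() -> tuple[list[str], list[str]]:
    """Constructed System32 stand-in: osk.exe overwritten with a copy of
    cmd.exe, the original left behind as osk.old, the rest untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cmd.exe").write_bytes(b"constructed stand-in for cmd.exe")
        (root / "osk.exe").write_bytes(b"constructed stand-in for cmd.exe")
        (root / "osk.old").write_bytes(b"constructed stand-in for the real osk.exe")
        (root / "utilman.exe").write_bytes(b"constructed stand-in for utilman.exe")
        (root / "sethc.exe").write_bytes(b"constructed stand-in for sethc.exe")
        return find_swapped_accessibility_binaries(root), find_leftover_renames(root)


if __name__ == "__main__":
    real = Path(r"C:\Windows\System32")
    target = real if real.is_dir() else None
    if target is not None:
        print("swapped:", find_swapped_accessibility_binaries(target))
        print("leftovers:", find_leftover_renames(target))
    else:
        print("demo result (constructed tree):", demo())
```

On a real host the same two functions run against C:\Windows\System32; a non-empty result from either is worth a look, and comparing the digest against the signed copy in the component store is the natural follow-up. herman's point in the thread still stands: full-disk encryption stops the offline swap in the first place, so the check is a detective control, not a preventive one.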

  3. Anonymous Coward

    Microsoft says...

    But Office 365 insists on a combination of at least three of upper case, lower case, numbers or punctuation, of at least 8 characters, which is something I suppose :-)

    1. Jack of Shadows Silver badge
      Thumb Down

      Re: Microsoft says...

      My least secure password is the one Bank of America mandates which is much less than that.

    2. bombastic bob Silver badge
      Trollface

      Re: Microsoft says...

      would the obligatory reference to 'correct horse battery staple' be of any help?

      1. Doctor Syntax Silver badge

        Re: Microsoft says...

        "would the obligatory reference ... help?"

        No.

  4. Olius

    Good password selection

    I'm curious to know if I'm the only person who recommends people use memorable songs to generate passwords - either by taking the first character of each word in a line from the song to generate a seemingly random but very memorable password, or better (if the system in question allows) by using a whole line/lyric as a very long passphrase?

    1. Destroy All Monsters Silver badge

      Re: Good password selection

      No, this is likely to be caught by extensive dictionary tries.

      Use shocking nonsense instead:

      passphrase-faq.html

      but:

      passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices

      And also:

      how-linkedins-password-sloppiness-hurts-us-all

      where a commenter says:

      Now the fine prints:

      Use a different randomly generated password for each service.

      Use a password manager for most of your password.

      For the handful of important services (banking, main e-mail...) use:

      -> unique passwords

      -> use systems with limited number of trials (timers and so on)

      -> use multifactor authentication

      1. Olius

        Re: Good password selection

        Hmm, very interesting - thanks for the links! :-)

      2. James O'Shea Silver badge

        Re: Good password selection

        Pah. just pick a good phrase. And use an uncommon language. Hmmm...

        'Give me ramming speed'. In Latin. With a deliberate misspelling or two. Give that dictionary a nice workout. Especially as it won't have entries for the misspelled words.

    2. thondwe

      Re: Good password selection

      Trouble with many publicly stated algorithms for generating passwords is that...

      a) Hackers will know these and be able to generate them - add a bit of social engineering - e.g. facebook + favorited bands + "I use song lyrics...", whose family/friends copy the idea...

      b) More people use the same method to generate the same passwords which then end up in the hackers database from a breach...

      OK some of these ideas can generate large numbers of variants, but you need to keep the method secret - so your per service password is unique to you AND the service.

      I'm not saying I use Latin phrases from the Aeneid.

      1. Pompous Git Silver badge

        Re: Good password selection

        Presumably because you use Publius Porcius Poeta's Pugna Porcorum.

    3. bpfh Bronze badge

      Re: Good password selection

      Yep. One whole verse of a certain pub singer's song to open my password manager. All are randomly generated 20+ alphanumerical character passwords except for the social security web access that is limited to 10 numbers :(

  5. Chris Miller

    Can we look forward to a revamped version of BackOrifice?

    1. Anonymous Coward Silver badge
      Mushroom

      I'm going for a curry tonight, so mine will probably be revamped in the morning...

      1. Sir Runcible Spoon Silver badge
        Joke

        "I'm going for a curry tonight, so mine will probably be revamped in the morning"

        Let me guess - omfgmaiof!!

      2. ZSn

        Cold toilet paper

        Nothing like leaving a roll of toilet paper in the fridge to make it nice and soothing for the next morning.

        1. JammyGit

          Re: Cold toilet paper

          Baby wipes are very soothing after a vindaloo

      3. GitMeMyShootinIrons

        It burns, burns, burns...

        Token Ring of fire.

  6. Area52

    Pronounceable Passwords

    "Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall."

    Another option is Orthographic Passwords

    https://nousrandom.net/passwordmaker/orthgraphicpasswords.html

    or password creators that use almost all words, not just a few thousand words like some sites use.

    https://nousrandom.net/passwordmaker/wordpasswords.html

    1. alain williams Silver badge

      Re: Pronounceable Passwords

      These might generate good passwords, but should you use them: No.

      A password is something that should only be known to you; someone telling you a password means that that someone knows your password. If I were NSA/GCHQ/BlackHatCracker I would create a web site like this and wait until someone who I wanted to infiltrate used it ...

      If the source were available and I could download and run it (privately) on my own machine, I might use it.

      1. Area52

        Re: Pronounceable Passwords

        The site is still in beta testing. The plan is to have a set of client side utilities that can be used on your own system.

  7. Duncan Macdonald Silver badge

    Car reg + serial number

    In the UK at least the combination of a neighbour's car number and the model number on a bit of equipment is likely to be secure and yet still easy to use.

    An example (not one that I use!!!)

    S357HGKAOA110Ab where S357HGK is a car registration number and AOA110Ab is the model number of a netbook.

    (The car reg number above is a made up number - I do not know if it is still in use.)

    1. monty75

      Re: Car reg + serial number

      "That's amazing. I've got the same combination on my luggage."

  8. chuckufarley
    Coat

    On my notebook...

    ...which runs LinuxMint 18 I set up session based two factor authentication with Google Authenticator. It was very simple: just install GA and edit two files in /etc/pam.d and then scan the QR code with my phone. I even use it on my home server as part of my SSH authentication. In fact I use 2FA on every website and online service that supports it. Which is not nearly enough.

    I can't help but wonder why there are not more FOSS 2FA solutions for windows and the Internet as a whole. It would solve a lot of problems. So many that El Reg might have a significant drop in stories about security breaches.

  9. Joe Harrison Silver badge

    It said I needed to have eight characters for my password

    So I chose Snow White and the seven dwarves

  10. Real Ale is Best
    Joke

    It won't be long before L0phtcrack will be faster than Windows' own password authentication code...

  11. JammyGit

    I'm now running L0phtCrack on my PC to see if it can crack my 13 digit password with caps, numbers and punctuation

  12. JammyGit

    Errm, just a thought, how are Windows 10 PINs stored? A 4 digit PIN will have no chance against a brute force.

    1. TheVogon Silver badge

      "A 4 digit PIN will have no chance against a brute force."

      The 4 digit PIN only protects the basic local PC login - not your online Microsoft account, etc.

      The idea being that a basic level of password protection that only gives minimal access is better than a slightly better level of password protection that gives you the keys to the kingdom...

  13. Jonathan 27 Bronze badge

    SHA-512 isn't really a good option to move to either. Yes, it's a bit more complex than NTLM, but it's not anywhere near as time consuming as the algorithms designed for passwords like PBKDF2 (you can use SHA-512 as the cipher if you like) or scrypt.

    1. Joe Montana

      Linux doesn't use SHA512 directly, it uses a salted hashing algorithm which is based on SHA512...

      http://man7.org/linux/man-pages/man3/crypt.3.html

      See under "glibc notes"

      1. Jonathan 27 Bronze badge

        What did I say about Linux? But since you brought it up, I might as well pick apart that man page. Salting is industry standard practice; if it wasn't salting the password it would be an issue. You don't get extra points for doing things that are standard practice, you lose them for not doing them.

        So, to follow that up. SHA512 is better than NTLM, but if Microsoft is going to change to a new hash, they should go for best in class and not just the trailing edge of what's considered passable today.

  14. Juan Inamillion

    Yep, vehicle reg works for me too

    Especially from vehicles (not just cars) that I no longer own. Plus, I can remember my dad's registration on a car he used to have until about 1960 (I have a weird memory sometimes).

    Using two together and occasionally swapping them round is good.

    1. Pompous Git Silver badge

      Re: Yep, vehicle reg works for me too

      Plus, I can remember my dad's registration on a car he used to have until about 1960.

      We had a Morris Minor van back then... YRW379.

    2. Wensleydale Cheese Silver badge

      Re: Yep, vehicle reg works for me too

      "I can remember my dad's registration on car he used to have until about 1960"

      I can remember that and those of the next two.

      Beware someone digitising old family photos and putting them online. Details of more recent vehicles may be lurking in insurance or similar databases.

  15. J J Carter Silver badge
    Childcatcher

    Get with the times!

    I use a biometric, but getting out your wing-wang to place over the sensor can cause raised eyebrows.

    1. Pompous Git Silver badge
      Paris Hilton

      Re: Get with the times!

      getting out your wing-wang to place over the sensor can cause raised eyebrows.

      No doubt some arousal involved in this for you J J.

  16. Anonymous Coward

    Has the image at the top been shamelessly misappropriated from an episode of Zero Punctuation? Didn't realise El Reg had such good taste.

  17. JeffyPoooh Silver badge
    Pint

    Please pass the self-salt...

    What if the input script accepted the new password (PW$), and then created a salted repeated-password string like this:

    SaltedPW$ = Salt0$ + PW$ + Salt1$ + PW$ + Salt2$ + PW$ + Salt3$ + PW$ + Salt4$

    Then send that away for hashing and storage.

    The human user only needs to remember their wee little PW$.

    Signing In uses the same concatenation technique, before the hash comparison.

    But the Crackers with the stolen hash file need to de-hash these SaltedPW$ monsters. Yeah, good luck.

    I hope that this helps.
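The "self-salt" scheme above and Jonathan 27's earlier point about PBKDF2 versus a single SHA-512 pass are really the same design question, so one added example covers both; it is mine, not code from the thread or from L0phtCrack. It implements JeffyPoooh's concatenation literally (Salt0$ + PW$ + Salt1$ + PW$ + Salt2$ + PW$ + Salt3$ + PW$ + Salt4$, then SHA-512) beside a per-user-salt PBKDF2-HMAC-SHA512 record, and measures two things a defender cares about: whether two accounts with the same password produce the same stored value, and how many guesses of one scheme fit in the time of one derivation of the other. The Salt0$..Salt4$ values, the user table and the 200,000-iteration work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-ins for Salt0$ .. Salt4$ from the post. Every account shares
# them, so they act as one fixed pepper string, not as a per-user salt.
FIXED_SALTS = [b"s0:", b":s1:", b":s2:", b":s3:", b":s4"]
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the comparison


def self_salted_hash(password: str) -> str:
    """SHA-512 over Salt0$ + PW$ + Salt1$ + PW$ + Salt2$ + PW$ + Salt3$ + PW$ + Salt4$."""
    pw = password.encode("utf-8")
    material = FIXED_SALTS[0] + b"".join(pw + s for s in FIXED_SALTS[1:])
    return hashlib.sha512(material).hexdigest()


def pbkdf2_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA512; returns (salt, derived key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, key)


def reuse_visible(stored: list[str]) -> bool:
    """True if any two stored values are equal, i.e. password reuse shows in the file."""
    return len(set(stored)) < len(stored)


def cost_ratio(password: str = "hunter2", samples: int = 200) -> float:
    """How many self-salted SHA-512 evaluations fit in the time of one PBKDF2 derivation."""
    start = time.perf_counter()
    for _ in range(samples):
        self_salted_hash(password)
    fast = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
    slow = time.perf_counter() - start
    return slow / fast


def demo() -> dict:
    """Constructed user table in which two users happen to share a password."""
    passwords = {"alice": "hunter2", "bob": "hunter2",
                 "carol": "correct horse battery staple"}
    self_salted = [self_salted_hash(p) for p in passwords.values()]
    pbkdf2 = [pbkdf2_record(p)[1].hex() for p in passwords.values()]
    return {
        "self_salted_reuse_visible": reuse_visible(self_salted),
        "pbkdf2_reuse_visible": reuse_visible(pbkdf2),
        "guesses_per_pbkdf2_derivation": round(cost_ratio()),
    }


if __name__ == "__main__":
    print(demo())
```

The first flag comes out True and the second False: with fixed strings, alice and bob store identical values, so a stolen file reveals the reuse before any guessing starts, while random per-user salts hide it. The cost ratio shows the other half: once the script holding Salt0$..Salt4$ is in hand (it ships with the login code, so it usually is), each guess costs one SHA-512, whereas the PBKDF2 record costs 200,000 of them per guess and cannot be precomputed across users.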


Biting the hand that feeds IT © 1998–2019