This is from Woody's Windows Watch newsletter:
Fast Cracking Windows XP Passwords
No doubt you've read about the researchers who found a way to crack Windows
passwords at a breathtaking rate.
CNET's Robert Lemos ran the original story last week. I've seen the results
mangled by the press in several places, so permit me to recap. Philippe
Oechslin at the Ecole Polytechnique Federale de Lausanne refined a very fast
method for cracking certain kinds of alphanumeric passwords. His method
works by using two CDs' worth of data to help speed up the cracking
calculations: by using what amount to pre-digested calculations, his new
method runs rings around earlier crackers.
Windows passwords are particularly vulnerable to this pre-digesting trick
because Windows always encodes passwords the same way, on any PC. That isn't
news to anyone who understands the details of Windows' password encryption
technique, but it permitted Dr. Oechslin to come up with a whole bunch of
pre-digested (portions of) passwords that will work on any PC. Worth noting:
Linux "salts" each password, so the encoding comes up different on different
machines. That makes it impossible to come up with this kind of pre-digested
list.
Luca Wullschleger and Claude Hochreutiner, also at EPFL, wrote a program and
a Web interface http://lasecpc13.epfl.ch/ntcrack/ to show just how well Dr.
Oechslin's method works. As we went to press, the demo program cracked about
half of the passwords that people fed into it. On average, it took 7.7
seconds to crack each one. (My 12-character test password was cracked in
less than three seconds.) The demo was so popular that Luca and Claude
pulled it from the Web site - 1,000,000 hits in a week.
At this moment, Dr. Oechslin's program only works with alphanumeric
passwords - if you use punctuation marks (as I strongly recommend in my
books), your chances of being cracked quickly go down significantly. For
now. But it's only a matter of time before someone comes up with a big
collection of pre-digested passwords that include punctuation marks -
assuming it hasn't been done already.
This isn't a gaping security hole in Windows. In order to reconstitute the
original password, you have to be able to get at the encrypted version of
the password, and that (generally) isn't easy - anyone who can get at the
encrypted version of the password can get at your data anyway, and they can
decrypt the data at leisure.
But it should serve as a wake-up call. Windows passwords aren't
ultra-secure. They can be broken - with ease, in some cases. You can make a
potential breaker's job considerably more difficult by putting punctuation
marks in your passwords. If you need very strong security, Windows logon
passwords just don't cut the mustard.
-kw
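As an added illustration of the salting point made above (this is not code from the newsletter, nor from Dr. Oechslin's work), the following Python uses SHA-256 as a stand-in for the Windows hash, with a constructed candidate list and two constructed per-machine salts, to show why one precomputed table works against every unsalted store but has to be rebuilt for each salt:

```python
import hashlib
from typing import Dict, Iterable, Optional

# Assumption: SHA-256 stands in for the password hash. The real Windows
# hash algorithm is not implemented here; only the salted/unsalted
# contrast matters for the article's argument.
def unsalted_hash(password: str) -> str:
    """Same password -> same digest on every machine (no salt)."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Same password -> different digest whenever the salt differs."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(candidates: Iterable[str], salt: Optional[bytes] = None) -> Dict[str, str]:
    """Precompute digest -> password once: the 'pre-digested' list."""
    if salt is None:
        return {unsalted_hash(p): p for p in candidates}
    return {salted_hash(p, salt): p for p in candidates}

def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Recover the password from the digest if the table covers it."""
    return table.get(digest)

# Constructed candidate list standing in for the alphanumeric search space.
CANDIDATES = ["letmein1", "passw0rd", "Summer2003", "qwerty", "hunter2"]

def demo():
    table = build_table(CANDIDATES)  # built once, usable against any PC
    # Two different PCs storing the same unsalted password hold the same
    # digest, so the single precomputed table recovers it on both.
    pc1 = unsalted_hash("Summer2003")
    pc2 = unsalted_hash("Summer2003")
    unsalted_hits = (lookup(table, pc1), lookup(table, pc2))
    # With per-machine salts (constructed values), the same password gives
    # different digests; a table built for one salt finds nothing against
    # the other, and the unsalted table finds nothing at all.
    salt_a, salt_b = b"pc-1-salt", b"pc-2-salt"
    digest_a = salted_hash("Summer2003", salt_a)
    digest_b = salted_hash("Summer2003", salt_b)
    table_a = build_table(CANDIDATES, salt_a)
    salted_hits = (lookup(table_a, digest_a),
                   lookup(table_a, digest_b),
                   lookup(table, digest_a))
    return unsalted_hits, salted_hits

if __name__ == "__main__":
    print(demo())
```

The cost of the salted case is the point: an attacker must redo the whole precomputation for every distinct salt, which is exactly what the unsalted Windows scheme spares them.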