==== 1. News and Views ==== by Paul Thurrott, [EMAIL PROTECTED] Researchers Crack Windows Passwords in Seconds
Swiss researchers have developed a password-cracking scheme, based on a method first developed in 1980, that lets them crack most Windows passwords in about 13 seconds (the original method takes more than a minute and a half longer). The scheme enforces a growing concern in the security community that the way in which Microsoft encodes passwords in Windows is inherently weak, opening the door for cracking programs to use brute-force methods to test and break passwords. Philippe Oechslin, one of the Swiss researchers, recently published an online paper, "Making a Faster Cryptanalytic Time-Memory Trade-Off," which highlights the new password-cracking scheme. Oechslin will present the paper in August at Crypto 2003, an international cryptology conference held this year at the University of California, Santa Barbara and organized by the International Association for Cryptologic Research (IACR) in cooperation with the IEEE Computer Society Technical Committee on Security and Privacy. "As an example, we have implemented an attack on MS-Windows password hashes," the researchers write. "Using 1.4GB of data (two CD-ROMs) we can crack 99.9 percent of all alphanumerical passwords hashes ... in 13.6 seconds whereas it takes 101 seconds with the current approach using distinguished points. We show that the gain could be even much higher depending on the parameters used." Oddly, the researchers weren't interested in cracking Windows passwords but rather were trying to demonstrate the previous theoretical cryptanalytic time-memory trade-off technique. They note that Microsoft's passwords are weak because, when encrypted, they don't include any random information. Thus, the same password on two Windows machines will always be the same when encrypted, which makes breaking the password encryption much easier than if the passwords were randomized. Although generating more secure passwords by using nonalphanumeric characters and other special characters is possible, the researchers say that even this approach won't solve the inherent problem in Windows because all they'd need is more time or a larger data set (or both) to crack those passwords as well. Instead, Microsoft will have to fix this feature to encrypt passwords with random information, the researchers say. -- Best regards, CanonBall mail to: [EMAIL PROTECTED] Encourage bacteria: it's the only culture some people have! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html