The NT passwords you see being solved in parts are due to an interesting (meaning stupid, IMNSHO) decision made in how the passwords are delivered. Each password is padded out to 14 characters, and passed as two 7-character segments. Because of this, l0phtcrack can break each part seperately. I believe there is also information in the segments which indicate the total size of the password, but I haven't looked at NT password issues in a long time. The problem with this is, usually if you have one half of the password, you have a good idea of what to try for the other half. If you get two halves as:
ElvisPr ??????? And you know the password is 12 characters, you've got a real good shot at guessing it after having only cracked a 7 character password, don't you? In other words, those 5 extra characters didn't gain this user anything. That is why you'll hear a lot of security experts tell you to use 7 or 14 character passwords on Windows networks, and don't bother with anything else. Randy Graham -----Original Message----- From: netsec novice [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 25, 2002 6:13 PM To: [EMAIL PROTECTED] Subject: password cracking I recently began using Lopht to do password cracking on our own network in order to enforce our password standards. In watching the process, I now have questions regarding how the cracking works. I understand basic dictionary and even brute force methods. What I'm confused about is how Lopht can determine individual characters without cracking the entire password. IE. ?????9pass I should mention that this is auditing an NT system. My best analogy is a wall safe vs. a key? I would think that the only way the password could be cracked would be to input the entire string(key) and see if it opened the door. It appears though that it is treating the password as individual characters and cracking one at a time like a combination lock. Can someone help me clear my fog on this issue? Thanks in advance... _________________________________________________________________ Join the world's largest e-mail service with MSN Hotmail. http://www.hotmail.com
