Windows Password Flaw Revealed
In the snap of a finger, or a blink of an eye, your Windows password could be cracked. Swiss researchers have published a paper citing a weakness in Windows encryption allowing passwords to be revealed in an average of 13.6 seconds.
Most security experts recommend alphanumeric passwords for enhanced security. Despite even having following this precaution, users of Microsoft Windows are at risk due to the security designs of the operating system.
Alternatives such as Unix, Linux/GNU, and Macs have utilized a well-known component dubbed “salt” as their password hashes for years – these containing up to 4,096 values. Windows does not, instead relying on aging 7-bit LANMan and more recent NTHASHmaking hashes – making a brute force attack’s look-up time less of a chore.
Resurrecting a decades old year old computer science theorem, Philippe Oechslin, a fellow of the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL) dreamed up pre-calculated lookup tables to assist in breaking passwords encoded with Windows.
As a result of these tables, fewer calculations need to be performed by an attacker’s machine. Termed “time-memory trade-off”, the more memory attacker posses; the faster the attack.
The following text is cited from the paper:
"As an example we have implemented an attack on Windows password hashes. Using 1.4 GB of data we can crack 99.9 percent of all alphanumerical passwords hashes in 13.6 seconds, whereas it takes 101 seconds with the current approach using distinguished points."
An AMD Athlon XP 2500+ processor with 1.5 GB of RAM executed the test.
The researchers were so sure of their findings that they crafted a Webpage to publicly demonstrate the flaw. After receiving a queued request, the site eventually lists the corresponding email, hash and password. Although each user is permitted to crack only one password, the queue had to be toned down due to overwhelming demand.
Administrative access and special applications are needed to pull up the password in its raw form, making the site something less of a public spectacle. However, it has made the folks a Redmond a bit flushed.
Oechslin did not feel the need to contact the software giant with his findings since it is well known that Microsoft does not use “salt”. Microsoft was not reached for comment, and prefers to work in cohesion with third parties in the event of any security breach.
In the meantime, users can add symbols into their password mix.