A Swiss researcher has developed a technique that can break a Windows password in a matter of seconds. Standard approaches used by hackers can take several hours.
Philippe Oechslin, a lecturer and senior researcher at EPFL, the Swiss Federal Institute of Technology, used a technique known as advanced time-memory trade-off to crack Windows passwords. The technique relies on the fact that the seed data used to encrypt all passwords on a Windows server is not random. As a result, Oechslin claimed, he was able to build a table of passwords in advance.
On a typical network, users' passwords are checked against a single password table stored on a Windows server. The password file is normally only available to system administrators. But if a hacker can gain access to the server and crack the password table, they can gain access to all the information on the network.
As it would take terabytes of storage to generate all possible passwords, Oechslin has found a way to reduce the storage overhead. As a result, he said, he was able to crack a Windows password table in five seconds using a PC configured with a 2.5 gigahertz Athlon processor and 1.5 gigabytes of memory.
Security experts have been astonished by the speed of the password technique used by Oechslin. DK Matai, executive director at security consultancy mi2g, said, "I'm impressed by the timescales. This is testimony to the processing power available today: hackers no longer need to rely on millions of pounds of computer power to crack encrypted passwords."
Richard Brain, technical director at independent security specialist Procheckup, said, "This is much faster than L0pht, the popular password cracking program used by hackers, which would take from a couple of hours to a couple of days to break a password file. It is about time Microsoft started to employ experts in crypto-analysis."
While access to the password file is only available to users who have system administration privileges on Windows, Brain said that a hacker could use a known exploit to break into an unpatched Windows server to gain system-wide access.
Once access to the server had been achieved, Brain said, "The hacker could then run the Windows rdisk utility remotely to create an up-to-date copy of the password file. It would then be possible to use Oechslin's password cracking technique to discover all the system passwords for the server."