Last week, Swiss security researchers announced that they'd found a way to crack alphanumeric passwords stored on Microsoft Windows computers in a mere 13 seconds, down from the previous average of 101 seconds.
This is significant because it means that ordinary desktop computers can now crack passwords once thought invincible. The news is also important because it puts all Windows users at greater risk of having their passwords cracked and their systems broken into. Unfortunately, unless Microsoft changes the way Windows handles passwords, there's no easy way to protect yourself.
How Windows stores passwords
To understand what the researchers accomplished, you need to understand the basics of how passwords work. Once you type your password into your computer, it's run through an algorithm that generates a value called a hash. Those algorithms are designed so that, in practice, no two passwords result in the same hash and so that the hash cannot simply be run backwards to recover the password. Once created, hash values are encrypted and stored on your hard drive. Only if you type your exact password will it produce a matching hash value and give you access to your system.
Swiss researchers found a faster way to conduct brute-force attacks.
Malicious users can try to ascertain your password from this hash value using something known as a brute-force attack. This basically means trying every possible password, hashing each guess, until one produces a hash that matches the stored value. The greater the processing power of a computer, the more quickly it can get a match.
What the Swiss researchers found is a faster way to conduct brute-force attacks. In doing so, they made it possible for even slower systems to crack a password in a reasonable amount of time.
The current method of cracking, which the Swiss improved upon, requires the identification of distinguishing points within encrypted hashes, such as a block of zeros. Instead of looking for those points and then guessing the hash, the Swiss researchers use preexisting, precomputed hash tables, which in this case can be up to 1.4GB in size, to crack the Windows passwords.
Unix, Linux, and Mac OS X have stronger passwords
With a computer that has more memory, and thus the ability to generate larger data tables, the team suggests they could also use their method to crack Unix, Linux, and Mac OS X passwords. Such a feat, however, would take more time than with Windows passwords.
Why? Because Unix, Linux, and Mac OS X all use a 12-bit random variable called "salt" in their password schemes. It takes longer to crack a hash value with salt added, because that 12-bit variable generates 4,096 more variations to guess. Windows passwords, however, don't have such a random variable. Why Microsoft didn't include one in the password scheme for the latest versions of Windows is a mystery.
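To make the hashing and salting described above concrete, here is an added example (not code from the article or from the researchers) that uses SHA-256 over a deliberately tiny constructed password space. It shows why an unsalted scheme lets an attacker precompute one lookup table that works against every user's hash, and why the 12-bit salt the article mentions multiplies the precomputation an attacker needs by 4,096. The password alphabet, length, and the way the salt is mixed in are assumptions chosen for the demonstration, not a description of any real operating system's password format.

```python
import hashlib
import secrets
from itertools import product

# Constructed password space: lowercase letters, length 3 (17,576 candidates),
# kept tiny so the precomputed table builds in well under a second.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PASSWORD_LENGTH = 3

SALT_BITS = 12            # the salt size the article attributes to Unix-style schemes
SALT_SPACE = 2 ** SALT_BITS   # 4,096 possible salt values


def hash_unsalted(password: str) -> str:
    """Unsalted: the same password always yields the same hash, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: int) -> str:
    """Salted: the salt (stored beside the hash, not secret) is mixed in before hashing."""
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute hash -> password for every candidate once, ahead of any attack.

    Against an unsalted scheme this single table answers every lookup instantly;
    this is the 'preexisting hash table' idea the article describes.
    """
    table = {}
    for chars in product(ALPHABET, repeat=PASSWORD_LENGTH):
        candidate = "".join(chars)
        table[hash_unsalted(candidate)] = candidate
    return table


def lookup(table: dict, stored_hash: str):
    """Return the password behind stored_hash, or None if the table has no entry."""
    return table.get(stored_hash)


def make_salted_record(password: str) -> tuple:
    """What a salted system stores for a user: (salt, hash). The salt is random per user."""
    salt = secrets.randbelow(SALT_SPACE)
    return salt, hash_salted(password, salt)


def verify_salted(record: tuple, attempt: str) -> bool:
    """Login check on a salted system: re-hash the attempt with the stored salt."""
    salt, stored_hash = record
    return hash_salted(attempt, salt) == stored_hash


def precomputation_cost() -> tuple:
    """Table entries needed: (unsalted scheme, salted scheme with 12-bit salt)."""
    candidates = len(ALPHABET) ** PASSWORD_LENGTH
    return candidates, candidates * SALT_SPACE


if __name__ == "__main__":
    table = build_lookup_table()
    print("unsalted lookup:", lookup(table, hash_unsalted("cat")))
    print("salted hash in unsalted table:", lookup(table, hash_salted("cat", 7)))
    print("table entries needed (unsalted, salted):", precomputation_cost())
```

The point to take from running it: the unsalted table recovers "cat" with a single dictionary lookup, the same table is useless against the salted hash of the same password, and covering the salted scheme would require 4,096 times as many entries, one table per possible salt. That is the extra work the article's "4,096 more variations" refers to.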
Even long passwords can be cracked.
The fact that Windows passwords can be cracked more quickly than before will directly affect anyone who uses a Windows system. Take, for instance, the common security practice of changing your password every 30 days. That may have made sense when it took malicious users more than a minute to crack a password.
But given that it now takes only 13 seconds on average, it may be wiser to change your password something like every four days. If you thought keeping track of your passwords was hard before, think of what it will be like now.
Change your passwords often
What can be done? At work, if your company uses Windows 2000 or XP, your system administrators can disable Microsoft's legacy password scheme, called LANman, by following the instructions in this Microsoft Knowledge Base article. Because this process involves editing the system Registry, I wouldn't recommend that the average home user try it. Disabling LANman won't solve the problem entirely, but it will allow you to make your passwords harder to crack by using the Alt key in passwords and by increasing their length.
Still, even long passwords can be cracked. What would really help is for Microsoft to add salt to Windows passwords so that they're harder to guess. Other OS makers have already done this. Given that it's been quite some time since Microsoft pledged to make its software and services more secure via its Trustworthy Computing initiative, I'd say this is the least we can ask of the company. Wouldn't you?
What do you think of Microsoft's security practices? Will you change your behavior now that you know how easily Windows passwords can be cracked? Why or why not? TalkBack to me.