Posted by: kurtsh | September 5, 2006

VIDEO: How Windows password crackers work

A lot of hoopla has been made over a video that was recently produced and placed on the Internet describing how to crack Windows passwords, or more specifically, how to use L0phtcrack.  (If you haven’t seen the thing, I’ve posted it here.)

WHAT IS ALL OF THIS?
L0phtcrack originated as an old NT password cracking tool created by a couple of hackers who discovered that by attacking the password hashes stored in the Security Account Manager database (aka the SAM) of a Windows NT kernel-based machine, a person can crack virtually any password in the local user database with enough time and enough CPU.  The hashes themselves are never reversed; the tool guesses candidate passwords (from a dictionary, or by brute force), hashes each guess the same way Windows does, and compares the result against the copied hashes.  Early versions of the tool required that the attacker have either physical access to the machine to copy the SAM database file off of it, or administrative access to the SAM database over the network so that one could again copy the hashes, then run L0phtcrack on them on their own time on their own machine.  Newer versions, I believe, allowed a person to monitor the network traffic going back and forth between the machine and other servers and take advantage of weaknesses in the NTLM authentication protocol to essentially do the same thing.

IT’S NO BIG DEAL.
In a nutshell, if folks never actually get their hands on your laptop or don’t have physical access to your desktop, you don’t have much to worry about, because you’re pretty much protected.  In order to do all of this, a person needs either to boot up another operating system on your machine to copy off the SAM database file (a running Windows keeps that file locked) or to already hold administrator rights on it, and that’s not something they can normally do without physical access to your workstation.  The network-sniffing variant mentioned above still requires the attacker to be on your network in a position to see your traffic.

If the people you’re worried about DO have physical access to your workstation, there’s an old adage in the security industry:  Don’t do that.  Giving physical access to your PC to people you don’t trust is like giving them the codes to deactivate the security alarm on your home: after they’ve disabled the alarms, it’s just a matter of picking the lock on the front door.  There’s really no commercially available operating system out there that isn’t crackable through brute force techniques when people have physical access to the machine being attacked, unless the disk itself is encrypted (which is what the next paragraph is about).  Not Macintosh.  Not Linux.  Not UNIX.

For the record, the vulnerability of data on mobile PCs like laptops has not gone unnoticed by Microsoft.  Windows Vista will be the first Windows release to take advantage of the Trusted Platform Module (TPM) chip shipping on this coming generation of PCs & laptops.  Among other things, the TPM lets the operating system encrypt the entire hard drive and keep the encryption key sealed inside the chip, released only when the machine boots its expected, unmodified software stack.  The bottom line is that even if the laptop is stolen, pulling the drive and reading it from another machine yields only ciphertext, and the data can’t be decrypted using simple brute force techniques.

TPM chips are only available on the latest workstations & laptops and the only Windows operating system that takes advantage of this technology is Windows Vista.

HOW TO PROTECT YOURSELF FROM PASSWORD HACKING
The net net, however, is that it’s relatively easy to "protect" oneself from these sorts of attacks.

  1. DON’T LET PEOPLE GET PHYSICAL ACCESS TO YOUR MACHINE
    It sounds lame, but any computer physically accessible by people, without specific commercially available protective security software and special configuration "hardening", is usually vulnerable to password cracking.   Examples of this security software include some rather expensive packages from PointSec or, for a much less expensive solution, Windows Vista’s built-in BitLocker technology.  Examples of hardening techniques include removing all removable media drives & access points like USB ports, floppy drives, serial ports, CDROM drives, etc., and enabling a power-on password and a BIOS password (so that the boot order can’t be changed to boot from another device).

    – The easiest solution is to simply use Windows Vista Enterprise or Ultimate (the editions that include BitLocker Drive Encryption) on your PC or laptop and encrypt the whole system volume.  BitLocker ties the disk key to the TPM, optionally plus a PIN or a USB startup key, rather than to your Windows password, so an offline copy of the SAM is just more ciphertext.

    – If you use a desktop PC with Windows XP, keep the computer casing locked, the physical unit secured to a table (so that someone couldn’t walk off with it at night), and set a power-on password and BIOS password to prevent people from booting up from your CDROM, floppy drive, or USB port (or simply remove the drives and ports from your machine if you don’t need them).  Additionally, use Windows XP Professional’s EFS file & directory encryption to encrypt the data in your My Documents folder to protect your personal information.  Keep in mind that your EFS keys are protected by your logon password, so EFS is only as strong as that password: someone who cracks the password from a copied SAM can also recover your EFS files, which is one more reason for the password advice below.

    – If you use a laptop PC with Windows XP, consider the same practices as a desktop user and consider implementing a 3rd party drive level encryption technology.  Be aware that these products often cost $500 or more and won’t really be as necessary when Windows Vista is released and available since Windows Vista will have the technology built into it.

    …and if you don’t have Windows XP Professional and have something else, you need to upgrade first before you do anything else, because your version of Windows is either out of support or going out of support, meaning no more security patches, no more stability fixes, and no more software being written for it.  i.e. you’ve got bigger problems.

  2. USE DOMAIN ACCOUNTS & PASSWORDS
    This stuff only works against user accounts whose password hashes are stored locally on the machine.  If you log on with a domain account on a corporate network with Active Directory, L0phtcrack does nothing to hack your account from a copied SAM, because your password hash lives on the domain controllers, not on the local computer.  Two caveats: the local accounts (the built-in Administrator in particular) are still in the SAM and still need a strong password, and by default Windows caches a verifier of the last several domain logons so you can log on while disconnected; that cache is a different, salted format that the SAM tools don’t read, but it is still on the disk, so the physical-access advice above still applies.
  3. USE SYSKEY 128-BIT SAM ENCRYPTION
    Syskey encrypts the password hashes in the SAM database with a 128-bit key (it has been on by default since Windows 2000), so a copied SAM file by itself is useless to tools like L0phtcrack.  The catch is that in the default mode the key is stored, obfuscated, in the registry’s SYSTEM hive on the same disk, and an attacker who copies both hives can recover it; Syskey only protects an offline copy when you choose the mode that stores the key on a floppy disk or derives it from a startup password typed at boot.  Basically, just read this article for the how & the why:
    http://support.microsoft.com/kb/310105/en-us
  4. USE A 14 CHARACTER PASSWORD
    The usage of a 14-character (or longer) password is encouraged as the most secure way of protecting your user account & good name.  The reason for "14": alongside the NT hash, Windows XP and earlier store a legacy LM hash that uppercases the password and splits it into two 7-character halves, each of which is cracked on its own in hours, so anything shorter than 14 characters leaves one half short or empty.  Going one step further helps even more: a password of 15 or more characters can’t be represented as an LM hash at all, so Windows stores none, and the remaining NT hash is case-sensitive and covers the whole password.  (The same effect can be forced for every password via the security policy "Network security: Do not store LAN Manager hash value on next password change".)  That assumes that you also… (see #5)
  5. USE NON-ALPHANUMERIC CHARACTERS, UPPER CASE, LOWER CASE, and A NUMBER IN YOUR PASSWORD
    For example, "MyPa$swordIs9ood" would be an excellent example of a password that is 14 or more characters long (16, in this case), contains a non-alphanumeric character ($), contains both upper and lower case characters ("M", "w"), and contains a number (9).  One caution: crackers apply "mangling" rules that try exactly these substitutions ($ for s, 9 for g) against dictionary words, so a disguised word is not as strong as its character mix suggests; length, and words that aren’t in any dictionary, matter more than clever substitutions.
