Either choose strong passwords, or don't bother with a password at all

by Adrian Kingsley-Hughes  |  May 30, 2008 11:23am PDT

Ophcrack cracking Windows Vista

RE: (Either choose strong passwords, or don't bother with a password at all)
ShannaS Updated - 26th May 2010
Either create a password on your own or go to aafter.com and ask for a stronger password by typing password: in AAfter's search box and then pressing enter.
0 Votes
Your black page was cropped
BALTHOR 30th May 2008
I suspect that passwords might be a BIOS function. Any and all passwords would be stored in the BIOS. To find a password this software would need to be installed and that's for the Administrator only. This could even be an IBM or military program.
0 Votes
Reveal yourself!
CreepinJesus 2nd Jun 2008
What were the passwords that it couldn't hack?
0 Votes
Dudes, get real!
Raymond Danner Updated - 2nd Jun 2008
There's no need for us to know the passwords it couldn't find. Obviously, they were strong enough to resist the methods used. That's all we really need to know.

There are simple rules for making strong passwords.

1. A strong password preferably has uppercase, lowercase, numbers (and optionally, if all clients support it, punctuation.) An extremely strong one will include symbols (for example: {}()[]) as well, but may not work if you're trying to connect your printer to your secured wireless network with a password.

2. A strong password does not contain any words. (though it IS possible to construct a strong password with words in it)

3. Weak passwords include those with all digits, or either digits or letters in sequence. (like, duh?) (for example: 0123456789 is a weak password, even though it's ten characters, as is "abcdefghij".)

4. More than eight characters is more than a good idea. Each additional character past eight in length makes it much more difficult to crack.

5. There are simple ways to create mnemonics for your strong password, but be consistent so you don't confuse yourself.

General no-no's on passwords:
1. Writing them down on Post-It notes that you then scatter around.

2. Giving them out.

3. Using your birth date.

4. Your spouse's name is also not a good one. Nor is your own. (but this one was proven by the article)

Need I go on? Probably not, since most IT Pros have this knowledge in their heads anyway. (but the last four points should be common sense.)
0 Votes
Not all that
mike@... 2nd Jun 2008
There are limits to the passwords that it will check. Looks like the free version might not check punctuation characters, and there might be limits on the length that it checks. You can buy tables that will also check punctuation, but these definitely have length restrictions:

# XP special

These tables are generally useful on almost all Windows machines except those where LMhash has been disabled (e.g. Vista).

It contains 96% of passwords of length 1 to 14 made of the following characters:

* 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)

# Vista special

NT hashes need to be cracked when the weaker LM hash has been disabled. This can be done for security reasons and is the default setting for Windows Vista.

It contains 99% of passwords made of the following characters:

* length 1 to 6: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ (space included)
* length 7: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
* length 8: 0123456789abcdefghijklmnopqrstuvwxyz
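
An added example (not from the article, the commenters or the Ophcrack project): a scope check for the "Vista special" tiers quoted in the comment above, with the keyspace arithmetic behind the length limits. It assumes the punctuation list is the full ASCII punctuation set plus space; the function names and sample passwords are hypothetical.

```python
import string

# Character sets from the quoted "Vista special" description. Assumption:
# the punctuation list is the full ASCII punctuation set plus space.
LOWER_DIGITS = string.digits + string.ascii_lowercase      # 36 symbols
ALNUM = LOWER_DIGITS + string.ascii_uppercase              # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "               # 95 symbols

# Quoted tiers: password length -> characters the table was built over.
VISTA_SPECIAL = {n: PRINTABLE for n in range(1, 7)}
VISTA_SPECIAL[7] = ALNUM
VISTA_SPECIAL[8] = LOWER_DIGITS


def table_keyspace(tiers=VISTA_SPECIAL):
    """Total number of candidate passwords spanned by the tiers."""
    return sum(len(charset) ** length for length, charset in tiers.items())


def in_table_scope(password, tiers=VISTA_SPECIAL):
    """True if length and characters both fall inside a tier.

    In scope means the table was built over that space (the quote claims
    99% coverage of it), not that the password is certainly recovered.
    """
    charset = tiers.get(len(password))
    return charset is not None and set(password) <= set(charset)


def audit(passwords):
    """Map each sample password to its in-scope verdict."""
    return {pw: in_table_scope(pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the article.
    samples = ["p@ss1", "Summer7", "Summer!", "passw0rd", "Passw0rd", "x7#Kq9!vT2"]
    for pw, hit in audit(samples).items():
        print(f"{pw!r:14} {'in scope' if hit else 'out of scope'}")
    total = table_keyspace()
    print(f"table keyspace: {total:,}")
    # One more character multiplies the space by the charset size.
    for n in (8, 9, 10):
        print(f"{n} printable chars: {95 ** n / total:,.0f}x the whole table")
```
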
Personally I don't use passwords or a firewall or anti-virus software on my internet machine. There is nothing to be had on this computer. As far as email, I don't keep anything there either. I also never use my real name or any real information on my email accounts. So if it gets hacked, no big deal to me. Been through that a time or two. If my machine gets trashed from a bug I just reload it, been through that as well.

Strangely enough, trying to d/l ophcrack from sourceforge.net makes avast ring its alarms... anyone know if this is a false positive or what??