
L0phtCrack 7 Shows Windows Passwords Easier to Crack Now Than 20 Years Ago


Batu69


Time waits for no man, and neither does L0phtCrack. Nearly 20 years after the first version of the password auditing and cracking tool was released, L0phtCrack 7, released Tuesday, shows that Windows passwords are even easier to crack now than they were in 1997.

 

L0phtCrack was the first password auditing tool released for Windows and its availability had a concrete effect on the way that Microsoft handled passwords. After its release, Microsoft abandoned the hash algorithm it had been using, known as LANMAN, and changed to NTLM instead. When L0phtCrack hit the streets in 1997, it could crack an eight-character Windows password in about 24 hours on a typical commodity PC available at the time.

 

Hardware advances and improvements in the cracking engine have made a huge dent in the time needed to recover that same eight-character alphanumeric password now.

 

“On a 2016 gaming machine, at less hardware cost, L0phtCrack 7 can crack the same passwords stored on the latest Windows 10 in 2 hours. Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT. Other OSes, such as Linux, offer much more secure password hashing, including the NSA recommended SHA-512,” the L0pht said in a post announcing the new release of L0phtCrack 7.

The password hashing algorithm that Microsoft uses, MD4, is more than 25 years old and is considered insecure. Collisions of MD4 hashes have been demonstrated many times over the years, and the algorithm was formally retired by the IETF five years ago. Chris Wysopal, one of the founding members of the L0pht hacking collective and CTO of Veracode, said Microsoft should change the hashes it uses in Windows and offer multiple options.

 

“Microsoft should do what Unix has done and offer multiple stronger hashing algorithms such as bcrypt. That alone would make Windows passwords 3 million times harder to crack than the MD4 algorithm they use,” Wysopal said.

 

“Microsoft could also make shorter passwords invalid. I would recommend 15 character passwords as a minimum if they want to stay with the MD4 algorithm. But I don’t expect this to change. They want administrators to set their own password policies. Many administrators think 8 characters requiring upper and lower case with numerics and a symbol is safe. L0phtCrack can easily demonstrate that is not true.”

 

Password cracking is done for both offensive and defensive purposes. Administrators can use tools such as L0phtCrack to audit the passwords that their users create, checking their strength and complexity. Attackers, meanwhile, often collect dumps of hashed passwords from data breaches and other compromises and crack them, knowing that people often reuse passwords on multiple sites. With the power of modern processors and tools such as L0phtCrack, password strength is perhaps more important than ever.

 

But the overall picture hasn’t changed much since 1997.

“Things haven’t improved due to backwards compatibility. Windows AD is relied on by so many systems now. Microsoft slowly deprecated the older LANMAN hash between 1997 Windows NT and Vista. Now it is completely gone but the current MD4 hash is actually weaker today than LANMAN was back when we were inspired to create L0phtCrack,” Wysopal said.

 

Article source


It's not that bcrypt is stronger; decrypting it is done slowly, which makes it stronger (takes additional time to crack).



L0phtCrack's Back! Crack Hack App Whacks Windows 10 Trash Hashes

 


 

PC Master Race rig? Get ready to crack passwords FIVE HUNDRED times faster!

 

Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven.

 

The password cracker was first released 19 years ago, gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time.

 

No new versions have been released since version six in March 2009, launched at the Source Boston conference.

 

The latest iteration sports a revamped cracking engine designed to exploit modern multi-core CPUs and GPUs, blitzing the previous version's time to crack on four-core CPUs by a factor of five.

 

Users with expensive GPUs like the AMD Radeon Pro Duo will gain a speed increase of a whopping 500 times over the previous version.

 

The increase in speed was not matched by Microsoft, which still relies on NTLM password hashing.

 

So outgunned is Microsoft that cracking is easier now than it was nearly two decades ago, when L0phtCrack first landed, according to founding former L0phtCrack team members Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko who run L0pht Holdings.

 

"[L0phtCrack's] password cracking capability forced Microsoft to make improvements to the way Windows stored password hashes," L0pht Holdings says.

 

"Microsoft eventually deprecated the weak LANMAN password hash and switched to the stronger NTLM password hash it still uses today … yet hardware and password cracking algorithms have improved greatly in the intervening years.

 

"The new release of L0phtCrack 7 demonstrates that current Windows passwords are easier to crack today than they were 18 years ago when Microsoft started making much needed password strength improvements."

 

A 1998 Pentium II 400 MHz CPU computer running version one of L0phtCrack would take a day to crack an eight-character long alphanumeric Windows NT password.

 

Today L0phtCrack 7 could do the job on a much cheaper gaming machine, busting a Windows 10 password in about two hours.

 

"Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT," the hacker outfit says.

 

"Other OSes, such as Linux, offer much more secure password hashing, including the NSA recommended SHA-512."

 

The group point to a study which found shoddy domain user passwords were the way in for most penetration testers, most of the time.

 

To that end L0phtCrack 7 is pitched as a means for admins and testers to audit Windows domain passwords to quickly find weak passwords in a few hours.

 

The revamped app also sports a shiny GUI and auditing wizard, plus scheduling, and reporting.

 

It works with all versions of Windows and supports new types of UNIX password hashes, and will work with other password importers and crackers using a plug-in feature.

 

There is not yet a consensus on password selection best practice.

 

Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall.

 

Britain's GCHQ spy agency reckons admins ought to stop punishing users with regular password resets, which studies show lead to weaker combinations being set over time.

 

Password strength meters are junk, Compound Eye developer Mark Stockley says, since they do not help against predictable and cliché logins that can be easily guessed.

 

Last month Docker's security lead Diogo Mónica (@diogomonica) rubbished the popular password choice and complexity debate, saying password managers should be used to generate and set unique jumbled credentials for all sites.

 

Source
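Both articles quote the same benchmark (an eight-character alphanumeric password exhausted in about two hours), and Wysopal's remarks about eight-character complex passwords, a 15-character minimum and a 3-million-fold bcrypt factor can be checked against it. The sketch below is an added example, not code from either article or from L0phtCrack; it assumes "alphanumeric" means 62 symbols, backs a guess rate out of the two-hour figure, and uses constructed sample passwords.

```python
import string

# Assumption: the article's "alphanumeric" means a-z, A-Z and 0-9 (62 symbols).
# Guess rate backed out of its figure of 8 such characters exhausted in 2 hours.
ARTICLE_RATE = 62 ** 8 / (2 * 3600)  # guesses per second, about 3.0e10

# Character classes a typical complexity policy asks for (printable ASCII only).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

def alphabet_size(password):
    """Combined size of every character class the password draws from."""
    if any(not any(ch in cls for cls in CLASSES) for ch in password):
        raise ValueError("model covers printable ASCII only")
    return sum(len(cls) for cls in CLASSES
               if any(ch in cls for ch in password))

def exhaust_hours(password, rate=ARTICLE_RATE, slowdown=1):
    """Hours to try every string of this length over that alphabet.

    This is an upper bound on resistance: dictionary and pattern-based
    guessing find human-chosen passwords far sooner than exhaustive search.
    `slowdown` models a costlier hash (1 = the article's baseline).
    """
    guesses = alphabet_size(password) ** len(password)
    return guesses * slowdown / rate / 3600

def audit(passwords, min_hours=24 * 365):
    """Return the passwords whose bound falls below `min_hours`."""
    return [p for p in passwords if exhaust_hours(p) < min_hours]

# Constructed sample passwords, not taken from any real system.
SAMPLE = ["Summer16", "P@ssw0rd", "kq7vj2mxw9rt4hz"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:20} {exhaust_hours(pw):.3g} hours")
    print("below one year:", audit(SAMPLE))
    # Wysopal's quoted 3-million-fold factor for bcrypt, applied to the first.
    print(f"{exhaust_hours(SAMPLE[0], slowdown=3_000_000):.3g} hours")
```

Adding a symbol class to an eight-character password moves the bound from two hours to under three days, while length and hash cost move it by many orders of magnitude.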
