One of the basic tenets of information security is to ensure that systems use strong passwords, namely those of
a certain length that mix letters, numbers and other special characters. One way to determine if your password is strong is to type it into a password checker, like Microsoft's Password Checker. The software giant's tool checks for sufficient length and complexity.
These more complicated passwords are considered "strong" because they take a longer time to crack than shorter, easier-to-guess passwords. But even strong passwords can be cracked in seconds using an open source tool called Ophcrack.
Ophcrack is an extremely fast password cracker because it uses a special algorithm called rainbow tables. Brute-force cracking tools typically try thousands of combinations of letters, numbers and special characters each second, but cracking a password by attempting every conceivable combination can take hours or days. Rainbow tables pre-computes the hashes used by passwords, allowing for a speedy password lookup by comparing the hashes it has, instead of computing them from scratch.
Thinking of it another way, someone else has already generated the password hashes for millions of potential passwords using the same algorithm as Windows XP and Vista. Ophcrack simply loads the megabytes of hashes it already has and compares the password hash in Windows against its giant database. When it finds a match, Ophcrack reveals the password in plain text.
For more information
Discover how a keyring works in conjuction with passphrases to keep personal messages secure.
In this Q&A, Joel Dubin unveils the best practices for protecting a router security password from compromise.
Learn best practices and tools for ensuring password compliance.
Ophcrack works on LAN Manager (LM) and NT LAN Manager (NTLM) hashes, and has rainbow tables available for cracking Windows XP and Windows Vista passwords. It comes with a slick GUI and runs on Windows, Linux/Unix, Mac OS X, or from a bootable LiveCD. Ophcrack has the ability to obtain password hashes from the Security Accounts Manager (SAM), the registry database that Windows uses to store protected user passwords.
Ophcrack is not malware and has its legitimate uses. For instance, most Windows password-recovery tools will substitute a new password in place of a lost one, but knowing the actual password may be useful in unlocking other archives found during a forensics investigation. Additionally, testing a known password against Ophcrack, and besting the rainbow tables, can help validate that the password is extremely strong.
However, one of the tools Ophcrack uses to access the SAM is pwdump, which many virus scanners will flag and quarantine as malware during installation because of its ability to create surreptitious remote connections used for spiriting out data. Ophcrack requires pwdump in order to dump the hashes in the SAM, so its association with pwdump may present some ethical hackers with an uncomfortable level of risk.
About the author
Scott Sidel is an ISSO with Lockheed Martin. For more recommendations from the author, check out Scott Sidel's Downloads.