by , 11:00 AM EDT, July 23rd, 2003
Those of you with servers and desktops running one of Microsoft's operating systems might not want to read this next bit of news: C|Net is reporting that Swiss researchers have found a way to crack Windows passwords quickly, and with little more than an off the shelf PC with lots of memory. The technique, called time-memory trade-off, can discover a Windows password in as little as 14 seconds, whereas other methods can talk ten times as long. From the article Cracking Windows Passwords in Seconds:
The results highlight a fact about which many security researchers have worried: Microsoft's manner for encoding passwords has certain weaknesses that make such techniques particularly effective, Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL), wrote in an e-mail to CNET News.com.
"Windows passwords are not very good," he wrote. "The problem with Windows passwords is that they do not include any random information."
Oechslin outlined a way to take advantage of that lack of randomness on Tuesday when he published a paper and a Web demonstration of the technique . The research builds on previous work showing that encryption algorithms can be sped up with the help of large lookup tables. Increasing the size of the lookup tables reduces the amount of time, on average, that it takes to search for a password.
The researcher used a 1.4GB lookup table and a single computer with an AMD 2500+ processor and 1.5GB RAM to offer people a way to test the process online .
The article goes on to explain that the method of password encryption used on Microsoft OSes are far inferior to that used in *IXes, including OS X. From the article:
Microsoft has used two encoding schemes, also known as hashing functions, to encrypt passwords. The first, known as LANManager or LANMan, was used by Windows 3.1, 95, 98, Me and early NT systems to secure passwords that were used to connect to early Windows networks.
The LANMan scheme has several weaknesses, including converting all characters to uppercase, splitting passwords into 7-byte chunks, and not using an additional random element known as "salt." While the more recent NTHash fixes the first two weaknesses, it still does not use a random number to make the hashes more unique.
The result: The same password encoded on two Windows machines will always be the same. That means that a password cracker can create a large lookup table and break passwords on any Windows computer. Unix, Linux and the Mac OS X, however, add a 12-bit salt to the calculation, making any brute force attempt to break the encryption take 4,096 times longer or require 4,096 times more memory.
There is much more information in the full article at C|Net.
This news should make those folks at the Department of Homeland Security lose a lot of sleep; they just signed a $90 million contract that will put Windows in every server and desktop in the governmental office that is suppose to make us feel secure.
Didn't we also just read somewhere that the US Navy has Microsoft Windows at the core of the systems that control one of the Navy's most powerful warships and will have Microsoft involved in the creation of its next generation of warships?
We won't even mention the Big Redmond glitch that left a Navy ship about as useful as a several hundred million dollar bucket. OK, maybe we will mention it.
We feel more secure already.
It's not that we're bad mouthing Microsoft because it has these security problems; we believe that every OS has some sort of problem with security. It's just that this was a known problem and Big Redmond did nothing about it, and this after Bill Gates looked the American public in the eyes, like any politician would, and stated that Microsoft was committed to its Trustworthy Computing Initiative, that its software would be more secure.
(OK, maybe not directly in the eyes, it was a memo to Microsoft employees. We suppose that many of them didn't get that memo. Was Outlook to blame?)
We have to believe the city of Munich, Germany is on the right track for refusing to sign a deal with the Gates Gang, opting for a higher cost Linux-based solution.
On the other hand, passwords on any system, including those running a version of the Big Redmond OS, are the weakest link in any IT security plan. People view passwords as if they are a bother. They try to minimize dealing with the maintenance of passwords in many very creative ways; they write down and hide them, make them words that are easily guessed, or worse of all, people won't use them at all, believing that there really is not need.
In a corporate IT environment passwords are often the only thing that stands between company sensitive information and the competition. Millions are spent by companies to secure data and it can all be rendered useless if the system admin uses his dog's name as a password for 'root'.
Still, with a Windows based OS, even the best passwords can be cracked given a surprisingly small amount of time. Maybe now Microsoft will take a look at hard look at its method of password encryption. Maybe.
One final thought: With all of the negative news about Microsoft these days, one wonders why the media hasn't labeled Rig Redmond 'beleaguered' yet? We think that if there is a poster child for being surrounded by problems, Bill Gates would be it. He wears it well, though. Go Bill!