Cracking Windows passwords in seconds

If your passwords consist of letters and numbers, beware.

Swiss researchers released a paper on Tuesday outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from one minute 41 seconds.

The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Called a time-memory trade-off, the situation means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code.

http://theglobeandmail.com/servlet/story/RTGAM.20030723.gtpasswordjuly23/BNStory/Technology/

in your password?

it seems to be more secure

about 4096 times as secure.

amazing that microsoft still hasn't adopted a simple security technology that was in UNIX 20 years ago.

Don't use Micro$oft stuff if you want to be secure, use Linux or maybe even OpenBSD or other Unix-like OSes. Micro$oft put sercurty holes in possibly malciously possibly out of imcompetence.

Password cracking: You're password is as strong as 1/P. Where P is the probablity of someone guessing or using it too.
pwd=GOD very high P
pwd=/qwc9$.p<ü7 lower P[br />
These attacks mentioned assume that the attacker has somehow gained access to the password file. Which exists normaly on the harddrive unecrypted. Hackers can gain access to such files only through other security holes, like MS Internet Explorer's java implementation.

How the password files work:
Take a big number seed - 1024 bit let's say.
Take a bit of salt generated for that machine- (random number) 12bit for unix mentioned.
Take Hashes of (username:password)
Multiply all those things together.

To test usernames password. Divide by Hash(username:password), if the reamainder is zero let him in.

To hack you have to factor some big ass number, which is "thought to be NP hard". Or you can try guessing multiple (username:password) combinations. If each guess takes X time to divide the hugh number the estimated times to hack the password will be about:
X*P

Moores's Law suggests the speed of computers doubles about every 6 monthes. So you have to increase the size of the seed and salt, every now and then. There is also the problem that humans may someday not be able to remember passwords long enough to do the job. Personally I think in the future we'll have an personal artifact used to verify who we are that can do complicated things like sigh certificates and check that we are who we say.