If password management weren't enough of a headache, researchers have found what could be serious holes in Windows' password encoding scheme.
Swiss researchers at the Security and Cryptography Laboratory (LASEC) have outlined a way of cracking alphanumeric Windows passwords from hashed values in as little as five seconds, often less.
The LASEC team of academics and students, led by network security lecturer Philippe Oechslin, demonstrates at http://lasecpc13.epfl.ch/ntcrack/faq.php how to crack passwords, with some taking only a second, using large lookup tables on a standard AMD-powered PC with 1.5GB of RAM.
The demo shows that passwords including non-alphanumeric characters are much harder to crack but, of course, few users use these.
Oechslin's team points out that Windows uses two ways of encrypting passwords, and both lack random information, known to cryptographers as 'salt'. This means that the same password on two different machines will have the same hash value.
Oechslin says: "Because we know in advance how the hashes will look, we can pre-calculate all of them and store some of them in our tables." Most other OSes in use today - Unix, Linux, and Mac OS X - add a 12-bit salt to the calculation, with the result that Oechslin's method would take 4,096 times as long to generate a result.
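The effect of the missing salt can be seen in a few lines of Python. This is an added illustration, not LASEC's code or the method from the paper: SHA-256 stands in for the Windows hashing schemes, and the candidate list, salt values and function names are constructed for the example.

```python
import hashlib

SALT_BITS = 12  # salt size the article cites for Unix, Linux and Mac OS X
# Constructed candidate list; a real table covers an entire keyspace.
CANDIDATES = ["letmein", "summer2003", "Waterloo1", "password"]

def toy_hash(password, salt=None):
    """Stand-in hash: SHA-256 (an assumption, not the Windows algorithms)."""
    prefix = b"" if salt is None else salt.to_bytes(2, "big")
    return hashlib.sha256(prefix + password.encode()).hexdigest()

def build_table(candidates, salt=None):
    """Precompute hash -> password once, before any stored hash is seen."""
    return {toy_hash(p, salt): p for p in candidates}

def entries_needed(n_candidates, salt_bits=SALT_BITS):
    """Entries required to cover every candidate under every possible salt."""
    return n_candidates * 2 ** salt_bits

def demo():
    unsalted_table = build_table(CANDIDATES)
    # Unsalted: two machines store the identical value for the same password,
    # so one table built in advance answers both with a dictionary lookup.
    machine_a, machine_b = toy_hash("summer2003"), toy_hash("summer2003")
    # Salted: each machine draws its own 12-bit salt (values constructed).
    salt_a, salt_b = 0x3A7, 0x051
    salted_a = toy_hash("summer2003", salt_a)
    salted_b = toy_hash("summer2003", salt_b)
    table_for_a = build_table(CANDIDATES, salt_a)
    return {
        "same_hash_unsalted": machine_a == machine_b,
        "unsalted_lookup": unsalted_table.get(machine_b),
        "same_hash_salted": salted_a == salted_b,
        "unsalted_table_on_salted": unsalted_table.get(salted_a),
        "salt_a_table_on_a": table_for_a.get(salted_a),
        "salt_a_table_on_b": table_for_a.get(salted_b),
        "entries_unsalted": len(unsalted_table),
        "entries_all_salts": entries_needed(len(CANDIDATES)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A table built for one salt value is useless against a hash stored under another, which is where the factor of 4,096 comes from: every candidate has to be precomputed once per possible salt.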
Research undertaken for this project builds on previous work showing that using large amounts of memory to store lookup tables reduces the time it takes to crack a hashed value. The team has yet to decide whether to release the code it uses to derive passwords but, as the website points out, "We are not sure whether it is a good thing to release it and whether we should do that for free. On the other hand the method is described in the paper, so anybody else should be able to produce the code."
The good news is that password hash values can only be generated after an attacker has gained control of the PC, although remote tools could make this easier. And there are much easier ways of discovering passwords, as many recent stories have shown. In April, researchers claimed that 90 per cent of workers passing through Waterloo station had given away their system password in return for a free pen.