Cracking 14 Character Complex Passwords in 5 Seconds

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.

Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds. So, how long would a long complex password hold up to the SSD based cracking technology?

Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer. So, I pulled several 14 character complex password hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:

aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

And putting this into Objectif’s tool we get this response:

Password: Empty password…
Time: 2 seconds

Administrator didn’t set a password, that’s not good…

Okay, that wasn’t 14 characters, let’s try a hard one.

How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura!
Time: 5 Seconds

Wow! That took only 5 seconds and that is a decent password.

Let’s try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>”QTHp
Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:!
Time: 5 Seconds (Try typing that in every day!)

And Finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@}
Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack!
(* Ran it through a second time later on and it got it in 3 seconds!)

Very impressive, it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it was using characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either. :)

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

Granted, these are Windows LM Hashes and not the more secure Windows 7/ Server 2008 NTLM based hashes. But, I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to dual authentication methods. Biometrics and smartcards are really becoming popular in secure facilities.
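Whether an account is exposed in this way can be read straight off the LM field of a hash dump. The following is an added example, not code from the original post or from Objectif: it assumes a pwdump-style `user:rid:lm:nt:::` layout, and the account names, RIDs and the hash values in the last two sample rows are constructed.

```python
import re

# Added example: classify LM/NT pairs from a pwdump-style dump (defensive audit).
EMPTY_LM_HALF = "aad3b435b51404ee"             # LM value of an unused 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2                   # the Administrator LM field shown above
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # the Administrator NT field shown above
HEX32 = re.compile(r"[0-9a-f]{32}")


def classify(lm: str, nt: str) -> str:
    """Return a finding for one LM:NT hash pair."""
    lm, nt = lm.strip().lower(), nt.strip().lower()
    if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
        raise ValueError("expected two 32-hex-digit hashes")
    if lm == EMPTY_LM:
        # No usable LM hash: blank password, LM storage disabled, or 15+ characters.
        return "EMPTY_PASSWORD" if nt == EMPTY_NT else "LM_NOT_STORED"
    if lm[16:] == EMPTY_LM_HALF:
        # Second half unused, so the password is at most 7 characters long.
        return "LM_STORED_LEN_1_TO_7"
    return "LM_STORED_LEN_8_TO_14"


def audit(dump_text: str) -> dict:
    """Map account name -> finding for every user:rid:lm:nt::: line."""
    findings = {}
    for line in dump_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0]:
            continue  # skip blank or malformed lines
        findings[fields[0]] = classify(fields[2], fields[3])
    return findings


# Constructed sample: rows 1-2 reuse hash pairs quoted in the post; the names,
# RIDs and the hashes in rows 3-4 are made up for illustration.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user14:1003:17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4:::
short:1004:0123456789abcdefaad3b435b51404ee:00112233445566778899aabbccddeeff:::
nolm:1005:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_DUMP).items():
        print(f"{account:15} {finding}")
```

Any account reported as `LM_STORED_*` is the kind of entry the test above cracked in seconds; `LM_NOT_STORED` is what a dump shows once LM hash storage is turned off and the password has been changed.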

And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…

* UPDATE:

Curious how long Windows 7 NTLM can hold up to password hash attacks? Check out “NTLM Passwords: Can’t Crack it? Just Pass it!”

Or prefer just Pulling Passwords in Plain Text instead of having to crack them? Check out Mimikatz.

~ by D. Dieterle on October 21, 2010.

37 Responses to “Cracking 14 Character Complex Passwords in 5 Seconds”

  1. How about against NTLM (Vista/7/2k8) hashes?

    • The free online scanner only handles LM hashes. But, Objectif Sécurité is the creator of Ophcrack, which does work against NTLM hashes.

      http://ophcrack.sourceforge.net/

      If anyone has a SSD drive and runs Ophcrack on it against NTLM hashes, I would love to know the outcome.

      According to the article on “The Register” Objectif was running the online XP cracker on an Athlon 64 X2 4400+ with an SSD drive. I would love to see what a newer rig would do.

  2. You realize that LM hashes are 7 characters max right? So your 14 character password is really just two 7 character passwords. That’s why it’s so fast. The title of your article is horrifically misleading.

    • I put a 14 character complex password in Windows XP, do a hash dump, put it into Objectif’s online cracker and get the password as typed, in about 5 seconds.

      I guess I don’t see what part of that is misleading from the title?

      • What is misleading is that it is not a true 14 character password. It is two 7 character passwords which are hashed separately. Yes it may not seem different but if there is a 96 character set (upper + lower case letters + numbers + common symbols) – 7 characters is around 75 trillion possible combinations. 2 * 75 is around 150 trillion possible combinations, but a 14 character password with 96 characters is around 5 octillion combinations. 75 trillion * 2 or 75 trillion ^ 2. See the difference? This would not be as fast with a real 14 character password. NTLM has been broken for a long time.

      • Thank you for the input. True, NTLM hashes are stored in two separate 7 character lots. But users feel safer when they are told endlessly to use longer, complex passwords.

        What this post shows is that from a common, every day Windows XP machine (that has LM hashing enabled by default), it doesn’t matter if you enter a 4 character password, 7 character or 14. Or how complex it is. Technology exists that can crack it in about 5 seconds.

        The speed of the SSD based cracker is much faster than anything else out there.

  3. The high cracking speed is from Objectif’s use of SSD drives but also the storage of passwords in the weaker LM Hash method.

    If you have a Windows XP machine, a Windows Server 2003 Server(including Domain Servers!), or earlier, your system by default stores passwords in this way.

    Directions for turning off the storage of the LM Hash can be found on Microsoft’s website:

    http://support.microsoft.com/kb/299656

  4. Those Swiss are getting sloppy: after producing secure encryption devices that add the encryption key at the end of the message now they try to make money out of exploiting the NTLM password hash flow introduced by the idiot who designed it.

  5. [...] benchmarks are taken from this article: http://cyberarms.wordpress.com/ . However, I do not agree at all with the conclusions drawn. [...]

  6. It is very cool to see an implementation using SSD drives. I keep an 80GB, SATA disk laying around filled with rainbow tables and it can take up to about 10 minutes max (through a USB connection to the drive) to find/compare the correct LM hashes.

    As others have said, LM supports 14 character password max and splits that into two 7 character passwords. So each 7 character half is hashed separately. The method used here is a simple hash comparison. If you have two passwords exactly the same, hashed via LM, the hash will be the same. Now, if you have two NTLM passwords, the same, the hash will be different as there is “salt” or variance added to the algorithm.

    This prevents the simple hash comparison via rainbow tables that can be accomplished for LM hashes.

    Good post though, thanks for the information.

    • Thanks for visiting. Checked out your site, it looks pretty interesting!

      True, Linux has been using Salted passwords forever. But because Windows is concerned about backward compatibility, LM hashes are still around.

      I saw a report that mentioned that Sharepoint still uses LM hashes too.

      The raw speed of the SSD drive is what just amazes me. As you said the online cracker is basically doing lookups on two separate 7 character passwords, so in effect it is cracking two 7 character passwords in about 5 seconds.

      Very impressive indeed!

      • Yeah you are very right on LM hashes still being around and widely used. On actual computer forensics cases or during the course of pen-testing that I perform many people are still using XP with passwords under 14 characters with the default LM hash.

        As far as I’m concerned, anything that speeds up the process is good news to me :]

        I had not seen this free service by Objectif either. Pretty nice. I think it is inspiring me to dedicate an SSD just for this purpose.

  7. [...] Cracking 14 Character Complex Passwords in 5 Seconds – cyberarms.wordpress.com One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex password in under 5.3 seconds. [...]

  8. I just wanted to thank everyone for sharing this article and passing it along. Since it was released last week this article very surprisingly has been read over 10,000 times and I have read excerpts of it in 4 different languages!

    I want to thank too all those who have chipped in comments on this article on this site and other sites linking to it. You have provided some great information for users on password storage techniques and safety tips!

    Thank You!

    Oh, and by the way, a recent report stated that 74% of business computers are still using Windows XP. Please turn off LM Hashing! :)

    Dan

  9. I found a simple, cheap way to protect against this kind of password cracking: I just don’t use them. In fact, I’m not even using PC’s anymore. Period. Crack that hackers!

  10. [...] Passwords: Can’t Crack it? Just Pass it! In my prior article, “Cracking 14 Character Complex Passwords in 5 Seconds” we looked at how safe Windows LM based passwords were. But what about NTLM based [...]

  11. [...] Cracking 14 Character Complex Passwords in 5 Seconds « CYBER ARMS – Computer Security. [...]

  12. Thanks for the info ;)

  13. computers are great when they work!

  14. [...] Cracking 14 Character Complex Passwords in 5 Seconds No need to crack complex 20 character passwords, Just pass them [...]

  15. [...] weaknesses in the core structure of the Internet, while ever cunning hackers take advantage of increasing processing power and ever more trusting users. I’m willing to predict that something big is going to happen [...]

  16. [...] Cracking 14 Character Complex Passwords in 5 Seconds – [cyberarms.wordpress.com] There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly. [...]

  17. [...] Cracking 14 Character Complex Passwords in 5 Seconds [...]

  18. Have you heard about the new plant DNA genetic encoding used on some cards? Some plants have more complicated DNA than animals.

    My son says more intellect than public officials as well.

  19. [...] to my attention by Chad Tilbury. While teaching SANS Forensics 408, Chad pointed out to the class this project to put the LM hash rainbow tables on solid state drives. This is an incredibly fast and inexpensive [...]

  20. [...] the Good, the Bad and the Ugly”. A must read. Especially if you think you already know all (http) about (http) LM hashes (http). Share [...]

  21. [...] have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows Hashes. This is due to the fact that Windows stores these [...]

  22. Reblogged this on lava kafle kathmandu nepal.

  23. [...] As on some older systems, 14 characters or less can be cracked in a very short amount of time (as few as 5 seconds!) if the password hashes can be obtained and if the system allows weak LM [...]

  24. [...] State Disk), the same SSD that makes your laptop turn on in mere seconds. A Swiss company can reportedly crack 14-character passwords in 5-seconds using SSD. Wow! It may take the bad-actors a little longer to crack the longer passwords. Today, [...]

  25. [...] Passwords are “the most common logical access control…sometimes referred to as a logical token” (Ciampa, 2009). However, that being said, they need to be tough to hack in order to provide an essential level of access control. If one makes the password easy to guess or uses a word in the dictionary, they can be subject to brute force attacks, dictionary attacks, or other attacks using rainbow tables. Keeping this in mind, experts agree that the longer the password is, the harder it is to crack, provided the user remembers it and used many different characters and non-keyboard type characters in creating it. Utilizing this concept also makes it more difficult for a hacker to crack the password with the use of rainbow tables. Having a two-factor authentication (i.e. Smart card with password) can make things more secure, especially with technology advancing to the point where cracking passwords can take only seconds as pointed out in this article: http://cyberarms.wordpress.com/2010/10/21/cracking-14-character-complex-passwords-in-5-seconds/. [...]

  26. [...] Cracking 14 Character Complex Passwords in 5 Seconds [...]

  27. [...] have seen in the past that most Windows passwords less than 15 characters can be cracked in just a few seconds if the attacker can get the Windows Hashes. This is due to the fact that Windows stores these [...]

  28. It’s nearly impossible to find experienced people on this subject, however, you sound like you know what you’re talking about! Thanks
