NT's Poor Password Encryption
Windows NT and 2000 Storage of LANMAN Password
Hashes Assure That Normal NT and 2000 Passwords Can Be Cracked
Major changes are coming to this page in February or March,
2014. The story of how Microsoft has refused to update a seriously flawed
password storage for more than 20 years. This is not about the problems of
the Lan Man hash which have been well known for many years and are discussed
below. This is about the problems of NT password storage, which has not
been updated since Windows NT was released in mid 1993, and is still used
on all current Windows systems except domain controllers and those using
Active Directory and Kerberos.
Current Windows Password Issues
By discontinuing LM or LANMAN hash storage as a default method in
Vista, Microsoft got rid of its biggest password weakness. Users of
Vista and later Windows products should be aware that LM hash storage
can still be enabled with a registry change.
On the other hand, Microsoft has refused to
acknowledge or deal with Windows' other major password weakness.
This has to do with how the hashes are created. A hash is the
one-way mathematical transformation of a plain text password into
a gibberish string, which is how the password is stored on the system.
Each time you log in, the same process is repeated, and if the
resulting hash matches the stored hash, you have entered the right
password and the system lets you on.
The problem Microsoft has not dealt with is that all Windows systems
turn the same password into the same hash. It is possible that different
Windows versions create different hashes from each unique plain text
password; it is my understanding this is not the case. I believe that
all Windows 2000 and later systems, with LM hashes disabled, create
the same hash from each unique plain text password.
There are publicly available databases
of cracked passwords. Most passwords don't even need to be cracked, they
can simply be looked up. Given the statistics on how many people use
bad passwords I'd guess something between 70 and 95% of all Windows
passwords in use are already known. It's estimated that 20% of
users use one of the 25 most common passwords. According to
Mark Burnett, 40% of users use one of the top 100 passwords and 79% use
one of the top 500 passwords. This means for the large majority of
Windows systems, any hacker who can gain access to your system probably
already knows your password, assuming you even use one.
Maybe that last sentence sounded a little strange. How do hackers get on
your system without knowing your password? That's way too big and complicated
a topic to even try to deal with here, but the short answer is bugs or
security flaws. Compromised passwords remain one of
the most common ways to illicitly access systems. The number is in the mid
20% range. That means the large majority of break-ins are via means other
than compromised passwords. Once a cracker gets on a system he will almost
surely attempt to take the password file. That gives him the names of all
the accounts on the system. Depending on the system and the hacker's background he is
likely to look up or attempt to crack all the passwords in the stolen password
file. This significantly increases his chances of long term access to the
hacked system if the way he got on in the first place is closed, perhaps
by the application of a security patch or system update.
Unix is very different. There are many varieties of Unix, and here
I'm including Linux, FreeBSD, OpenBSD and the other open source Unix
like systems as Unix variants. These systems use a variety of different
hashing algorithms but there is one thing they all have in common. They
all use salts. This means that each plain text password, has at least
2048 different hashes. Modern systems tend to have several times this
number. If I had a bad password, and the person working near me just
happened to have the same bad password, there is almost no chance the
hashes would look in any way similar on any Unix system, and they
would look even more different on different Unix systems.
Further, many Unix systems give their administrators the choice of more than
one hashing algorithm. At least one, OpenBSD not only gives the administrators
a choice of algorithms, but lets them set a different loop count for everyone
than the default, and different loop counts for different classes of users.
By increasing the loop count, administrators may have entirely different, and
much stronger hashes than other users. Nearly all hashing algorithms are run
several times. Every variation in the number of loops results in a completely
different set of hashes. Each additional loop also makes the passwords stronger
because a cracker must configure his cracking tool to use the correct number
of loops on each password. Using the wrong number of loops or wrong hashing
algorithm ensures none of the attacked passwords will be cracked.
Also the
newer stronger hashing algorithms don't or should not have faster counterparts
that can be used for cracking. If an administrator is willing to add enough
loops that his login is delayed by a half second or even a second, that
ensures his password will be MUCH harder to crack. My last cracking table
suggests 25 million cracks per second on a fast desktop. With most modern
hashing algorithms, a cracker has to use the same process as is used when
a password hash is saved, or when a login password is hashed for comparison.
If it takes a second to log in, nearly all of this is the hashing process.
That means the cracker will also have to spend nearly a second for each
attempted password. By increasing the hashing loop count for root (the
name of Unix admins) the cracks per second can be reduced to 1, so
the root password on such a Unix system is roughly 25 million times stronger
than most passwords in use today (Windows passwords).
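
The salt and loop-count ideas above, as an added sketch that is not from the original page or from any Unix system's code. PBKDF2-SHA256 from the Python standard library stands in for the system's own algorithm, plain SHA-256 stands in for an unsalted scheme, and the class names and loop counts are illustrative assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical per-class loop counts, in the spirit of the per-class
# settings described above. The numbers are illustrative only.
CLASS_ROUNDS = {"default": 20_000, "admin": 200_000}
SCHEME = "pbkdf2-sha256"


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted scheme: one fast hash and no salt, so the
    same password always produces the same stored value on every system."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, login_class: str = "default",
                salt: Optional[bytes] = None) -> str:
    """Return a record '<scheme>$<rounds>$<salt hex>$<digest hex>'.
    The salt and loop count are stored beside the digest because the
    verifier needs both to repeat the computation."""
    rounds = CLASS_ROUNDS[login_class]
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, rounds)
    return f"{SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt and loop count from the record, then
    compare in constant time."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, login_class: str) -> bool:
    """True when a record was made with fewer loops than the class now
    requires; it can be upgraded at the user's next successful login."""
    return int(stored.split("$")[1]) < CLASS_ROUNDS[login_class]


if __name__ == "__main__":
    pw = "letmein1"  # constructed sample password
    # Unsalted: two users with the same password share one stored value.
    print(unsalted_hash(pw) == unsalted_hash(pw))
    # Salted: the same password yields unrelated records for each user.
    alice, bob = salted_hash(pw), salted_hash(pw)
    print(alice != bob, verify(pw, alice), verify(pw, bob))
    # A higher loop count for the admin class changes the result again.
    print(salted_hash(pw, "admin").split("$")[1])
```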
I'm on a very common Linux system that uses Blowfish as the default
hashing algorithm. Blowfish is widely regarded as the best of the password
hashing algorithms. I tried a couple well known password hash database sites.
Neither of them lists Blowfish. Neither of them recognized my password hash
as a hash let alone had a password to go with it. It's not a great password
but it's not vulnerable to any dictionary or any of the standard attacks.
It should take about 4 centuries to crack it with brute force, but if
a supercomputer or network of computers was available to crack it would
go a lot faster.
Returning to Windows, anyone who can point me to any authoritative statements
by Microsoft on what they have done in the past decade or so to strengthen
their password security, would be much appreciated. If there is nothing
from Microsoft, anyone who has the appropriate background and has studied
the changes Microsoft has made would be quite helpful. I'd like to update
these pages, but only if my basic concerns have been addressed. I'm no
fan of Microsoft, but I don't like criticizing obsolete systems when
I have doubts that the problems still exist.
If all backwards compatibility is
history, at least you can make strong passwords on Windows now, which
really was not possible in the past with default system settings. But if
you really want secure passwords you are going to have to do things
differently. The truth is that you need 15 character or longer passwords
that neither you nor anyone else has ever seen before. You could use my
password generator (it was the most flexible and configurable generator on
the Internet, that I knew of). In the future I hope to add new
options appropriate for long passwords. Mark Burnett has created a
very flexible, and more user friendly password generator called
Pawfert.
You could also spend a lot of time reading my often technical section on
Good and Bad Passwords of which this page is a part.
For most of you though, unless you really want to understand the technical
details of what makes strong and weak passwords, I'm going to suggest you
read this page by Mark Burnett. This page discusses many of
the important password issues in a much more user friendly way than I do.
I'd skip the last section, "How I Collect Passwords" and any other section
that does not seem useful. After you read most of the page, you should have
a good feel why longer passwords are so important, and some ideas about how
you might make ones you can remember and type. He has me wondering if there
may not be better ways to make passwords than I've been using. The way he
writes is very readable and often entertaining.
LANMAN Password Hash Storage
If you have Windows Vista or any newer Windows the rest of this page has no
relevance to you unless someone has deliberately enabled LANMAN hashing
via the registry on your system. If you have Windows 2000 SP2 or a
newer Windows prior to Vista you can fix the problems described
below by following one of the procedures described on this
Microsoft Support page to disable LM hashes. If you still have a system older than
Windows 2000 SP2, then you are stuck with the problem described
below.
Because Windows NT maintains backward compatibility with Windows
95 and 98 and the LANMAN authentication they support, Windows NT
passwords are particularly easy to crack. A LANMAN password is
upper cased, padded to 14 characters, divided into two seven
character parts, each of which is used as a key to encrypt a
constant. The two hashed results are concatenated and stored as
the LANMAN hash which is stored along with the NT hash in the SAM
part of the registry.
Two seven character pieces are much easier to break than a single
14 character sequence. Just how much easier depends on the
character set but is at least 7 and more likely 9 or 10 orders of
magnitude. Also, all LANMAN passwords are treated as all upper
case so that if a mixed case password is used, all lower case
letters are uppercased before the encryption is done. This
removes 26 characters that could have been used, also greatly
simplifying cracking but how much depends on how many characters
are in the password. 8 character LANMAN passwords are about 890
times easier to crack than their NT counterparts should be and 14
character LANMAN passwords are about 450 trillion (15 decimal
places) times easier to crack than their NT counterparts should
be.
Unfortunately, getting the LANMAN password pretty much gives the
NT password also. After the LANMAN password is cracked, 2 to the
nth power where n is the length of the password, gives the
maximum number of case variations that must be tried to get the
NT password. On contemporary hardware, this will probably take
less than a second.
NT has a registry setting to disable the use of LANMAN
authentication. This merely prevents clients using LANMAN
authentication from logging in; it does not clear the LANMAN
hashes from the SAM. It doesn't even prevent new LANMAN hashes
from being created and stored after the setting has been changed.
NT and 2000 password storage is a bad security joke. It is
essential that Windows NT and 2000 password hashes be kept out of
the wrong hands.
It's not clear how significant the changes to Windows 2000 are.
If Active Directory is enabled, then the password hashes are
stored there instead of the SAM. This will change the mechanics
of obtaining the password hashes. What is clear, is that as long
as LANMAN hashes are stored with their Windows NT and 2000
counterparts, the essentials of cracking Windows 2000 passwords
will remain the same as cracking NT passwords. Simply
disabling LANMAN authentication on Windows 2000 will not clear
the LANMAN hashes. Windows 2000 has not adopted anything like
the salt idea.
In the summer of 2001, Microsoft finally provided a method to
actually clear the LANMAN hashes for Windows 2000 and XP but not
NT. See
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q299656
for details. After the described registry changes are made, passwords
must be changed, so that the new password will not be stored with the
LANMAN hash. Authentication by Windows 95 and 98 clients will be
affected; see the article for details.
One of the most common recommendations regarding passwords does
not apply to Windows NT and 2000. This is to include mixed case,
digits and symbols or punctuation or at least two of the three.
Mixed case makes no significant difference as long as LANMAN
hashes exist. For the next several years, mixed case makes
passwords harder to type and remember but does not provide any
meaningful security advantage in the Windows world.
What will make a difference is to include letters, digits and two
symbols or punctuation characters and to be sure that one of them
is from the following: ~ `[ ] { } ; ' : " , . / \ < > ? |. There
is also the possibility of including "ALT characters" which will
be discussed further below. The reason for
this selection is that there are three fairly well known tools
for cracking NT passwords: L0phtCrack, John the Ripper and Crack
5. John and Crack are complex command line tools that require
significant effort to install; they're also free. In 2001 the time
limited shareware ($100) GUI version of L0phtCrack had a simple
standard Windows install and was just as simple to use. Within a
minute or two after downloading, you can have it installed and
cracking passwords. It was considered the fastest cracker and
generally worth the price.
LC5 Password Cracker
The preceding statement was true of the previous version
l0phtcrack 2. After L0phtCrack became commercialized, it was
subsequently called LC3, LC4, and then LC5. It passed through
multiple vendors and became subject to
standard Windows software price inflation. The
product is purchased, upgraded to support the current Windows
version, mostly window dressing features added and the price
raised multiple times. It's currently owned by Symantec or a
subsidiary and is no longer sold to new customers due to U.S. export
restrictions; support is expected to end at the end of 2006.
According to Wikipedia
a good freeware replacement called LCP is available from
http://www.lcpsoft.com/english/index.html.
Perhaps the most useful new feature that LC3 introduced is the use of
multiple computers on the same password set. Before, this would
have required tricky manual set up of configuration files and
manual coordination of the results. If a large number of desktop machines
that are otherwise not in use can be used frequently, it may
actually be practical to ensure NT and 2000 passwords are among
the strongest the platform allows.
Previously the old command line version was distributed as both
source and binary executables from the same site as the
commercial version. The l0phtcrack 1.5 source
remains available. If an executable version of
l0phtcrack 1.5 is still available for download, I could not find
one. On http://sectools.org/tools2.html
item #27, the second on this page (late 2006), under the heading of L0phtcrack
tells where you can get a trial version (and how to extend it indefinitely),
though suggests other tools may be superior.
Before, if you really wanted to test the product or only wanted
it for "one time use", the trial version had everything you
needed. Later versions are licensed and priced in such a
way that it can only be justified for larger organizations that
plan to use it on an ongoing basis. As I don't believe it's
productive to conduct ongoing internal password cracking
as a useful security measure, I could not recommend LC3 - LC5 unless
the licensing is such that the multi computer feature can and
will be used on a really frequent basis. (The license displayed in
the downloadable version of LC3 includes no references to the multi
machine capabilities.) Given the weakness of
the LANMAN hash, this might allow an organization to apply more
computing power than a potential opponent could reasonably be
expected to apply to the problem.
l0phtcrack 2 represented a reasonable tradeoff between ease of
use and functionality. Given the license and pricing changes with
LC3, if I thought that periodic, internal password cracking was
of real value, I'd more likely go to the trouble to install Crack
or John the Ripper on NT or 2000 because of their significantly
greater dictionary transformation capabilities.
One possible benefit of LC3 - LC5 is that it's expensive enough
that few who want it for illicit purposes would pay the price and
without paying they won't have the brute force option. The
shortened trial period also reduces the usefulness to potential
intruders but unless the technical measures to enforce the trial
period are really strong, the license terms don't matter. Anyone
using it to gain unauthorized access to systems belonging to
others, won't care about license terms either.
Potential intruders with illicit off-hour access to a large
number of computers will love the multi computer feature. Even
without brute force but with large custom dictionaries, the large
majority of passwords at most sites should be available within a
15 day trial period. It would require very well planned technical
measures to prevent installation on a new computer from starting
a new trial period.
L0phtCrack has four character sets to choose from. No feature
changes are listed regarding this, so it should be applicable
to LC3:
A-Z
A-Z0-9
A-Z0-9 !@# $%^&*-_=+
A-Z0-9 !@# $%^&*-_=+~`[]{};':",./ \< >?|
A space is part of the third and fourth sets. If all your
passwords include one character from the punctuation and bracket
characters that appear in the fourth group, then the cracking
tool most likely to be used against you, will never get any of
your passwords if default settings are used and will be forced to
use the entire 95 character, printable ASCII character set to
crack your passwords. This greatly slows its operation. I suggest
2 symbol or punctuation characters, one from each of the two
L0phtCrack groups, so that if the next version allows selecting
punctuation and brackets before the top of the keyboard symbols,
your passwords don't suddenly become weaker. Each 7 character
piece should contain the full range of characters. NT passwords
are already so weak, they need all the strength that can be put
into them. Note the newer competitor, LCP, from Russia can use
the extended non ASCII characters.
On a PIII 500, L0phtCrack can process all possible LANMAN
passwords in about 95 days. The fastest desktop computers can
probably reduce this to less than 30 days; it's not known if
L0phtCrack can benefit from multiple CPUs. Cracking efforts can
be spread across multiple computers. Considering that the previous
was written in 2001, the fastest desktop systems in 2006, can
probably do the entire printable ASCII character set in several
days, unless backwards LANMAN compatibility is disabled.
Thus, NT and Windows 2000 passwords need to be regarded
as crackable by brute force methods. A potential intruder might
obtain your SAM via an untrustworthy or former employee, offsite
backup media, a buffer overflow in a service, a poorly configured
web server with buggy applications or any of several remote
exploits that an improperly configured NT machine may expose. If
so, and the intruder is willing to devote significant computing
resources to the task, ALL of the passwords will be
cracked because of the inherent weakness of the LANMAN hash.
Making the Strongest NT and 2000 Passwords
Microsoft documentation mentions "32 special ALT characters"
that are allowed in the passwords. Use of these could create
strong passwords even with the defective LANMAN storage. These
can be typed by holding the Alt key while typing numbers between 128
and 255 on the numeric keypad with the Num Lock indicator on. I
have no idea which 32 are allowed in passwords but the first I
tried, ALT-144, was accepted. Passwords with at least one of each
of letters, digits, symbols and punctuation and these ALT
characters would be strong but also very difficult to type and
remember.
Thus, the strongest NT passwords should contain an ALT character,
two symbols and punctuation, one or two digits and two or three
letters. Without the ALT character there should be two or three
symbols and punctuation, two to four letters and one or two
digits. Each 7 character part should be treated as a separate
password. NT passwords should never have even small dictionary
words in them. If they do, the worst place to put such a word is
at the beginning of a 7 character password piece. Putting any
dictionary word at the beginning of an NT password almost assures
that L0phtCrack can break the password and probably in not very
much time. With the ALT character included, NT passwords have
approximately the same strength as strong 7 character UNIX
passwords, if a cracker includes these in its character set.
These are probably not brute force crackable but a resource rich
and determined cracker might be able to get them. If the
cracking tool does not include the ALT characters in its
character set, such NT passwords will not be cracked.
The newer LCP can include characters outside the range of the
printable ASCII character set, thus making the ALT characters theoretically
crackable. LCP, however, is slower than LC5 and the number of non
printable ASCII characters so large, that brute force attacks are
unlikely to crack passwords including these characters. Where this feature
should be most useful is in non English speaking countries, such as
Russia where it appears to have been developed. There they would
naturally use local dictionaries using characters not seen on an
English or US keyboard.
User Passwords
The use of the ALT characters on administrator accounts
would be beneficial. There is no easy way to ensure that users
choose strong passwords. It can't be done by password checking
either in a batch mode or interactively, i.e. doing your own
cracking because all you can do is ensure only the weakest
passwords are caught. To do more would require more CPU than a
single machine could possibly provide and a machine devoting 100%
of its CPU cycles to password checking won't get much useful work
done. There is no way to compete with a cracker who may be
willing to devote multiple fast machines to cracking your
passwords and who may be willing to wait days or months for
results. A user can't wait minutes let alone months to find out
if their passwords are acceptable.
The preceding paragraph may not be true, if LC3 is run off-hours
on multiple, otherwise unused, desktop computers.
There are no tools to ensure users enter good passwords as they
create them. Passflt.dll which comes with SP 2 and later can't
do it. Passflt requires three of the following four: upper case
letters, lower case letters, digits and symbols or punctuation.
As we've already seen, the upper lower case test is irrelevant.
Thus a password like Academy1 will satisfy passflt but this is
really ACADEMY1 for the LANMAN hash. It's the simplest variation
on a dictionary word that L0phtCrack will have in a few seconds
on most computers. There is no technical means to assure users
enter punctuation or symbols as part of their passwords on NT.
If you train your users and use passflt.dll, it may remind them
of the correct ways to make good NT passwords. I've seen nothing
to suggest the situation is fundamentally different on Windows
2000.
7 / 14 Character Password Confusion
One mistaken notion, regularly repeated regarding NT passwords
is that they should be exactly 7 or 14 characters and that
passwords between these lengths are weaker than seven character
passwords. This is not necessarily true. The reasoning for this claim is
as follows. Because the LANMAN password is broken into
two 7 character pieces, passwords between 7 and 14 characters will
necessarily have a short second password piece that is easy to
crack. This is true. The one and two character pieces are found
almost instantaneously and up to 5 characters fall quite quickly.
Any six character password will be found before the 7 character
passwords are cracked.
The fallacy comes with the assertion that knowing the last part
will aid in finding the first 7 character password. It is
possible to pick passwords so bad, such as a single long word or
pathetically obvious pattern that this may, in rare instances, be
true but it's likely such passwords would be found even if there
were no LANMAN hash and only the NT hash. Any reasonable attempt
to create a good password, will have a result where the eighth through
thirteenth character give no practical clue to the preceding
seven. This will surely be true of any password generator
created passwords.
The cracking tools have no direct way to use this inferred
knowledge from the quickly cracked second part. To use it, the
cracker must correctly infer the first 7 characters or make a
series of educated guesses and then manually create a custom
dictionary containing these and run the cracker using this new
dictionary. So yes, if the last three characters were '789', the
first seven might be '0123456' or if the last five were 'werty',
the first seven might be '123456q'. But then again they might
not. A cracker could spend a lot of time guessing at what he or
she thought the first seven characters were.
In the Microsoft knowledge base article on
disabling LM authentication, password strength is discussed. According
to Microsoft a "strong enough" password should "be at least 11 characters
in length, with at least 4 of those characters uppercase, numbers or
punctuation." I don't get this because unless you ignore the
LANMAN issues, letter case is for all intents and purposes irrelevant
but then this wouldn't be the first time Microsoft dismissed a security
concern expressed by others. They do not suggest anything like 7 and
14 characters being the best NT password lengths.
It seems obvious to me that 14 characters is strongest but only
twice as strong as 7 instead of billions of times stronger. Using
all 14 characters, decreases the chance that both will come near
the beginning of a brute force generated sequence. The biggest
danger of passwords between 7 and 14 characters is that all the
digits and punctuation end up in the short password and thus will
be found quickly. The 10 character
[8=wujvriz
is a good NT password as is the 7 character
wujv[8=
but the 10 character
wUJvriZ[8=
is a lousy password as is the 7 character
WujVRIz.
The two good passwords have the character variation where it's
needed; the "riz" at the end of the first is simply irrelevant.
wUJvriZ[8= is poor because the "[8=" will be broken as a three
character password and the case variation in the first 7
characters of both poor passwords, is of no practical use.
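
The splitting described in this section can be checked mechanically. The following added example (not from the original page or from L0phtCrack) upper-cases a password, splits it into its two LANMAN pieces and reports the smallest of the four character sets listed earlier that covers each piece; the function names are illustrative, and the sets are taken as this page lists them.

```python
# The four brute-force character sets as listed on this page, smallest
# first. Each set contains the one before it.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DIGITS = "0123456789"
TOP_ROW = " !@#$%^&*-_=+"          # the space is part of sets 3 and 4
PUNCT = "~`[]{};':\",./\\<>?|"     # punctuation and brackets, set 4 only
CHARSETS = [
    LETTERS,
    LETTERS + DIGITS,
    LETTERS + DIGITS + TOP_ROW,
    LETTERS + DIGITS + TOP_ROW + PUNCT,
]


def lanman_halves(password):
    """Upper-case the password and split it into the two 7 character
    pieces that are stored separately. Padding is left out because it
    adds nothing a guesser has to find. str.upper() is an approximation
    that is exact for ASCII input."""
    if len(password) > 14:
        raise ValueError("LANMAN storage covers at most 14 characters")
    upper = password.upper()
    return upper[:7], upper[7:14]


def smallest_charset(half):
    """Return 1-4 for the smallest listed set that covers every
    character, 0 for an empty piece, or None when some character (an
    ALT character, for instance) is outside all four sets."""
    if not half:
        return 0
    for number, charset in enumerate(CHARSETS, start=1):
        if all(ch in charset for ch in half):
            return number
    return None


def search_space(half):
    """Number of candidates of length 1..len(half) drawn from the
    smallest covering set, or None when no listed set covers the piece."""
    number = smallest_charset(half)
    if number is None:
        return None
    if number == 0:
        return 0
    size = len(CHARSETS[number - 1])
    return sum(size ** k for k in range(1, len(half) + 1))


def assess(password):
    """Per-piece report for one password."""
    return [
        {"piece": half, "charset": smallest_charset(half),
         "candidates": search_space(half)}
        for half in lanman_halves(password)
    ]


if __name__ == "__main__":
    # The four sample passwords discussed in this section.
    for sample in ("[8=wujvriz", "wujv[8=", "wUJvriZ[8=", "WujVRIz"):
        print(sample)
        for row in assess(sample):
            print("   ", row)
```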
If a password has the right type of character diversity, 7 and 14
character passwords may have a better chance that the character
diversity is distributed in a useful manner. Telling people to
use 7 and 14 character NT passwords is of no practical use unless
the characters that matter and don't matter are also explained.
Because of the peculiarities of the LANMAN hash storage, the
normal advice on password character diversity simply does not
apply to Windows NT and 2000 passwords. If you have a clear
understanding of what happens with the LANMAN hash, you can make
strong NT passwords of any length between 7 and 14 characters but
those in positions 8 to 13 are just wasted typing and mental
energy. If you don't understand the LANMAN hash, 7 and 14
character passwords are still likely to be weak.
Where 14 character passwords could be most valuable would be if
multiple machines were being used to process the same password
file. Each would be given a different starting point. One
machine might get one half and another machine the other. It
would take a manual or other method to correlate the results from
different machines to put the halves together. (The preceding is
not applicable if LC3 is used in a multi machine configuration.)
To benefit from the 14 characters, both 7 character parts should
contain a digit, symbol and punctuation.
It's clear with regards to the storage of passwords, NT is much
weaker than UNIX. The LANMAN password hash storage problem can
and should be rendered moot by tight security in other areas
which an administrator can control, by making access to the SAM
very difficult. Not allowing NT logins to cross any firewall
that separates the local network from the Internet would greatly
reduce the chance of any passwords that might be obtained from a
misplaced recovery floppy or remote exploit, from being
successfully used.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.