
L0phtCrack's back! Crack hack app whacks Windows 10 trash hashes

Get ready to crack passwords up to 500 times faster

By Darren Pauli, 1 Sep 2016

Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven.

The password cracker was first released 19 years ago, gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time.

No new versions have been released since version six in March 2009, launched at the Source Boston conference.

The latest iteration sports a revamped cracking engine designed to exploit modern multi-core CPUs and GPUs, blitzing the previous version's cracking time on four-core CPUs by at least a factor of five.

However, users with expensive GPUs such as the AMD Radeon Pro Duo could see it work a whopping 500 times faster than the previous version.

The increase in speed was not matched by Microsoft, which still relies on NTLM password hashing.

So outgunned is Microsoft that password cracking is easier now than it was nearly two decades ago when L0phtCrack first landed, according to founding former L0phtCrack team members Christien Rioux, Chris Wysopal, and Peiter Mudge Zatko, who run L0pht Holdings.

"[L0phtCrack's] password cracking capability forced Microsoft to make improvements to the way Windows stored password hashes," L0pht Holdings says.

"Microsoft eventually deprecated the weak LANMAN password hash and switched to the stronger NTLM password hash it still uses today … yet hardware and password cracking algorithms have improved greatly in the intervening years.

"The new release of L0phtCrack 7 demonstrates that current Windows passwords are easier to crack today than they were 18 years ago when Microsoft started making much needed password strength improvements."

A 1998 Pentium II 400 MHz computer running version one of L0phtCrack would take a day to crack an eight-character alphanumeric Windows NT password. Today L0phtCrack 7 could do the job on a gaming machine much more quickly, busting a Windows 10 password in about two hours.

"Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT," the hacker outfit says.

"Other OSes, such as Linux, offer much more secure password hashing, including the NSA recommended SHA-512."

The group point to a study which found shoddy domain user passwords were the way in for most penetration testers, most of the time.

To that end, L0phtCrack 7 is pitched as a means for admins and testers to audit Windows domain passwords and find weak ones in a few hours.

The revamped app also sports a shiny GUI and auditing wizard, plus scheduling and reporting. It works with all versions of Windows, supports new types of UNIX password hashes, and will work with other password importers and crackers using a plug-in feature.

There is not yet a consensus on password selection best practice.

Microsoft and Google boffins reckon passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters, which are difficult for users to recall.

Britain's GCHQ spy agency reckons admins ought to stop punishing users with regular password resets, which studies show leads to weaker combinations being set over time.

Password strength meters are junk, Compound Eye developer Mark Stockley said, since they do not help against predictable and cliché logins that can be easily guessed.

Last month Docker's security lead Diogo Mónica (@diogomonica) rubbished the popular password choice and complexity debate, saying password managers should be used to generate and set unique jumbled credentials for all sites. ®
