Vulnerability Development mailing list archives
RE: WinNT and previously used passwords
From: "Jesper M. Johansson" <jesper_m_johansson () hotmail com>
Date: Fri, 24 May 2002 21:13:47 -0700
Today I got a message when I logged in to my domain about my pass being expired... so as expected I went ahead and typed in a new password. Next thing I know NT (win2k really) is barking at me saying I can not use any of my previous 10 passwords.
You, or whoever the administrator is, must have told it to remember the last 10 passwords. This is a security feature, actually.
So my question is are there any tools similar to l0pht crack in which the last 10 passwords can be extracted from either the registry or the SAM file or wherever they are hiding?
First of all, it is not storing the password. It is storing a hash (two hashes actually, unless you use the NoLMHash switch). Second, I don't think there are any such utilities. Generally speaking, I would be more interested in cracking your current password than 10 of your old ones, considering that the current one has a better chance of still being valid by the time I crack it. Presumably, if your new password is based on your old one, I would probably be able to crack the new one just as easily as the old one, and it allows me to do so using 1/11th the amount of work, assuming you are storing 10 passwords. Now, this might be interesting to do if your objective, as a white-hat administrator, is to catch people who reuse passwords. However, my experience is that most people would get more mileage out of teaching people to use good current passwords instead of cracking old ones. Better yet, implement smart card logon and get rid of passwords altogether.