John Pozadzides: How I’d Hack Your Weak Passwords

Posted by Kendall Harmon

Note: This isn't intended as a guide to hacking *other people's* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security.

Read it carefully

Filed under: * Culture-WatchBlogging & the InternetScience & Technology

Posted March 31, 2010 at 10:01 am [Printer Friendly] [Print w/ comments]

1. Truly Robert wrote:

For Windows XP (possibly Vista and 7, I don’t know), there is a commercial service that will crack your computer’s administrative login password, if you have one. Yes, it is legitimate, and I’ve used the service. Some folks forget their admin password because they usually login with a personal username. More commonly, the admin is set up by an employee or contractor who has since left without revealing the password. Thus, cracking an admin password is an essential business service.

To use the service, you download the CD image of a special operating system, then burn it to bootable CD. Then you boot to the CD. Since you are not running Windows, all Windows files can be read. The CD eads the registry, and find the list of all users (including admin) and their encrypted passwords. Then it displays this info on the screen. You write it down, and E-mail it to the cracking company. They decrypt the password(s). The answer comes back in 3 days free, or sooner if you are willing to pay about $20.

This relies on the fact that most passwords are not very secure, and something about the encryption method is already known.

For those of you who did not know this: Anyone with a bootable CD or USB with Linux can read the Windows files on your hard drive, without knowing a password, unless the individual files are encrypted.

March 31, 11:33 am | [comment link]
2. Ad Orientem wrote:

Hmmm   very sobering.  Thanks for posting.  I have generally used three or four different passwords ranging from simple and low security for things I really am not overly worried about but which may require a password (like my T-19 account) to more moderate security for things I do care about like email… to heavy such as my computer log in and banking.  In the latter case I have used at least seven random characters and numbers with some capitalized.  That seems to rank fairly well on his chart.  But after reading this and giving it some thought I think I am going to upgrade all my passwords.

March 31, 2:17 pm | [comment link]
3. Uh Clint wrote:

This is INCREDIBLY important!!!  Several years ago I realized that I had a total of about 2-3 passwords spread over perhaps 40-50 websites and accounts, which meant getting one of them allowed access to all of them.  I decided to get serious about security, and created a pattern of numbers and letters which is clear when you have the key, but impossible to break from outside - like a “one time cipher”, where a certain word, letter or number is used in the encoding.  The only problem was this meant that I suddenly had *many* passwords to remember, so I got Roboform (which the author recommends) to keep track of everything automatically.

I still have two or three “throwaway” passwords I use for sites I’ll probably only be visiting once; since they can’t be used to access any secure information (no credit card or bank account info is on those sites) and, if guessed, they’re a dead end, I figure I’m pretty well covered against hacking.  Perhaps not 100% - but enough to feel very comfortable.

March 31, 5:22 pm | [comment link]
4. Terry Tee wrote:

This article has made me think again about two incidents, one of which I thought was credit card cloning.  In the latter, my business card was suddenly charged up to the limit (which is quite low) as I discovered when I attempted to use it.  In the former, a jeweller in Miami e-mailed me from within the eBay system to say that he had an order from my account to send an expensive watch to, uhh, Lagos and was it a genuine order?  Needless to say it was not and I got eBay to shut down my account.  The credit card was similarly shut down and replaced at no loss to myself.  But reading the above made me wonder whether some at least of the sites I used had been hacked.

March 31, 9:17 pm | [comment link]
5. John A. wrote:

All my important passwords are unique.  I use KeePass inside a TrueCrypt container.  All of my personal and work files are in a TrueCrypt container because I use a laptop.  The KeePass file has it’s own additional password.

March 31, 11:20 pm | [comment link]
6. John C. B. wrote:

@Truly Robert,
You can also get an alternative bootable-CD like you mentioned that will do the cracking for you without the need to send it to a third party. You can also use them to overwrite the encrypted password stored on the machine with a new one. That is even easier than cracking an existing one. All this requires physical access to the machine however. One point of the article that gave me pause is that if you are using the same password for many things, it is only as good as the weakest link.

April 1, 1:36 am | [comment link]
Registered members must log in to comment.

Next entry (above): South Carolina Convention Resolutions Pass; Incursions Addressed

Previous entry (below): Georgetown Times—All Saints church groups reach an agreement, begin healing

Return to blog homepage

Return to Mobile view (headlines)