• Welcome to Valhalla Legends Archive.
 

Locked out of XP User account

Started by Fr0z3N, November 09, 2004, 09:30 PM


iago

At work we decided to test it out.  The boot disk failed miserably, but the cracker "L0phtCrack" took 4 hours to find every password on my computer (5 of them).  That's a full bruteforce with up to 14 characters, letters+numbers.  With symbols, it's closer to 20 days.
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Skywing

Use a 15 character password or disable LM password hash storage.

iago

We don't have control over the computers.  We aren't supposed to have Administrator accounts, only network ones. 

The problem with using a strong password is their limitations.  You can't repeat the same character more than twice, so if I try like, "IPC's where I works" or something like that, it's illegal because I have more than 2 spaces.  It makes it difficult to have a strong passphrase, so I settle for a 6 character one that I don't care much about.  The worst anybody will do to my computer is put an annoying script in my startup folder :)


Skywing

Quote from: iago on November 17, 2004, 02:04 PM
We don't have control over the computers.  We aren't supposed to have Administrator accounts, only network ones. 

The problem with using a strong password is their limitations.  You can't repeat the same character more than twice, so if I try like, "IPC's where I works" or something like that, it's illegal because I have more than 2 spaces.  It makes it difficult to have a strong passphrase, so I settle for a 6 character one that I don't care much about.  The worst anybody will do to my computer is put an annoying script in my startup folder :)
That sounds like an incredibly stupid rule (no repeated characters)...

iago

I agree.  It is good so people don't do aaaaaaaaaa, but it's bad because it blocks out my favourite passwords.

Hmm, I actually work for the department that would control that policy.  Perhaps I should bring it up.


Skywing

Quote from: iago on November 17, 2004, 03:43 PM
I agree.  It is good so people don't do aaaaaaaaaa, but it's bad because it blocks out my favourite passwords.

Hmm, I actually work for the department that would control that policy.  Perhaps I should bring it up.
It also helps an attacker bruteforce a password quite a bit if they are aware of such a policy (besides making it difficult to actually pick a good password).
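
Why the "15 characters or disable LM hash storage" advice earlier in the thread works, as an added sketch that is not code from any poster: LM uppercases the password, pads it to 14 characters and hashes the two 7-character halves separately, so an exhaustive search only ever faces a 7-character space. It models the preprocessing only (no DES step); the 36- and 62-symbol alphabets are assumptions based on the "letters+numbers" description.

```python
import string

LM_MAX = 14   # LM only covers passwords of up to 14 characters
HALF = 7      # each 7-character half is hashed on its own

# Assumption: "letters+numbers" as in the thread. LM uppercases first,
# so a-z and A-Z collapse into the same 26 symbols.
ALNUM_AFTER_LM = string.ascii_uppercase + string.digits   # 36 symbols


def lm_halves(password):
    """Return the two 7-char blocks LM would hash, or None when the
    password is 15+ characters and no usable LM hash is stored."""
    if len(password) > LM_MAX:
        return None
    padded = password.upper().ljust(LM_MAX, "\0")
    return padded[:HALF], padded[HALF:]


def exhaustive_space(symbols, max_len):
    """Count candidate strings of length 0..max_len over `symbols` symbols."""
    return sum(symbols ** n for n in range(max_len + 1))


def lm_search_space(symbols=len(ALNUM_AFTER_LM)):
    """Worst case for an LM hash: one pass over the 7-character space,
    because every candidate can be compared against both halves."""
    return exhaustive_space(symbols, HALF)


def single_hash_search_space(symbols=62, max_len=LM_MAX):
    """Same lengths hashed as one case-sensitive unit
    (62 = a-z, A-Z, 0-9; an assumption for comparison)."""
    return exhaustive_space(symbols, max_len)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ("abc", "Winter2004", "a" * 15):
        print(repr(pw), "->", lm_halves(pw))
    lm = lm_search_space()
    whole = single_hash_search_space()
    print("LM worst case:          ", lm)
    print("14 chars as one unit:   ", whole)
    print("factor lost to LM split:", whole // lm)
```
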