Orange County, CA – I just read about a new product announcement, New version of L0phtCrack makes cracking Windows passwords easier than ever. At Alvaka we used to do a hacking demo during a lunch and learn. Rex Frank would usually run the demo by performing a SQL injection attack and bumping out to the command prompt. From there he would download the SAM (Security Access Manager) file and then use L0phtCrack to decode a password right in front of the eyes of everyone. Nearly everyone was shocked beyond compare. Of course that approach is now a bit dated, but it showed our guests just how vulnerable unpatched and inadequately secured systems can be. Going from the start of the demo to the revelation of an account password would take only five or ten minutes, even while answering questions. The L0phtCrack decoding of one of the more simple and vulnerable passwords would take just a handful of seconds. More difficult and sophisticated passwords would take longer.
On August 16, 2016 I wrote a blog about how important it really is to have both good length and good complexity. Doing so could make the cracking of a password take years. That blog is here: Is password length more important than complexity? A guideline for password creation policy.
Cracking weak passwords can happen in less than five seconds. This underscores the need to enforce good password policies.
The bottom line is that having a good and secure password that matches my recommendations in the August password blog is more important than ever. L0phtCrack, in their announcement, says:
“On a circa-1998 computer with a Pentium II 400 MHz CPU, the original L0phtCrack could crack a Windows NT, 8-character-long alphanumeric password in 24 hours. On a 2016 gaming machine, at less hardware cost, L0phtCrack 7 can crack the same passwords stored on the latest Windows 10 in 2 hours.”
Following good password creation rules can still make it effectively impractical for a hacker to get your password, but making that happen just got harder. Make sure you are diligent in setting your company-wide password policy rules.
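To put numbers on that policy advice, here is an added example (my own back-of-the-envelope calculation, not code from Alvaka or L0phtCrack) that calibrates a guess rate to the quoted figure and estimates worst-case exhaustive-search time for several length-and-complexity policies. It assumes the quoted "2 hours" means the entire 62^8 alphanumeric keyspace was searched, and it uses the 32 printable ASCII punctuation characters as the "symbol" class.

```python
import string

# Constructed charset model: printable ASCII split into the classes a typical
# Windows password-complexity rule talks about.
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),  # 26
    "upper": len(string.ascii_uppercase),  # 26
    "digit": len(string.digits),           # 10
    "symbol": len(string.punctuation),     # 32
}
ALPHANUMERIC = ("lower", "upper", "digit")
ALL_CLASSES = tuple(CHARSET_SIZES)


def keyspace(length, classes):
    """Candidates an exhaustive search must try: alphabet size ** length."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


# Calibration to the quoted figure: an 8-character alphanumeric password on
# Windows 10 in 2 hours. Assumption: the whole 62^8 keyspace was searched.
QUOTED_SECONDS = 2 * 60 * 60
GUESSES_PER_SECOND = keyspace(8, ALPHANUMERIC) / QUOTED_SECONDS


def crack_seconds(length, classes, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the calibrated rate."""
    return keyspace(length, classes) / rate


def crack_years(length, classes, rate=GUESSES_PER_SECOND):
    return crack_seconds(length, classes, rate) / (365.25 * 24 * 3600)


def compare_policies():
    """Worst-case years for a few policies, to weigh length against complexity."""
    policies = {
        "8 alphanumeric (quoted)": (8, ALPHANUMERIC),
        "8 all classes": (8, ALL_CLASSES),
        "12 lowercase only": (12, ("lower",)),
        "12 all classes": (12, ALL_CLASSES),
        "16 all classes": (16, ALL_CLASSES),
    }
    return {name: crack_years(n, cls) for name, (n, cls) in policies.items()}


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:24s} {years:12.4g} years")
```

These are exhaustive-search ceilings: a dictionary or rule-based attack finds a weak password far faster regardless of its length, which is the five-second case mentioned above, so the policy needs both length and unpredictability.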