Cracking Windows passwords in 5 seconds (Cool concept, unless you, you know, use Windows)

SecurityFocus BUGTRAQ Mailing List ^ | July 22, 2003 | Philippe Oechslin

[Michael Barnes]

Later...

[Southack]

"There is no technology to make a short password secure."

So how many digits are in your ATM password?!

[Ramius]

Roger that. :-)

Be good. or if not... be untraceable.

Later,

[lelio]

Not really an ATM hack, but there was a case in NYC where the cashier would swipe your card on the store's credit card machine, and then again on their local card reader. When you entered your PIN on the keypad someone was watching to get the 4 digits.
I think the plan was to clone your card and then use it. I can't see how this system would fail as its my understanding that nothing's written to your card when you swipe it through a machine. If there was you could easily detect this as the 2nd card wouldn't know the 2nd bit turned from "AD" to "BC" or something similiar.

[general_re]

Duress is when a foreign agent is beating the crap out of your wife and baby daughter until you give him a password that accesses all of your information.

Except that while the "duress" password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue.

That's great if you're the CIA or some such. For the rest of us, having a SWAT team on 24-hour standby is not exactly a practical alternative - rather, the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door. That way, the bad guy doesn't bother kidnapping you because even if he has your password, the large men stationed near the front door will prevent him from sitting down at a terminal and typing away.

[Southack]

"I can't see how this system would fail..."

Well, there's always that pesky camera taking digital pictures of every ATM use/attempt!

[Southack]

"the name of the game is to prevent such attacks in the first place by controlling physical access in such a way that only authorized users get in the door."

So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!

Come on guys, there is more to security than tactical solutions. Architect your system such that vulnerable data is NOT on vulnerable machines. Mimic what already works out in the field.

Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.

Use the Net!

[Russian Sage]

So how many digits are in your ATM password?!

The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!

[lelio]

The same as in the last four digits of my social security number, which some banks use as a "password" for phone banking!

When I went to college your SSN was your student id number. Yikes! Some professors wised up to that and when posting test scores they would only do the last four digits of your SSN.
However that ignores that the first three digits are easily guessed as its based on the state you received your number in. Since it was a state school you could surmise that the person was one of 5 numbers. Then all you had to do was guess the two digit middle number.

[general_re]

So ATM's and POS terminals control the physical access to their boxes in such a way that only authorized users can be physically near them?!

You've never used an ATM machine in an atrium or other entryway, the kind where you had to slide your card in a slot to get the electronic lock to switch off before you could even get at the machine?

I wanna move wherever you are - it sounds like a much nicer and more innocent place than the rest of the world ;)

Anyone can gain physical access to an ATM or POS terminal, but that doesn't mean that the entire bank or even one account holder is compromised.

That's great, but unfortunately my computer has to have access to anyone's account that I so choose, rather than simply restricting me to one account - my own. Why? Because that's what I do all day. I have to be able to do things that ATM machines are designed to prevent people from doing, so telling me to make it like an ATM machine doesn't solve my problem. And that kind of power raises issues that the people who make ATM's don't have to worry about, like really controlling who has physical access to my machine.

[amarok]

bump

[RightOnline]

"they don't use any "salt" in the hash. So "xyzzy" will always hash to "wqrtw" whereas in the unix world you'll throw some other characters in the password before hashing it. That salt is included..."

More salt and hash here than in the greasy spoon up the street.

[Bush2000]

The next version of Mac OS X will have on-the-fly encryption/decryption of the user's home directory. With that system, mere physical access will not be sufficient for an unauthorized person to use your files.

The Mac's most secure feature is that nobody uses it.

[Alas Babylon!]

That's true, General. Good security is a fine balance between the users and and the system. If it's too hard, you'll spend all your time resetting passwords, and the users will wind up writing down the passwords, etc. Too lax, and anyone can get through it in a minute or so.

That's why I use the analogy of locking your car so it won't be stolen. Bottom line, a few simple steps can keep that from happening in most situations. A determined car thief, who really wants your car, can probably steal it despite any measures you take save sleeping in it with a shotgun. Same goes for network security.

[AppyPappy]

We have implemented an online demo of this method which cracks alphanumerical passwords in 5 seconds average

Except we only allow 3 bad passwords in a row. Sorry

[azhenfud]

"Except that while the 'duress' password will give said access to most or all of your critical data, it also signals your own team to come swooping in to the rescue."

Similar to the duress code programmed into some business and home alarms. It sends a silent alarm without requiring a response from the monitoring agent - the agent is to instantly dispatch assistance.

[=Intervention=]

Very kewl. My hat's off to Apple yet again. (With that said, I'm sure there's some lag time in doing so. I'd be interesting in seeing how this runs on a G4 500, for instance...)

[cspackler]

Get the picture?!

Physical access to a keypad on an ATM is completely different that physical access to a PC. Last I saw, there was no floppy drive on the outside of an ATM that I can stick a boot floppy into to run a password crack program. If you were to break in through the 3 inch thick steel door in the back of the ATM, you would have full access and be able to have some real fun. You can "secure your network" all you want, but if I can get access to a pc on your network with a floppy drive, I can post your 4 digit password on DEJA before "Luke" could pull the force outta his rear end.

Get the picture?

[adam_az]

The SID of the real admin account is always the same. It wouldn't throw off most crackers.