Pantek Library

RE: [despammed] Defeating password cracking

From: Levinson, Karl <LevinsonK(at)STARS-SMI.com>
Date: Wed Feb 19 2003 - 15:50:37 EST


Many of your tips do look like they could be effective.

If you haven't yet, I would want to test any new accounts and passwords that you create to confirm whether you can use them in Recovery Console mode or Directory Services Restore mode. My guess is if the character doesn't work in L0phtcrack or a SAM-cracking utility, they very well might not work in these modes... and that could leave you with an irreparable server when a server disaster strikes.

Also, in addition to the problem programs mentioned in the SecurityFocus article #10, services like IIS and possibly Exchange may have problems running if you use these special characters in the password or account name. I will admit to once somehow creating an Exchange 5.5 email account with a \ backslash in the account name and not being able to delete it from the Exchange server. Not such a big problem since you shouldn't be using this account for IIS or Exchange, but a potential problem if someone adds these characters to other user account names or passwords.

As you already mentioned, naturally these measures wouldn't prevent someone from undoing these changes that you've made by using a remote buffer overflow exploit or local privilege escalation or a trojan or cracked password from another administrator-equivalent account... or from using a boot disk and physical access to the computer to view the files on the hard drive.

Last, since you've pointed out these issues, it could be that the next rev of l0phtcrack might deal with some or all of these characters correctly. You'd think there would be a way for l0phtcrack to handle these characters correctly, since if the SAM process can create the hash correctly, lc should be able to as well.

-----Original Message-----
From: dave [mailto:dave@netmedic.net]
Sent: Tuesday, February 18, 2003 2:36 PM
To: focus-ms@securityfocus.com
Subject: [despammed] Defeating password cracking

Simple ways to defeat password recovery boot-disk and password crackers, on NT/2000 machines.

I was bored and trying different characters that L0phtCrack and other cracking programs could not detect. While doing so I discovered that by using these same characters in user names you could prevent the Boot-disk password changers from being able to change the Admin and other passwords.

[snip]

Received on Thu Feb 20 14:04:33 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT
