Vulnerability Development mailing list archives

Re: WinNT and previously used passwords


From: "Kit" <securityfocus () smallfoxx com>
Date: Fri, 24 May 2002 19:28:35 -0500

It's been a while since I've looked at this, but if I remember correctly,
the password history is stored in the SAM with the account as NTLM hashes
(this of course all changes with Active Directory).  As such, if you're
going to go through the hashes to get the history, might as well just break
the current one rather than the history.

However, if you're asking if the passwords are stored in plain text or
reversible encryption, no.  The authentication system (the NT server) never
actually knows the password itself and therefore never stores it.  Rather,
the password is always transmitted in some hashed form of the NTLM hash of
the password itself.

This is where l0pht comes in.  It just brute forces the hash until it can
duplicate it.  Theoretically, when you crack the hash, you may not be using
the exact same password, but rather a statistical anomaly which just happens
to produce the same hash.

-K

----- Original Message -----
From: "KF" <dotslash () snosoft com>
To: <vuln-dev () security-focus com>
Sent: Friday, May 24, 2002 1:51 AM
Subject: WinNT and previously used passwords


Today I got a message when I logged in to my domain about my pass being
expired... so as expected I went ahead and typed in a new password. Next
thing I know NT (win2k really) is barking at me saying I can not use any
of my previous 10 passwords. Apparently the one I wanted to use today was
one I used a while ago.  I found it interesting that SOMEWHERE my last
10 passwords are archived in the SAM or registry maybe? So my question is
are there any tools similar to l0pht crack in which the last 10
passwords can be extracted from either the registry or the SAM file or
wherever they are hiding? If I remember correctly l0pht crack grabs
the CURRENT password and tries to crack the hash. I am not aware of it
going after the old passwords so forgive me if l0pht crack already does
this. I think being able to determine a person's last 10 passwords would
help in guessing what they may pick next... people tend to form patterns.

-KF
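
The mechanism discussed in this thread, as an added example that is not part of either post: a "last 10 passwords" rule can be enforced by comparing unsalted one-way hashes, with no plaintext stored. The `Account` class is hypothetical, the passwords are constructed samples, and SHA-256 stands in for the NT hash (MD4 over the UTF-16LE password).

```python
import hashlib
import hmac
from collections import deque

HISTORY_LENGTH = 10  # the "previous 10 passwords" from the thread


def one_way_hash(password: str) -> bytes:
    # Stand-in for the NT hash (MD4 over the UTF-16LE password); SHA-256 is
    # used here only because MD4 is missing from many hashlib builds.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class Account:
    """Hypothetical account record: current hash plus a bounded hash history."""

    def __init__(self, initial_password: str):
        self.current = one_way_hash(initial_password)
        self.history = deque(maxlen=HISTORY_LENGTH)  # oldest entries fall off

    def change_password(self, new_password: str) -> bool:
        candidate = one_way_hash(new_password)
        # Reuse is detected by comparing hashes; no plaintext is kept.
        for old in (self.current, *self.history):
            if hmac.compare_digest(candidate, old):
                return False
        self.history.append(self.current)
        self.current = candidate
        return True


def demo() -> list:
    acct = Account("Spring2002!")  # constructed sample passwords
    results = [
        acct.change_password("Summer2002!"),  # new password: accepted
        acct.change_password("Spring2002!"),  # hash is in history: rejected
        acct.change_password("Summer2002!"),  # same as current: rejected
    ]
    # After 10 more changes the oldest hash has rotated out of the history.
    for i in range(HISTORY_LENGTH):
        acct.change_password(f"Filler-{i}")
    results.append(acct.change_password("Spring2002!"))  # accepted again
    return results


if __name__ == "__main__":
    print(demo())
```

Because the comparison works on unsalted hashes, each history entry needs the same protection as the current hash.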





