Vulnerability Development mailing list archives

RE: WinNT and previously used passwords


From: V <progman () netvision net il>
Date: Sat, 25 May 2002 10:35:16 +0200

This behavior is Password History and is defined by the admin in the
Password Policies panel on NT/2k machines, stating how many previous
passwords it should remember, whether to demand complexity, length, and
so on.

I'm not aware of any tools that extract these, and I have a feeling that
it is not possible. 
In any case, if I had to guess on their whereabouts it would be
\WINNT\SYSTEM32\CONFIG (where registry keys are stored, including the
current SAM).

It's an interesting issue, though.


Cheers,
  - V.


-----Original Message-----
From: KF [mailto:dotslash () snosoft com] 
Sent: Friday, May 24, 2002 8:52 AM
To: vuln-dev () security-focus com
Subject: WinNT and previously used passwords


Today I got a message when I logged in to my domain about my pass being
expired... so as expected I went ahead and typed in a new password. Next
thing I know NT (win2k really) is barking at me saying I can not use any
of my previous 10 passwords. Apparently the one I wanted to use today was
one I used a while ago.  I found it interesting that SOMEWHERE my last
10 passwords are archived in the SAM or registry maybe? So my question is
are there any tools similar to l0pht crack in which the last 10
passwords can be extracted from either the registry or the SAM file or
wherever they are hiding? If I remember correctly l0pht crack grabs
the CURRENT password and tries to crack the hash. I am not aware of it
going after the old passwords so forgive me if l0pht crack already does
this. I think being able to determine a person's last 10 passwords would
help in guessing what they may pick next... people tend to form
patterns.

-KF



