Time waits for no man, and neither does L0phtCrack. Nearly 20 years after the first version of the password auditing and cracking tool was released, L0phtCrack 7, released Tuesday, shows that Windows passwords are even easier to crack now than they were in 1997.
L0phtCrack was the first password auditing tool released for Windows and its availability had a concrete effect on the way that Microsoft handled passwords. After its released, Microsoft abandoned the hash algorithm it had been using, known as LANMAN, and changed to NTLM instead. When L0phtCrack hit the streets in 1997, it could crack an eight-character Windows password in about 24 hours on a typical commodity PC available at the time.
Hardware advances and improvements in the cracking engine have made a huge dent in the time needed to recover that same eight-character alphanumeric password now.
“On a 2016 gaming machine, at less hardware cost, L0phtCrack 7 can crack the same passwords stored on the latest Windows 10 in 2 hours. Windows passwords have become much less secure over time and are now much more easily cracked than in the era of Windows NT. Other OSes, such as Linux, offer much more secure password hashing, including the NSA recommended SHA-512,” the L0pht said in a post announcing the new release of L0phtCrack 7.
Windows passwords have become much less secure over time.
The password hashing algorithm that Microsoft uses, MD4, is more than 25 years old and is considered insecure. Collisions of MD4 hashes have been demonstrated many times over the years, and was formally retired by the IETF five years ago. Chris Wysopal, one of the founding members of the L0pht hacking collective and CTO of Veracode, said Microsoft should change the hashes it uses in Windows and offer multiple options.
“Microsoft should do what Unix has done and offered multiple stronger hashing algorithms such as bcrypt. That alone would make Windows passwords 3 million times harder to crack than the MD4 algorithm they use,” Wysopal said.
“Microsoft could also make shorter passwords invalid. I would recommend 15 character passwords as a minimum if they want to stay with the MD4 algorithm. But I don’t expect this to change. They want administrators to set their own password policies. Many administrators think 8 characters requiring upper and lower case with numerics and a symbol is safe. L0phtCrack can easily demonstrate that is not true.”
Password cracking is done for both offensive and defensive purposes. Administrators can use tools such as L0phtCrack to audit the passwords that their users create, checking their strength and complexity. Attackers, meanwhile, often collect dumps of hashed passwords from data breaches and other compromises and crack them, knowing that people often reuse passwords on multiple sites. With the power of modern processors and tools such as L0phtCrack, password strength is perhaps more important than ever.
But the overall picture hasn’t changed much since 1997.