Where does Windows (XP) store its users' passwords?

Zolty

Diamond Member
Feb 7, 2005
3,603
0
0
Lots, you aren't going to break it.

Just reformat or view the drive with Knoppix.
 

BigToque

Lifer
Oct 10, 1999
11,700
0
76
Originally posted by: Zolty
Lots, you aren't going to break it.

Just reformat or view the drive with Knoppix.

I'm not trying to break anything, and my machine is running just fine. I'm just curious to know where the passwords are stored.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I think it's a file called something like _SAM. It'd be a hidden file, though. Check out the documentation for L0phtCrack; it should provide more information.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: kylebubp
I wouldn't bother...

YOU CAN'T BREAK IT!!11!!
Actually if the passwords are weak they can be broken surprisingly easily. Yet another reason strong passwords are a must.
 

Seeruk

Senior member
Nov 16, 2003
986
0
0
Originally posted by: spyordie007
Originally posted by: kylebubp
I wouldn't bother...

YOU CAN'T BREAK IT!!11!!
Actually if the passwords are weak they can be broken surprisingly easily. Yet another reason strong passwords are a must.

But you ain't breaking the encryption in that example... you are breaking the user's stupidity.
 

kylebubp

Member
Feb 8, 2006
45
0
0
Originally posted by: spyordie007
Originally posted by: kylebubp
I wouldn't bother...

YOU CAN'T BREAK IT!!11!!
Actually if the passwords are weak they can be broken surprisingly easily. Yet another reason strong passwords are a must.



Yeah, I know. I was being sarcastic. It takes about 1 minute to crack a simple password with L0phtCrack. That's why on Windows machines I typically just type a line out of a song or something with correct punctuation and spaces for my password. Have fun trying to crack a 25 character password with spaces. Hell, might even throw an ASCII character in as well, just for fun.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
I like to randomly generate them, here is a decent web-based generator for those who need one:
https://www.winguides.com/security/password.php

I suggest:
1. Randomize the local admin account's password (something long and complex)
2. Store the password offline in a physically secure location (i.e. a safe)
3. Disable the local admin account (it will still work if you need it for safe mode or the recovery console, this prevents it from getting used normally)
4. If it's a domain member use restricted groups from group policy to ensure compliance of the "Administrators" and "Power Users" groups
5. Take a 5 minute break and pat yourself on the back

-Erik
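An added example, not from the thread or from the linked site: a local generator for step 1 in Go, with the matching acceptance check an admin would run before accepting a password. The character classes, the symbol set and the 15-character floor are assumptions of this example; the floor follows the Microsoft guidance quoted later in the thread that a password of 15 or more characters leaves no usable LM hash behind.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Character classes the password is drawn from. The symbol set is an
// assumption of this example, limited to characters that are easy to type
// and rarely mangled by tools.
const (
	lowerSet  = "abcdefghijklmnopqrstuvwxyz"
	upperSet  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digitSet  = "0123456789"
	symbolSet = "!#$%&*+-=?@^_"
)

// MinLength is 15 because Microsoft documents that a password of 15 or more
// characters leaves no usable LM hash in the SAM; the generator refuses
// anything shorter.
const MinLength = 15

var classes = []string{lowerSet, upperSet, digitSet, symbolSet}

// randomIndex returns a uniform integer in [0, n) from the OS CSPRNG.
// rand.Int does rejection sampling internally, so there is no modulo bias
// of the kind a naive "random byte % n" would introduce.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // the OS random source failing is not recoverable here
	}
	return int(v.Int64())
}

// GeneratePassword returns a password of exactly length characters that
// contains at least one character from every class. One character is drawn
// from each class first, the rest from the union of all classes, and the
// result is shuffled so the class-guaranteed characters do not sit in
// predictable positions.
func GeneratePassword(length int) (string, error) {
	if length < MinLength {
		return "", fmt.Errorf("length %d is below the minimum of %d", length, MinLength)
	}
	all := strings.Join(classes, "")
	buf := make([]byte, 0, length)
	for _, c := range classes {
		buf = append(buf, c[randomIndex(len(c))])
	}
	for len(buf) < length {
		buf = append(buf, all[randomIndex(len(all))])
	}
	for i := len(buf) - 1; i > 0; i-- { // Fisher-Yates shuffle with the same CSPRNG
		j := randomIndex(i + 1)
		buf[i], buf[j] = buf[j], buf[i]
	}
	return string(buf), nil
}

// MeetsPolicy is the acceptance check: long enough and every class present.
func MeetsPolicy(pw string) bool {
	if len(pw) < MinLength {
		return false
	}
	for _, c := range classes {
		if !strings.ContainsAny(pw, c) {
			return false
		}
	}
	return true
}

func main() {
	pw, err := GeneratePassword(20)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("generated: %s  policy ok: %v\n", pw, MeetsPolicy(pw))
}
```

The point of drawing from each class first and then shuffling is that a policy check like MeetsPolicy never rejects the generator's own output, while the shuffle keeps the first four positions from always being lower, upper, digit, symbol in that order.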
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
Originally posted by: kylebubp
Originally posted by: spyordie007
Originally posted by: kylebubp
I wouldn't bother...

YOU CAN'T BREAK IT!!11!!
Actually if the passwords are weak they can be broken surprisingly easily. Yet another reason strong passwords are a must.



Yeah, I know. I was being sarcastic. It takes about 1 minute to crack a simple password with L0phtCrack. That's why on Windows machines I typically just type a line out of a song or something with correct punctuation and spaces for my password. Have fun trying to crack a 25 character password with spaces. Hell, might even throw an ASCII character in as well, just for fun.

I tend to just mash my keyboard a little, then change a few small letters for big ones, and I have my pass.
 

stardrek

Senior member
Jan 25, 2006
264
0
0
This is an article made by MS to reset a password on a system "in case you forgot your password": http://support.microsoft.com/?kbid=321305

Just thought you guys might find this interesting.

Using a BartPE live CD you can also reset a password on any Windows box, whether or not you have created a recovery disk. But MS doesn't want you to know.
 

mikeford

Diamond Member
Jan 27, 2001
5,671
160
106
From knowing ZERO it took me a couple days and a few hours of searching, now ANY NT/XP/2K based system is a total open book. Takes about 5 minutes of physical access to the PC and all of the passwords are bypassed, which means all the encrypted files (MS) are also visible.

Don't bother asking or PMing, if you are a site admin, forensic, etc. that needs to use this type of thing, you know about it already.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Have fun trying to crack a 25 character password with spaces.

Unless you've told the system not to generate legacy LANMAN hashes, you're still screwed.

Takes about 5 minutes of physical access to the PC and all of the passwords are bypassed, which means all the encrypted files (MS) are also visible.

Not true, if you forcibly reset the password the encrypted files will remain encrypted and you'll have just lost the key to decrypt them.
 

ShadowBlade

Diamond Member
Feb 11, 2005
4,263
0
0
Google L0phtCrack or LC5.
It takes about 5 days to decode all Windows passwords unless you buy the precomputed hash table discs.

EDIT: that was on my old Dell 2.4GHz Celeron.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Originally posted by: Nothinman
Unless you've told the system not to generate legacy LANMAN hashes, you're still screwed.
Microsoft Support: How to prevent Windows from storing a LAN Manager Hash...

"Method 3: Use a Password That Is at Least 15 Characters Long
The simplest way to prevent Windows from storing an LM hash of your password is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
"Method 3: Use a Password That Is at Least 15 Characters Long
The simplest way to prevent Windows from storing an LM hash of your password is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."

If that's true, why do they store anything at all?
 

rmrf

Platinum Member
May 14, 2003
2,872
0
0
Originally posted by: Nothinman
"Method 3: Use a Password That Is at Least 15 Characters Long
The simplest way to prevent Windows from storing an LM hash of your password is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."

If that's true, why do they store anything at all?

ditto.
 

Jeff7

Lifer
Jan 4, 2001
41,599
19
81
Originally posted by: spyordie007
I like to randomly generate them, here is a decent web-based generator for those who need one:
https://www.winguides.com/security/password.php

I suggest:
1. Randomize the local admin account's password (something long and complex)
2. Store the password offline in a physically secure location (i.e. a safe)
3. Disable the local admin account (it will still work if you need it for safe mode or the recovery console, this prevents it from getting used normally)
4. If it's a domain member use restricted groups from group policy to ensure compliance of the "Administrators" and "Power Users" groups
5. Take a 5 minute break and pat yourself on the back

-Erik


Or for Firefox, there's the handy SecurePassword Generator.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: Nothinman
"Method 3: Use a Password That Is at Least 15 Characters Long
The simplest way to prevent Windows from storing an LM hash of your password is to use a password that is at least 15 characters long. In this case, Windows stores an LM hash value that cannot be used to authenticate the user."

If that's true, why do they store anything at all?
I'm assuming because the LM hash is provided for backwards compatibility, and since Win 95/98 doesn't support more than 14 characters for a password on an NT system, there would be no reason to try and create an LM hash if your password was longer (because you wouldn't be able to connect anyway).
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Here's how the LAN Manager "Hash" works, and why it's so easy to defeat if you have access to the files.

"The LMHash, also known as the Lan Manager hash, is technically speaking not a hash at all. It is computed as follows:

1. Convert all lower case characters in the password to upper case
2. Pad the password with NULL characters until it is exactly 14 characters long
3. Split the password into two 7 character chunks
4. Use each chunk separately as a DES key to encrypt a specific string
5. Concatenate the two cipher texts into a 128-bit string and store the result

As a result of the algorithm used to generate the LMHash, the hash is very easy to crack. First, even a password longer than 8 characters can be attacked in two discrete chunks. Second, the entire lower-case character set can be ignored. This means that most password cracking tools will start by cracking the LMHashes and then simply vary the alpha characters in the cracked password to generate the case-sensitive passwords."
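The five steps above, the "Method 3" quote about 15-character passwords, and Nothinman's point about legacy LANMAN hashes all come down to the same construction, so here it is in runnable form. This is an added example, not code from the thread or from Microsoft; it is written in Go because crypto/des is in Go's standard library. It assumes an ASCII password (real LM used the OEM code page for anything else) and treats the 8-byte constant KGS!@#$% and the null hash AAD3B435B51404EEAAD3B435B51404EE as the well-known fixed values they are.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// NullLMHash is the LM hash of the empty password: both 7-byte halves are
// all NULs, so both halves encrypt the constant to the same 8 bytes.
const NullLMHash = "AAD3B435B51404EEAAD3B435B51404EE"

// lmMagic is the fixed plaintext that each half of the password, used as a
// DES key, encrypts (step 4 above).
var lmMagic = []byte("KGS!@#$%")

// expandDESKey spreads 7 password bytes (56 bits) across 8 bytes, leaving
// the low bit of every byte for DES parity. DES drops the parity bits in its
// key schedule, so they are simply left as zero here.
func expandDESKey(k [7]byte) []byte {
	out := []byte{
		k[0] >> 1,
		(k[0]&0x01)<<6 | k[1]>>2,
		(k[1]&0x03)<<5 | k[2]>>3,
		(k[2]&0x07)<<4 | k[3]>>4,
		(k[3]&0x0F)<<3 | k[4]>>5,
		(k[4]&0x1F)<<2 | k[5]>>6,
		(k[5]&0x3F)<<1 | k[6]>>7,
		k[6] & 0x7F,
	}
	for i := range out {
		out[i] <<= 1 // move the 7 key bits up; the parity bit (LSB) stays 0
	}
	return out
}

// LMHash runs the five quoted steps on an ASCII password (assumption of this
// example). Anything past 14 characters is dropped, exactly as the algorithm
// does, which is why it must never be fed a long password directly.
func LMHash(password string) string {
	upper := []byte(strings.ToUpper(password)) // step 1: upper-case only
	var padded [14]byte                        // step 2: NUL padding (and truncation)
	copy(padded[:], upper)
	out := make([]byte, 0, 16)
	for i := 0; i < 14; i += 7 { // step 3: two independent 7-byte chunks
		var k [7]byte
		copy(k[:], padded[i:i+7])
		block, err := des.NewCipher(expandDESKey(k)) // step 4: chunk is the DES key
		if err != nil {
			panic(err) // only possible with a wrong key length, which cannot happen here
		}
		ct := make([]byte, 8)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...) // step 5: concatenate both ciphertexts
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// StoredLMHash models what an XP-era SAM records: the real LM hash for a
// password of up to 14 characters, and the null hash for anything longer.
// That stored-but-unusable value is what "Method 3" refers to.
func StoredLMHash(password string) string {
	if len(password) > 14 {
		return NullLMHash
	}
	return LMHash(password)
}

// SecondHalfIsNull reports whether the second 8-byte half is the null half,
// which reveals on sight that the password has 7 characters or fewer (or
// that no usable LM hash is stored at all).
func SecondHalfIsNull(lmhash string) bool {
	return len(lmhash) == 32 && lmhash[16:] == NullLMHash[16:]
}

func main() {
	for _, pw := range []string{"", "password", "PaSsWoRd", "abc", "a line out of a song"} {
		h := StoredLMHash(pw)
		fmt.Printf("%-24q stored LM %s  second half null: %v\n", pw, h, SecondHalfIsNull(h))
	}
}
```

Running it shows the two weaknesses the quote describes and the mitigation in the same table: "password" and "PaSsWoRd" hash identically, the second half of "password" matches that of any 8-character password ending in D, a 3-character password carries the null second half in plain view, and the 20-character passphrase is stored as nothing more than the null hash. The stored value for a long password is therefore no loss of security, and the same null value is what a system configured not to generate LM hashes stores for every account.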
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I'm assuming because the LM hash is provided for backwards compatibility, and since Win 95/98 doesn't support more than 14 characters for a password on an NT system, there would be no reason to try and create an LM hash if your password was longer (because you wouldn't be able to connect anyway).

I know, but you said "Windows stores an LM hash value that cannot be used to authenticate the user.", not Windows doesn't store a LM hash.
 