Windows passwords can be cracked in seconds


Swiss researchers earlier this week have shown how to crack Windows alphanumeric passwords in about 13.6 seconds. The method uses massive precomputed lookup tables: the hashes of candidate passwords are computed once, in advance, so that recovering a user's password becomes a matter of matching the stored hash against the table rather than guessing password after password.

What the Swiss paper demonstrates is a weakness in Microsoft's password hashing scheme: the stored hashes are not salted, so a given password produces exactly the same hash on every machine, and a table computed once can be reused against every user and every system. As Philippe Oechslin, a senior researcher at the Swiss Federal Institute of Technology in Lausanne, wrote in an email to CNET News.com: "Windows passwords are not very good. The problem with Windows passwords is that they do not include any random information."
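To make the "random information" point concrete, here is an added example in Python, written for this page; it is not the Swiss team's code and it does not implement Windows' actual hash algorithm. Truncated SHA-256 stands in for the unsalted scheme, the password space is kept tiny, and the chain lengths and counts are illustrative choices. The construction is the time-memory trade-off behind such lookup tables (the column-dependent reduction step is the rainbow-table construction Oechslin published): the attacker does the expensive work once, offline, and afterwards recovers any covered password from its hash in a fraction of a second. The same stored table is useless the moment a per-user salt enters the hash, because every chain in it was computed without that salt.

```python
"""Rainbow-table demo: why an unsalted hash is a precomputation target.

Constructed for this page; not the Swiss team's code and not Windows'
real hash. Truncated SHA-256 stands in for the unsalted scheme, and the
password space is tiny (3 lowercase alphanumerics) so it runs in a second.
"""
import hashlib
from typing import Dict, List, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH      # 46,656 candidate passwords
CHAIN_LEN = 200                      # t: hash evaluations per chain
NUM_CHAINS = 400                     # m: chains kept; table covers ~m*t passwords


def unsalted_hash(password: str) -> bytes:
    """Deterministic: the same password hashes identically on every machine."""
    return hashlib.sha256(password.encode()).digest()[:8]


def salted_hash(password: str, salt: bytes) -> bytes:
    """Same primitive, but per-user random data is mixed in."""
    return hashlib.sha256(salt + password.encode()).digest()[:8]


def index_to_password(n: int) -> str:
    """Bijection from 0..SPACE-1 onto the password space."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Reduction function R_i: maps a digest back into the password space.
    Including the column index is what makes this a rainbow table: chains
    that collide in different columns do not merge."""
    return index_to_password((int.from_bytes(digest, "big") + column) % SPACE)


def build_table() -> Dict[str, List[str]]:
    """Precompute NUM_CHAINS chains of length CHAIN_LEN; store endpoint -> starts.
    This is the work the attacker does once, offline, before seeing any hash."""
    table: Dict[str, List[str]] = {}
    for i in range(NUM_CHAINS):
        start = index_to_password((i * 7919) % SPACE)   # deterministic, distinct
        p = start
        for col in range(CHAIN_LEN):
            p = reduce_to_password(unsalted_hash(p), col)
        table.setdefault(p, []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Recover the password behind an unsalted digest if any chain covers it."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash in column j of some chain; walk to the end.
        p = reduce_to_password(target, j)
        for col in range(j + 1, CHAIN_LEN):
            p = reduce_to_password(unsalted_hash(p), col)
        for start in table.get(p, []):
            # Rebuild the candidate chain and verify; false alarms are normal.
            q = start
            for col in range(CHAIN_LEN):
                if unsalted_hash(q) == target:
                    return q
                q = reduce_to_password(unsalted_hash(q), col)
    return None


def coverage(table: Dict[str, List[str]], sample: int = 50) -> float:
    """Fraction of the first `sample` passwords the table recovers."""
    hits = sum(lookup(table, unsalted_hash(index_to_password(n))) is not None
               for n in range(sample))
    return hits / sample


if __name__ == "__main__":
    table = build_table()
    print("stored endpoints:", len(table), "of", SPACE, "passwords")
    print("recovered 'aaa':", lookup(table, unsalted_hash("aaa")))
    # The identical table is useless once a salt enters the hash: every chain
    # was computed over unsalted_hash, so the salted digest matches nothing.
    print("salted lookup  :", lookup(table, salted_hash("aaa", b"\x9f\x03")))
    print("coverage       :", coverage(table))
```

The table stores only chain endpoints, which is where the memory saving comes from; a lookup costs about t²/2 hash evaluations instead of one per candidate, which is the time side of the trade-off. Scaling the alphabet, chain length and chain count up is what turns this toy into the tables that cover the full alphanumeric space; a salt of even a few random bytes multiplies the space that would have to be precomputed by the number of possible salts, and the chains become worthless because no table can be built before the salt is known.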

Once again we find ourselves confronted with evidence of shoddy workmanship on the part of Microsoft. This is the sort of thing that causes people to be up in arms about the Redmond über-corporation. Given the huge amount of capital and resources that Microsoft has at its disposal, why can't it get even simple things, such as password hashing, right? Why are so many of the bits and pieces out of which the Windows OS is constructed mere garbage? Compare Windows with Linux, for example. Linux is largely a home-brewed system, created by thousands of volunteers. It is, as all but the most fervent advocates of the platform will readily acknowledge, a bit rough around the edges. It lacks the integration of Windows and some of its ease of use. It doesn't sport applications quite as powerful as Microsoft Office. Yet it still appears to be better written and better engineered than Windows. How can we explain this? Why can't Microsoft, with all its billions of dollars in R&D, develop a better operating system than the free software community?

Part of the reason may be hubris. How did Microsoft respond to this report of a security vulnerability in its password protection system? It responded by denying that a vulnerability exists. Those "security technologies in Windows XP Service Pack 2 are meant to help make it more difficult for an attacker to run malicious software on the computer as the result of a buffer-overrun vulnerability," Microsoft representatives said in the statement. "Our early analysis indicates that this attempt to bypass these features is not a security vulnerability."

According to Microsoft, "An attacker cannot use this method [of accessing Windows passwords] by itself to attempt to run malicious code on a user's system. There is no attack that utilizes this, and customers are not at risk from the situation." In other words, no one has exploited this weakness yet, so it's not a problem. Does everyone now understand why Windows is not a secure system? With this sort of attitude towards security issues, it is no wonder companies have lost billions of dollars to attacks on the Windows operating system.

Posted: Fri - January 28, 2005 at 08:40 PM