Re: Password too similar?
by Kid Stevens <kstevens89(at)comcast.net>
|
| Date: |
Thu, 08 Aug 2002 10:52:31 -0600 |
| To: |
hwg-techniques(at)hwg.org |
| References: |
tharapita |
| |
todo: View
Thread,
Original
|
|
The reason windows is so easily hacked at the password level is the
hash scheme doesn't randomly generate a different code for each
letter reliably. So if you de hash one password made up of the
alphabet they all pop back real fast after that. It is only finding
the set of letters that is hard.
So to your question: windows decodes the entire password file when
you add a new password so it reads it, does the compare and then
rehashes it. Oh boy if a hacker is watching the temp password file
with a javascript when it is unhashed.
Requiring a drastically different password is for office security
from your best buddy, two cubicles down.
At 7:02 PM +0300 8/8/02, Lauri Vain wrote:
>Hi there,
>
>Perhaps you have sometimes noticed (when you're changing passwords on
>some versions of Windows) that it pops up a "Password too similar"
>error. That means that the new password you requested was too similar to
>a previous password.
>
>How does Windows compare the entered password with the previous 10
>passwords when the old passwords are stored as an one-way hash only?
>Will the new password be mutated based on some simple algorithms, then
>hashed, and only then compared to old ones (they would have to repeat
>the process 1000 times or so to cover the most common variations of a
>single password) or is there a smarter approach to it? Mutating the new
>password like that wouldn't be all that effective, now would it. So, how
>does it work?
>
>Thanks,
>Lauri
--
Sincerely,
Kid Stevens
"I spend so much time alone that I begin to lose my humanity."
-Yes I stole that from the movie "Wing Commander" and changed 3 words to suit m
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA