Tuesday, September 16, 2014

How easy is it for someone to hack your windows password?

So my Dad died last week and I am visiting my Mom for the funeral and she had a printed document he had written out some time ago about where to access all of the financial records and whatnot which, for the most part, he had copies of stored on his computer. He also had everything backed up to an external hard disk which was pretty smart because he failed to tell my Mom (or she forgot) the password to log on to his computer.

So I found myself in one of the rare situations where I had a legitimate reason to hack someone's computer. I was so taken aback by how ridiculously easy it was that I thought I should post about it.

In less then a minute of googling I found myself on this very nice page that laid out all of the options for Windows password "recovery":

http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm

I tried the first tool in the list:

http://sourceforge.net/projects/ophcrack/?source=typ_redirect

So here I went and burned the OphCrack tool to a bootable CD and it turned out my Dad's computer had no optical drive... oops!

A couple more minutes of googling took me to another tool called Rufus:

http://rufus.akeo.ie/

Rufus allowed me to take the OphCrack CD image and burn it to my handy dandy Yoda USB stick. Yoda is now a password hacker.

Power cycle the computer, punch in a couple keystrokes to get to the BIOS to make the computer boot from USB storage, pop in Yoda, reboot and watch the show. OphCrack decoded the hashed password in the windows registry and showed it to me in under a minute and that minute included time for the Linux image now inside Yoda to boot up. I was all ready with a CD image for a command line password reset tool but I didn't need it because my Dad was not using a complicated password.

Now what if I was not doing this for a legitimate reason? What if I was someone you invited to a party at your house? Or a student you left alone in the classroom with your computer for a few minutes? The possibilities are endless. With Yoda in my pocket and physical access to a computer I can get your password in less then five minutes. This should highlight the need to be very cautious who you allow physical access to your computer. If, like most people, you use the same password for everything then I can steal your identity very easily by simply downloading all of your bookmarks and browser history onto my buddy Yoda.

With Windows 8 it is possible to use a Microsoft account instead of a local account which means your account information is stored in the cloud. Well, Jennifer Lawrence and her boobies can tell you how secure that is! Even with cloud based accounts you need to use two factor authentication to really protect your data.

All is not doom and gloom though if you take sensible precautions to protect your data from Yoda USB up there. Here are some things that everyone with sensitive data on a computer (ok, so that is actually everyone everyone) should do:


  1. Never leave your computer unattended in front of people you do not know well enough to trust to hold your checkbook. If you are planning a party unplug the computer or stow it in the attic until the party is over. Definitely do not pass out drunk with your laptop open...
  2. Use a complex password. If my Dad had set a complex password it would have taken OphCrack hours to figure it out. Complex passwords have no recognizable words in them and contain letters, numbers, and special characters. Here is a good site with a password generator you can use to create these passwords:
    http://www.pctools.com/guides/%20password/
  3. Do not use the same password for multiple password protected websites. If someone were to gain your password because Paypal, Target, Home Depot, Sony Online Entertainment, or Adobe got hacked and they can identify you as that password holder they can easily get into all the other sites you use by trying that same password
  4. The most important password to protect is your computer logon password. The next most important is your email password. Your email address is used for the username on a lot of password protected sites and if a hacker gets into your email they can change the password to lock you out of it and then proceed to issue password reset requests to get into all the other password protected sites that you use. Under no circumstances use the same password for both email and computer logon. 
  5. Do not write that hard to remember complex password on a sticky note and sticky it to your monitor. Treat written down passwords the same as money.. keep them in your wallet or safe or under the mattress or frozen in a block of ice at the back of the freezer but no where near your computer.
  6. Do not email or text message or instant message your password to anyone ever as those forms of communication cannot be secured adequately; anyone on the same public hotspot as you or piggy backed onto your own wireless connection can spy on them. If you must send a password electronically then do it over PGP encrypted email.
    http://lifehacker.com/180878/how-to-encrypt-your-email
  7. If the site offers it, use two factor authentication. This means more then just a password is required every time you login like answering a security question, having a one-time-use code set to your phone, or a biometric reader like the fingersprint scanner in iPhone 5s / 6. If iTunes backup files stored in iCloud had been protected by two factor authentication at the time then Jennifer Lawrence's boobies would still be private. 
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)