March 23rd, 2007, 08:44 PM
xp login password question
Does the strength of my login password in xp protect me from hackers on the internet, or does the login password only protect you from someone sitting there physically trying to type your password to get into your account?
My login password is not a network password, right?
thanks in advance
March 23rd, 2007, 09:02 PM
XP password on your user account is for physical access to your box or for folks wanting to use your user account remotely from across the network. If a user account has administrator rights, it should be secured with a very strong pass.
User Fred has a username 'Fred' with administrator rights. It's the only account on his system he ever uses. His computer has 2 other user accounts on it he may or may not know about (yes, there's really 3 or more but we won't count MS's backdoor accounts) depending on his level of experience with WinXP - Administrator, and Guest.
On a reasonably secure system, Guest is disabled. Administrator will be passworded strongly, as will Fred's, but Fred isn't a reasonably secure kind of guy. In fact, he's not too computer literate at all, being an average user. He has no password on his user account (it takes too long to login that way), and has one on his administrator account that the tech who installed his operating system had the foresight to implement for him. Fred can't remember that password, nor does he even know it exists.
Joe Cracker lives down the street from Fred. He hates Fred, and lusts after Fred's hot redheaded wife, and knows Fred happily takes risque pictures of her with his digital camera. Fred thinks Joe's an alright guy who's a bit computer savvy, and goes to him with computer problems.
During the months Joe works off and on teaching Fred how to defrag and disk cleanup, he gets Fred's wireless dsl router information - enough to set up a VPN session with Fred's computer. The rest is academic: Joe vpn's to Fred's box while Fred's asleep. He uses Fred's user account (without password) to access the files therein, snatching many lusty pics of the redhead of his dreams in the process. Since Fred's account has administrator rights, he goes into the User Accounts and adjusts the Administrator password to one of his choosing. He then plants a trojan that will email him every picture Fred downloads to his computer from his digital camera automatically. Now it doesn't matter if he ever 'fixes' Fred's problems again, he gets free pics of Fred's wife, and has full remote-access to Fred's computer whenever he bloody well wishes. Joe can use it to steal from Fred, set up Fred to look like he's been involved in criminal activities, or set Fred up so his wife leaves him...
Pretty bad scenario, ya think? ANYTHING that offers you an option to use a password, please do, and use a strong one.
Last edited by |3lack|ce; March 23rd, 2007 at 09:13 PM.
Even a broken watch is correct twice a day.
Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!
March 24th, 2007, 11:07 AM
Your XP login password gives access to that account on your local machine. This can be physically or remotely. It should be a strong password and greater than 14 characters.
Network passwords are somewhat different as they are usually protected by some sort of "three strike rule" that allows a certain number of attempts before breaking the connection for a period of time or deactivating the account. As you can imagine an 8 character password contains a vast number of combinations so a dictionary or brute force attack is not practicable given the limited number of permitted attempts and the actual time required to submit each password.
If, on the other hand you get rooted trojaned or backdoored then you have bigger problems than your password strength.
To create long passwords that you can remember either use a "pass phrase" or just "pack" your password with set characters, for example:
There you have your password packed with all the numbers and the bottom row of the keyboard on upper shift.
March 25th, 2007, 09:48 AM
Why bother to crack a password, if somebody can add another password?
Password protection policy nowadays is not an effective line of defence even if you have an uncrackable password... why would I bother if I can just add another one?
March 25th, 2007, 11:13 AM
1. You cannot "add another password" you can only reset the password of an existing user.
Originally Posted by furigay
2. You can create a new user account.
Both of these require administrator rights and both of them are very obvious.
So, why would you want to crack the password of an existing user?... well the only reason I can see is to commit some sort of criminal activity... it is identity theft.
What you want to do is impersonate an existing user, such that they do not know (their password remains the same, and still works), and that the administrator does not see a new user account.
Password protection is still very valid, as it provides an audit trail and makes users accountable
March 25th, 2007, 12:20 PM
How do you do that ?
Why bother to crack a password, if somebody can add another password?
Password protection policy nowadays is not an effective line of defence even if you have an uncrackable password... why would I bother if I can just add another one?
Maybe you are talking about user rights escalation?
March 25th, 2007, 12:41 PM
Maybe I did not understand the post correctly, but I took it to be that someone with administrator rights can either change the existing password or create a new user?
Originally Posted by TejasV
Both of these would be almost instantly noticed?
Anyway, a password is not like a telegram, you do not have to pay per letter
Also, from a user viewpoint, a strong password can be good, as it means that it won't be your account that was used?
March 25th, 2007, 02:52 PM
Thanks all and |3lack|ce for that example...
|3lack|ce, would the xp home/pro user have to have Remote Desktop, Terminal Services, NetBIOS or any other services that open a port running for someone to access the machine remotely like what you've described, say if Joe never had physical access to Fred's machine to gather that information? Say I see no ports open when I do netstat, are there any hidden exploitable ports still open that simply don't/won't show up in netstat?
Also, |3lack|ce , could you further elaborate on those MS's backdoor accounts?
When I do net users command I only see Administrator, Guest, and a limited account I've set up.
Last edited by screwd; March 25th, 2007 at 04:43 PM.
March 25th, 2007, 05:16 PM
To increase the strength of the login password, there are several things you can do.
1. Use randomly generated passwords. Do not use words or phrases. This will prevent dictionary attacks from succeeding.
2. Long passwords. Passwords over 14 characters will invalidate an LM hash as an added value. Not to mention the fact that brute forcing takes an insane amount of time for a long password... or a massive rainbow table.
3. Special characters. Use certain characters from the Unicode character set from 0128 to 0159. As with a password over 14 characters, this invalidates the LM hash and forces Windows to use an NT hash.
Real security doesn't come with an installer.
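As an added example that is not from this thread or any of its posters, the script below checks a candidate XP login password against the advice given in the two posts above: the "three strike rule" lockout math from the earlier reply, and the dictionary, length and LM-hash points from this one. The lockout defaults (3 attempts, 30 minute lockout), the small word list, and the character-class sizes are constructed assumptions; the LM-hash rule (no LM hash for more than 14 characters or for characters outside printable ASCII) is a simplification of the posters' description, not a reimplementation of Windows.

```python
# Added example, not from the thread. Scores a password against the advice in
# the posts above and estimates online guessing time under account lockout.
import string

LM_MAX_LEN = 14   # LM hashes exist only for passwords of 14 characters or fewer
LM_HALF_LEN = 7   # LM hashes the password as two independent 7-character halves

# Constructed mini wordlist standing in for a real dictionary-attack list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "fred", "redhead"}


def stored_as_lm_hash(password: str) -> bool:
    """True if a LanMan hash would be stored alongside the NT hash.

    Simplified rule from the thread: more than 14 characters, or any character
    outside printable ASCII (the poster's Alt+0128..0159 range), means Windows
    cannot build the LM hash and keeps only the NT hash.
    """
    if len(password) > LM_MAX_LEN:
        return False
    return all(32 <= ord(ch) < 127 for ch in password)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, from the classes present."""
    size = 0
    if any(ch in string.ascii_lowercase for ch in password):
        size += 26
    if any(ch in string.ascii_uppercase for ch in password):
        size += 26
    if any(ch in string.digits for ch in password):
        size += 10
    if any(ch in string.punctuation for ch in password):
        size += len(string.punctuation)   # 32 printable symbols
    if any(ord(ch) > 126 for ch in password):
        size += 32                        # assumption: the Alt+0128..0159 block
    return size


def years_to_exhaust(password: str, attempts_before_lockout: int = 3,
                     lockout_minutes: int = 30) -> float:
    """Worst-case years to try every password of this length and alphabet when
    the account locks for lockout_minutes after attempts_before_lockout
    failures (the "three strike rule" described in the thread)."""
    space = charset_size(password) ** len(password)
    attempts_per_year = attempts_before_lockout * (60 / lockout_minutes) * 24 * 365
    return space / attempts_per_year


def assess(password: str) -> list:
    """Return the weaknesses the thread's advice would flag (empty list = none)."""
    findings = []
    if not password:
        findings.append("no password set")
    elif len(password) < 8:
        findings.append("shorter than 8 characters")
    if password.lower() in COMMON_WORDS:
        findings.append("dictionary word")
    if stored_as_lm_hash(password):
        findings.append("stored as LM hash")
        if len(password) <= LM_HALF_LEN:
            # The second 7-byte half is then the hash of an empty half,
            # a well-known constant, so only the first half resists guessing.
            findings.append("second LM half is the empty-half constant")
    return findings


if __name__ == "__main__":
    for pw in ["", "fred", "Password1", "correct horse battery staple", "Fr\u20acd!Pass"]:
        print(repr(pw), assess(pw),
              f"{years_to_exhaust(pw):.1e} years under a 3-strike / 30 min lockout")
```

The lockout estimate only models online guessing against a live logon prompt; it says nothing about an attacker who already holds a copy of the SAM, which is exactly why the LM-hash checks matter separately from the lockout math.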
March 25th, 2007, 11:30 PM
To see what accounts you have on your PC, try this... http://www.belarc.com/free_download.html
Originally Posted by screwd
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."