xp login password question

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    13

    xp login password question

    Does the strength of my login password in XP protect me from hackers on the Internet, or does the login password only protect you from someone sitting there physically trying to type your password to get into your account?

    My login password is not a network password, right?

    thanks in advance

  2. #2
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    The XP password on your user account is for physical access to your box, or for folks wanting to use your user account remotely from across the network. If a user account has administrator rights, it should be secured with a very strong pass.

    For example:

    User Fred has a username 'Fred' with administrator rights. It's the only account on his system he ever uses. His computer has 2 other user accounts on it he may or may not know about (yes, there's really 3 or more, but we won't count MS's backdoor accounts), depending on his level of experience with WinXP: Administrator and Guest.

    On a reasonably secure system, Guest is disabled. Administrator will be passworded strongly, as will Fred's, but Fred isn't a reasonably secure kind of guy. In fact, he's not too computer literate at all, being an average user. He has no password on his user account (it takes too long to log in that way), and has one on his Administrator account that the tech who installed his operating system had the foresight to implement for him. Fred can't remember that password, nor does he even know it exists.

    Joe Cracker lives down the street from Fred. He hates Fred, and lusts after Fred's hot redheaded wife, and knows Fred happily takes risque pictures of her with his digital camera. Fred thinks Joe's an alright guy who's a bit computer savvy, and goes to him with computer problems.

    During the months Joe works off and on teaching Fred how to defrag and disk cleanup, he gets Fred's wireless DSL router information - enough to set up a VPN session with Fred's computer. The rest is academic: Joe VPNs to Fred's box while Fred's asleep. He uses Fred's user account (without password) to access the files therein, snatching many lusty pics of the redhead of his dreams in the process. Since Fred's account has administrator rights, he goes into User Accounts and adjusts the Administrator password to one of his choosing. He then plants a trojan that will email him every picture Fred downloads to his computer from his digital camera automatically. Now it doesn't matter if he ever 'fixes' Fred's problems again: he gets free pics of Fred's wife, and has full remote access to Fred's computer whenever he bloody well wishes. Joe can use it to steal from Fred, set Fred up to look like he's been involved in criminal activities, or set Fred up so his wife leaves him...

    Pretty bad scenario, ya think? ANYTHING that offers you an option to use a password, please do, and use a strong one.
    Last edited by |3lack|ce; March 23rd, 2007 at 10:13 PM.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Your XP login password gives access to that account on your local machine. This can be physically or remotely. It should be a strong password and greater than 14 characters.

    Network passwords are somewhat different, as they are usually protected by some sort of "three strike rule" that allows a certain number of attempts before breaking the connection for a period of time or deactivating the account. As you can imagine, an 8-character password contains a vast number of combinations, so a dictionary or brute force attack is not practicable given the limited number of permitted attempts and the actual time required to submit each password.

    If, on the other hand, you get rooted, trojaned or backdoored, then you have bigger problems than your password strength.

    To create long passwords that you can remember either use a "pass phrase" or just "pack" your password with set characters, for example:

    1234567890"mypassword"|ZXCVBNM<>?

    There you have your password packed with all the numbers and the bottom row of the keyboard on upper shift.


  4. #4
    Junior Member
    Join Date
    Mar 2007
    Posts
    3
    Why bother to crack a password if somebody can add another password?
    Password protection policy nowadays is not an effective line of defence even if you have an uncrackable password. Why would I bother if I can just add another one?

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Quote Originally Posted by furigay
    Why bother to crack a password if somebody can add another password?
    Password protection policy nowadays is not an effective line of defence even if you have an uncrackable password. Why would I bother if I can just add another one?
    1. You cannot "add another password"; you can only reset the password of an existing user.

    2. You can create a new user account.

    Both of these require administrator rights and both of them are very obvious.

    So, why would you want to crack the password of an existing user? Well, the only reason I can see is to commit some sort of criminal activity: it is identity theft.

    What you want to do is impersonate an existing user, such that they do not know (their password remains the same, and still works), and that the administrator does not see a new user account.

    Password protection is still very valid, as it provides an audit trail and makes users accountable.

  6. #6
    Member
    Join Date
    Mar 2007
    Location
    Noida
    Posts
    34
    Hi,
    Why bother to crack a password if somebody can add another password?
    Password protection policy nowadays is not an effective line of defence even if you have an uncrackable password. Why would I bother if I can just add another one?
    How do you do that?
    Maybe you are talking about user rights escalation?
    ---------------------------
    www.IndiaEsecure.com

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Quote Originally Posted by TejasV
    Hi,

    How do you do that?
    Maybe you are talking about user rights escalation?
    Maybe I did not understand the post correctly, but I took it to be that someone with administrator rights can either change the existing password or create a new user?

    Both of these would be almost instantly noticed?

    Anyway, a password is not like a telegram; you do not have to pay per letter.

    Also, from a user viewpoint, a strong password can be good, as it means that it won't be your account that was used?

  8. #8
    Junior Member
    Join Date
    Mar 2007
    Posts
    13
    Thanks all and |3lack|ce for that example...

    |3lack|ce, would the XP Home/Pro user have to have Remote Desktop, Terminal Services, NetBIOS or any other service that opens a port running for someone to access the machine remotely like what you've described, say if Joe never had physical access to Fred's machine to gather that information? Say I see no ports open when I do netstat, are there any hidden exploitable ports still open that simply don't/won't show up in netstat?

    Also, |3lack|ce , could you further elaborate on those MS's backdoor accounts?

    When I run the net users command I only see Administrator, Guest, and a limited account I've set up.
    Last edited by screwd; March 25th, 2007 at 05:43 PM.

  9. #9
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,696
    To increase the strength of the login password, there are several things you can do.

    1. Use randomly generated passwords. Do not use words or phrases. This will prevent dictionary attacks from succeeding.

    2. Long passwords. Passwords over 14 characters invalidate the LM hash as an added bonus. Not to mention the fact that brute forcing a long password takes an insane amount of time... or a massive rainbow table.

    3. Special characters. Use certain characters from the Unicode character set, 0128 to 0159. As with a password over 14 characters, this invalidates the LM hash and forces Windows to use an NT hash.
    Real security doesn't come with an installer.
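
Putting numbers on the two replies above (nihil's point in #3 about going past 14 characters and about the "three strike" lockout, and D0pp139an93r's points in #9 about the LM hash). This is an added example, not code from the thread or from Microsoft. The guess rates, the three-attempts-then-30-minute-lockout policy, and CP437 as the OEM code page are assumptions; the length rule for the LM hash and its two independent 7-byte halves are how LM actually works.

```python
"""Password-strength arithmetic for a Windows XP local account.

Added example for this thread, not code from the original posts. It puts
numbers on the advice above: why more than 14 characters matters (no LM
hash is stored), what a stored LM hash costs an attacker, and why an
online "three strikes" lockout changes the picture for an 8-character
password. Guess rates and the lockout policy are assumptions.
"""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=16, alphabet=ALPHABET):
    """Random password over the full alphabet, so dictionary attacks do not apply."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def lm_hash_stored(password):
    """Would XP store an LM hash for this password alongside the NT hash?

    An LM hash exists only for passwords of 14 characters or fewer whose
    characters all convert to the OEM code page. CP437 is assumed as that
    code page; it approximates CharToOem and rejects most of the Alt+0128
    to Alt+0159 characters the thread mentions (the euro sign, for one).
    """
    if len(password) > 14:
        return False
    try:
        password.encode("cp437")
    except UnicodeEncodeError:
        return False
    return True


def lm_guess_space(password, alphabet=ALPHABET):
    """Worst-case guesses to brute-force a stored LM hash.

    LM upper-cases the password, truncates it to 14 bytes and hashes two
    7-byte halves independently, so each half is searched on its own. An
    empty half hashes to a known constant and costs nothing.
    """
    folded = len({c.upper() for c in alphabet})  # 68: lower case folds into upper
    n = min(len(password), 14)
    return sum(folded ** h for h in (min(n, 7), max(n - 7, 0)) if h)


def nt_guess_space(password, alphabet=ALPHABET):
    """Worst-case guesses against the NT hash: the whole password at once."""
    return len(alphabet) ** len(password)


def offline_seconds(guesses, rate=1e9):
    """Cracking a stolen hash at an assumed 1e9 guesses per second."""
    return guesses / rate


def online_seconds(guesses, attempts=3, lockout=1800):
    """Guessing at a live logon: 3 tries, then a 30-minute lockout (assumed)."""
    return guesses / attempts * lockout


def assess(password, **policy):
    """Cost of each attack on one password, in years; LM only if a hash is stored."""
    year = 365 * 86400
    nt = nt_guess_space(password)
    out = {
        "length": len(password),
        "lm_hash_stored": lm_hash_stored(password),
        "nt_offline_years": offline_seconds(nt) / year,
        "online_years": online_seconds(nt, **policy) / year,
    }
    if out["lm_hash_stored"]:
        out["lm_offline_years"] = offline_seconds(lm_guess_space(password)) / year
    return out


if __name__ == "__main__":
    # Fred's weak password, a random 16-character one, and nihil's packed example.
    for pw in ["Fred1234", generate_password(16), '1234567890"mypassword"|ZXCVBNM<>?']:
        print(repr(pw))
        for key, val in assess(pw).items():
            print(f"  {key:17} {val:.3g}" if isinstance(val, float) else f"  {key:17} {val}")
```

For the 8-character password the gap between lm_offline_years and nt_offline_years is the whole argument for going past 14 characters (or using a character the OEM code page cannot hold), while online_years is why nihil's lockout point holds even at 8 characters. Once somebody has the hash, though, only the NT figure is left, which is why the long random password wins on both counts.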

  10. #10
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Quote Originally Posted by screwd
    Also, |3lack|ce , could you further elaborate on those MS's backdoor accounts?

    When I run the net users command I only see Administrator, Guest, and a limited account I've set up.
    To see what accounts you have on your PC, try this... http://www.belarc.com/free_download.html
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
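
An added example that is not part of the thread: a script that turns the net user output screwd mentions in #8 into the checks |3lack|ce recommends in #2, namely an enabled Guest account and password-less accounts with administrator rights. The sample output is constructed and abbreviated; the field names and the "*Group" list layout are the ones net user prints, but anything beyond that (the account set, the messages, the severities) is this example's own assumption.

```python
"""Audit the local accounts on a Windows XP box from 'net user' output.

Added example for this thread, not code from the original posts. It parses
the two commands mentioned above ('net user' and 'net user <name>') and
flags what the replies warn about: an enabled Guest account and active
accounts allowed an empty password, worst of all administrators. The sample
output is constructed and abbreviated; on Windows, run_live() reads the box.
"""
import re
import subprocess
import sys

# Constructed 'net user' listing: names in columns separated by 2+ spaces.
SAMPLE_LIST = r"""
User accounts for \\FREDS-PC
-------------------------------------------------------------------------------
Administrator            Fred                     Guest
The command completed successfully.
"""

# Constructed, abbreviated 'net user <name>' output; the real output has more
# fields, which the parser keeps as plain strings.
SAMPLE_DETAIL = {
    "Administrator": "User name                    Administrator\n"
                     "Account active               Yes\n"
                     "Password required            Yes\n"
                     "Local Group Memberships      *Administrators\n",
    "Fred":          "User name                    Fred\n"
                     "Account active               Yes\n"
                     "Password required            No\n"
                     "Local Group Memberships      *Administrators        *Users\n",
    "Guest":         "User name                    Guest\n"
                     "Account active               Yes\n"
                     "Password required            No\n"
                     "Local Group Memberships      *Guests\n",
}

def parse_user_list(text):
    """Account names from 'net user' (assumes no name holds two spaces in a row)."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names

def parse_groups(value):
    """'*Administrators        *Users' -> ['Administrators', 'Users']; '*None' -> []."""
    return [g.strip() for g in re.findall(r"\*([^*]+)", value) if g.strip() != "None"]

def parse_user_detail(text):
    """{field: value} from 'net user <name>'; membership fields become lists."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line[0].isspace() and last:            # group list wrapped onto a new line
            fields[last] += parse_groups(line)
            continue
        parts = re.split(r"\s{2,}", line.rstrip(), maxsplit=1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        last = key if key.endswith("Memberships") else None
        fields[key] = parse_groups(value) if last else value
    return fields

def audit(names, details):
    """Apply the thread's rules; return (severity, account, message) tuples."""
    findings = []
    for name in names:
        d = details.get(name, {})
        active = d.get("Account active", "").startswith("Yes")
        admin = "Administrators" in d.get("Local Group Memberships", [])
        # 'Password required No' is the PASSWD_NOTREQD flag: an empty password is allowed.
        no_pw_needed = d.get("Password required", "").startswith("No")
        if name.lower() == "guest" and active:
            findings.append(("HIGH", name, "Guest is enabled; run: net user Guest /active:no"))
        if active and no_pw_needed:
            findings.append(("CRITICAL" if admin else "HIGH", name,
                             "empty password permitted; set a strong one"))
        elif active and admin:
            findings.append(("INFO", name, "administrator; needs a strong password, over 14 chars"))
    return findings

def run_live():
    """Collect real output on Windows; reading it needs no special rights."""
    def net_user(*args):
        return subprocess.run(["net", "user", *args], capture_output=True, text=True).stdout
    names = parse_user_list(net_user())
    return names, {n: parse_user_detail(net_user(n)) for n in names}

if __name__ == "__main__":
    names, details = run_live() if sys.platform == "win32" else (
        parse_user_list(SAMPLE_LIST), {n: parse_user_detail(t) for n, t in SAMPLE_DETAIL.items()})
    for sev, acct, msg in audit(names, details):
        print(f"[{sev}] {acct}: {msg}")
```

"Password required No" only says an empty password is permitted on the account, not that the password is empty; it is still the flag to chase, because it is how Fred's account in #2 ends up with no password at all. A disabled account produces no finding regardless of its other settings.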
