-
February 13th, 2002, 06:31 PM
#1
Is LC3 all it's "cracked" up to be?
Here is the claim of the latest version of L0phtCrack, LC3, and its claims: Security experts from industry, government, and academia cite weak passwords as one of the most critical internet security threats. But while many administrators recognize the danger of passwords based on family or pet names, fewer recognize that even savvy users expose networks to risk due to inadequate passwords. Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...
L0phtCrack obtained 18% of the passwords in 10 minutes
90% of the passwords were recovered within 48 hours on a Pentium II/300
The Administrator and most Domain Admin passwords were cracked
Details are here: http://www.l0pht.com/research/lc3/index.html
-
February 13th, 2002, 06:43 PM
#2
LC3 is by far and away the best password cracker for Windows operating systems. It was designed specifically for that purpose when l0pht was still underground. LC3 has no comparison when you need a Windows password.
***note to kiddies*** this isn't a plug for you idiots to go and get the software.
Most of us know this...but for those that don't...Your Windows OS does not encrypt any characters beyond the 7th in your passwords. Hence why MS recommends using a 7 character password. Whereas in *nix your passwords are shadowed completely.
The best protection against having your password cracked is: mix capital letters with lowercase ones, use symbols and numbers as well.
While LC3 is the best around....a good password will be enough to discourage most "crackers" from getting your admin password. I tried the one I use at home.... it estimated 180 days to complete the cracking of it. Naturally I didn't let it finish.
-
February 13th, 2002, 06:44 PM
#3
that is very interesting reading there..
thx..
/me always uses "good" passwords, but I know so many sysadmins that don't and won't listen to me if I warn them...
but they do reply when I leave my mobile phone number on their desktop (remotely)
hehe
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 13th, 2002, 07:08 PM
#5
I've been disillusioned by LC3 and moreover ISS. Maybe it's just because we run a tighter ship than most but neither of those products told me anything I didn't already know about the network. Wait. ISS did find one weak password for a domain admin account that everybody had forgotten about a while ago.
I guess it takes a lot for software to impress me.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
February 14th, 2002, 03:18 PM
#6
It's possible to enforce more difficult password rules using another password dll..
Available from mikeysoft, but you have to compile this yourself.
(I can't find the link right away but it's available from technet.com)
It's not perfect.. but it sure does work.
Our users now have to use at least 3 types of chars (with at least one number) with a length of 12 chars
Seems pretty secure ..
-
February 14th, 2002, 04:31 PM
#7
"Your Windows OS does not encrypt any characters beyond the 7th in your passwords."
correct me if I'm wrong...but I think this only applies to ntlm not ntlmv2 (course you have to be running a pure ntlmv2 network with local security policies set to accept ntlmv2/refuse lanman & ntlm)..
there's one way to make lc3 completely powerless...
add THIS> ¨b ©à ¨f©È©¦¨ˆ characters..or any other ansi extended nonprinting chars and lc3 will grind away forever...it can only deal with the 68 of the 256 ascii chars...
there is a great article on all this HERE
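
Added example (not part of any post in this thread): a small audit script that checks a candidate password against the rule quoted in post #6 and shows what the seven-character point in posts #2 and #7 means for it. It relies on how the LAN Manager (LM) hash works: the password is upper-cased, limited to 14 characters, and hashed as two independent 7-character halves. Assumptions: the function names are hypothetical, "a length of 12" is read as a minimum, only ASCII passwords are modelled, and LM hash storage is enabled.

```python
MIN_LENGTH = 12   # post #6's rule, read here as a minimum length (assumption)
MIN_CLASSES = 3   # "at least 3 types of chars"
LM_MAX, LM_HALF = 14, 7  # LM covers 14 characters, hashed as two 7-char halves


def char_classes(password):
    """Return the set of character classes used in the password."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("symbol")
    return classes


def policy_violations(password):
    """List the ways a password fails the rule quoted in post #6."""
    classes = char_classes(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(classes) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if "digit" not in classes:
        problems.append("no digit")
    return problems


def lm_halves(password):
    """Return the two strings an LM hash covers, or None if no LM hash applies.

    Models ASCII passwords only; LM upper-cases the password and hashes each
    7-character half independently, so case and overall length add nothing.
    """
    if not password.isascii():
        raise ValueError("only ASCII passwords are modelled here")
    if len(password) > LM_MAX:
        return None  # too long for LM: only the NT hash is stored
    upper = password.upper()
    return upper[:LM_HALF], upper[LM_HALF:]


if __name__ == "__main__":
    for pw in ("Winter2002!x", "correcthorsebattery9"):  # constructed samples
        print(pw, policy_violations(pw), lm_halves(pw))
```

The first constructed sample satisfies the 12-character rule yet is still represented in an LM hash as a 7-character half and a 5-character half; the second fails the rule on character classes but is too long to have an LM hash at all.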