Thread: Is LC3 all it's "cracked" up to be?

  1. #1

    Is LC3 all it's "cracked" up to be?

    Here is the claim of the latest version of L0phtCrack LC3 and its claims: Security experts from industry, government, and academia cite weak passwords as one of the most critical internet security threats. But while many administrators recognize the danger of passwords based on family or pet names, fewer recognize that even savvy users expose networks to risk due to inadequate passwords. Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...

    L0phtCrack obtained 18% of the passwords in 10 minutes
    90% of the passwords were recovered within 48 hours on a Pentium II/300
    The Administrator and most Domain Admin passwords were cracked


    Details are here: http://www.l0pht.com/research/lc3/index.html

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    LC3 is by far and away the best password cracker for Windows operating systems. It was designed specifically for that purpose when L0pht was still underground. LC3 has no comparison when you need a Windows password.
    ***note to kiddies*** this isn't a plug for you idiots to go and get the software.

    Most of us know this... but for those that don't... Your Windows OS does not encrypt any characters beyond the 7th in your passwords. Hence why MS recommends using a 7 character password. Whereas in *nix your passwords are shadowed completely.

    The best protection against having your password cracked is: mix capital letters with lowercase ones, use symbols and numbers as well.

    While LC3 is the best around... a good password will be enough to discourage most "crackers" from getting your admin password. I tried the one I use at home... it estimated 180 days to complete the cracking of it. Naturally I didn't let it finish.

  3. #3
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    That is very interesting reading there..

    thx..

    /me always uses "good" passwords, but I know so many sysadmins that don't and won't listen to me if I warn them...
    but they do reply when I leave my mobile phone number on their desktop (remotely)
    hehe
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    I've been disillusioned by LC3 and moreover ISS. Maybe it's just because we run a tighter ship than most, but neither of those products told me anything I didn't already know about the network. Wait. ISS did find one weak password for a domain admin account that everybody had forgotten about a while ago.

    I guess it takes a lot for software to impress me.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    It's possible to enforce more difficult password rules using another password DLL..
    Available from mikeysoft, but you have to compile this yourself.
    (I can't find the link right away but it's available from technet.com)
    It's not perfect.. but it sure does work.

    Our users now have to use at least 3 types of chars (with at least one number) with a length of 12 chars

    Seems pretty secure ..
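
The rule described in post #6 (at least 12 characters, at least 3 character types, at least one digit), written out as a portable C check. This is an added example, not part of the original post and not the code of the DLL it mentions; the function and enum names are hypothetical, and the split into four character types (lowercase, uppercase, digit, everything else) is an assumption.

```c
/* Added example: post #6's password rule as a stand-alone check.
   Names are hypothetical; the four character classes are an assumption. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

enum pw_result { PW_OK = 0, PW_TOO_SHORT, PW_NO_DIGIT, PW_TOO_FEW_CLASSES };

#define MIN_LENGTH  12  /* "a length of 12 chars" */
#define MIN_CLASSES 3   /* "at least 3 types of chars" */

/* Classify one byte: bit 0 lowercase, bit 1 uppercase, bit 2 digit,
   bit 3 anything else (punctuation, space, bytes above 0x7F). */
static unsigned classify(unsigned char c)
{
    if (c < 0x80 && islower(c)) return 1u << 0;
    if (c < 0x80 && isupper(c)) return 1u << 1;
    if (c < 0x80 && isdigit(c)) return 1u << 2;
    return 1u << 3;
}

/* Returns PW_OK or the first rule the candidate fails.
   Length is counted in bytes, not in multi-byte characters. */
enum pw_result check_password(const char *pw)
{
    unsigned seen = 0, classes = 0;
    size_t len = 0;

    if (pw == NULL) return PW_TOO_SHORT;
    for (; pw[len] != '\0'; len++)
        seen |= classify((unsigned char)pw[len]);

    if (len < MIN_LENGTH) return PW_TOO_SHORT;
    if (!(seen & (1u << 2))) return PW_NO_DIGIT;   /* "at least one number" */
    for (unsigned bit = 0; bit < 4; bit++)
        classes += (seen >> bit) & 1u;
    return classes >= MIN_CLASSES ? PW_OK : PW_TOO_FEW_CLASSES;
}

int main(void)
{
    /* Constructed sample inputs, one per outcome. */
    const char *samples[] = { "Summer2002", "lettersonly-here",
                              "abcdefgh1234", "Blue-Kettle-42x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], (int)check_password(samples[i]));
    return 0;
}
```
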

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    "Your Windows OS does not encrypt any characters beyond the 7th in your passwords."

    Correct me if I'm wrong... but I think this only applies to NTLM, not NTLMv2 (course you have to be running a pure NTLMv2 network with local security policies set to accept NTLMv2/refuse LANMAN & NTLM)..

    There's one way to make LC3 completely powerless...


    add THIS> ¨b ©Ã* ¨f©È©¦¨ˆ characters.. or any other ANSI extended nonprinting chars and LC3 will grind away forever... it can only deal with the 68 of the 256 ASCII chars...

    there is a great article on all this HERE
