Author Topic: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)  (Read 2729 times)

What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
I noticed this morning, as I rapid-fired my password to log on (and missed), that after a third attempt, Windows 7 politely asked me if I wanted to reset my password.
...
reset how? This isn't some website cookie.  This is the operating system of my $1200 rig, and it unnerves me a little that my roommates, or a guest, could just ask my computer if it wouldn't mind ignoring the fact that they didn't know the password, and issue a new one.

Obviously I didn't click it, which I suppose would answer the question:  What does this function actually do?  Does it lock out the User data for that password?  Does it just give the person a free pass?

And if so, can I shut that option off?  I don't forget my PC passwords - they're too easy to forget.  It's just there to 'lock down' my PC from impolite glances and to deny people the implicit permission to use my PC just because it's on.

I've googled the question, to no success, since the vast, VAST majority of queries with the words "windows, reset, password" all lead to 5 million pages of how to reset, not how to NOT reset, much less a page that competently summarizes how that particular feature works precisely.

Does anyone have any experience with Win 7 password recovery, and how those of us with rude flatmates can better secure against intrusion?
"Do you plunder?"
"I have been known to plunder..."
"I refer ye t' darkstar one, one o' th' newer big budget spacers - it's lack o' variety were bein' insultin', an' th' mechanics weren't polished at all.  Every time a title like wot comes out, it pushes th' return o' th' space shooter genre further down th' sea." - Talk like a pirate day '09
"Hope for the best, expect the worst." -Heinlein

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Secure a Windows 7 machine (or any machine for that matter) from this?  Pull the hard drive.  :)

Semi-seriously, if they have physical access to the machine, all bets are off and there isn't much you can do to stop them if they really want to change the password.
--
POSIX is fine, as is Rev or RP

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline Crybertrance

  • 29
  • Conventional warheads only, no funny business
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
I think the reset password asks you for a reset key, which you can store on a USB drive. Sorta like an encryption key. You have to insert said device to reset your password...
<21:08:30>   Hartzaden fires a slammer at Cybertrance
<21:09:13>   Crybertrance pops flares, but wonders how Hartzaden acquired aspect lock on a stealth fighter... :\
<21:11:58>   *** The_E joined #bp [email protected]
21:11:58   +++ ChanServ has given op to The_E
<21:12:58>   Hartzaden continues to paint crybertrance and feeding the info to a wing of gunships
<21:14:07>   Crybertrance sends emergency "IM GETING MY ASS KICKED HERE!!!!eleventy NEED HELPZZZZ" to 3rd fleet command
<21:14:50>   Hartzaden jamms the transmission.
<21:14:51>   The_E explodes the sun

 

Offline Dragon

  • Citation needed
  • 212
  • The sky is the limit.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Quote
Secure a Windows 7 machine (or any machine for that matter) from this?  Pull the hard drive.  :)

Semi-seriously, if they have physical access to the machine, all bets are off and there isn't much you can do to stop them if they really want to change the password.

You can count on them not knowing enough about booting the system to enable the override, or on them being polite enough not to do a "hard" password reset (well, it is more hassle than I'd bother with, except if I really need it).

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Enable a BIOS boot password.  (Poke around your BIOS settings to find it.) While that is easy enough to reset, you would have to be willing to actually physically open the case of the computer.  Many cases have a little place where a small padlock can be placed to prevent unauthorized access, however.  Obviously this won't stop someone who is determined, however, I think for your purposes that should be sufficient.

And yeah, the Windows password reset thing only works if you've created a reset key previously.  However, with a program like the one(s) included in Hiren's Boot CD, Falcon Four's Boot CD, (called Windows NT/2000/XP/Vista/7 Offline Password Reset Tool or somesuch) etc, it literally takes about two seconds (once you've taken a minute to boot the CD) to either a) reset the password of any account to blank or b) boot Kon-boot and patch the kernel in memory to make it think that anything that you put for a password is the correct password, granting full access to the system, until the machine is restarted or shut down, after which things go back to normal, besides any changes that were made.

Of course, you could always download 0phcrack and use the included rainbow tables to actually find which password was in use on the system.  The amount of time required for this varies depending on the system.  However, complex passwords defeat this method (but if your password is something like SallySandra23 I'm guessing 20 minutes and I'll be looking at your password).  Instead, use a password like Sa2llySa3ndra <- oops, that's not a combination of dictionary words and numbers! Throw in a couple special characters: S@2llyS@3ndr@ <- even better.

Regardless, a BIOS boot password will prevent any of the above unless your computer is a) opened or b) unsupervised access is given to the computer while it is up and running.
« Last Edit: May 28, 2012, 12:35:11 am by jr2 »

  

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Quote
Of course, you could always download 0phcrack and use the included rainbow tables to actually find which password was in use on the system.  The amount of time required for this varies depending on the system.  However, complex passwords defeat this method (but if your password is something like SallySandra23 I'm guessing 20 minutes and I'll be looking at your password).  Instead, use a password like Sa2llySa3ndra <- oops, that's not a combination of dictionary words and numbers! Throw in a couple special characters: S@2llyS@3ndr@

Computationally, those passwords all have the same complexity. The only thing that really determines the security of the password is its length.
If I'm just aching this can't go on
I came from chasing dreams to feel alone
There must be changes, miss to feel strong
I really need lifе to touch me
--Evergrey, Where August Mourns
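As an added example (not code from any poster in this thread), a password-policy check along the lines this exchange argues over: it computes the exhaustive-search space for each password quoted above, then tests whether the password reduces to dictionary words once inserted characters and common symbol swaps are undone. The word list and the substitution map are small constructed samples.

```python
import math
import re
import string

# Constructed sample dictionary; a real policy check would load a large word list.
WORDS = {"sally", "sandra", "summer", "dragon", "monkey"}
# Common symbol/digit-for-letter swaps (a small, assumed subset).
LEET = {"@": "a", "4": "a", "3": "e", "1": "l", "0": "o", "$": "s", "7": "t"}
PREFIXES = {w[:i] for w in WORDS for i in range(len(w) + 1)}


def brute_force_bits(pw: str) -> float:
    """log2 of the exhaustive-search space for the character classes pw uses."""
    pool = 0
    pool += 26 if re.search(r"[a-z]", pw) else 0
    pool += 26 if re.search(r"[A-Z]", pw) else 0
    pool += 10 if re.search(r"[0-9]", pw) else 0
    pool += len(string.punctuation) if re.search(r"[^a-zA-Z0-9]", pw) else 0
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def base_words(pw: str):
    """Undo case changes, inserted characters and LEET swaps.

    Returns the dictionary words pw is built from, or None if it does not
    reduce to dictionary words only.
    """
    s = pw.lower()

    def walk(i, cur, found):
        if i == len(s):
            return found if not cur and found else None
        ch = s[i]
        if ch.isalpha():
            options = [ch]              # a letter stands for itself
        else:
            options = [""]              # treat as an inserted character
            if ch in LEET:
                options.append(LEET[ch])  # or as a swapped-in letter
        for opt in options:
            nxt = cur + opt
            if nxt not in PREFIXES:
                continue
            if nxt in WORDS:            # close the word here...
                hit = walk(i + 1, "", found + [nxt])
                if hit:
                    return hit
            hit = walk(i + 1, nxt, found)  # ...or keep extending it
            if hit:
                return hit
        return None

    return walk(0, "", [])


if __name__ == "__main__":
    for pw in ("SallySandra23", "Sa2llySa3ndra", "S@2llyS@3ndr@", "xq7#Lm2vT9pwK"):
        print(f"{pw:15} brute-force={brute_force_bits(pw)} bits words={base_words(pw)}")
```

A check like this belongs at password-change time, so that a candidate which decomposes into dictionary words is rejected whatever its character mix.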

 

Offline Alex Heartnet

  • 28
  • Loli with a hammer
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Quote
Of course, you could always download 0phcrack and use the included rainbow tables to actually find which password was in use on the system.  The amount of time required for this varies depending on the system.  However, complex passwords defeat this method (but if your password is something like SallySandra23 I'm guessing 20 minutes and I'll be looking at your password).  Instead, use a password like Sa2llySa3ndra <- oops, that's not a combination of dictionary words and numbers! Throw in a couple special characters: S@2llyS@3ndr@

Computationally, those passwords all have the same complexity. The only thing that really determines the security of the password is its length.

But a brute force attempt to crack the password takes a lot longer than a 'dictionary attack'.

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
And if you think that those simple substitutions will really increase your password security, you are severely underestimating the intelligence of the other side.

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
I'm not talking about someone who is smart personally attempting to decipher your password.  I'm talking about someone (smart or not) who is attempting to use an automated tool to decipher your password.  Because, let's face it, unless Sally, Sandra, and 23 are known variables, you might as well be using a brute force attack.  I was actually going to suggest throwing your phone number backwards into the mix somehow, but I saved that figuring people would get the picture. :rolleyes:  Basically, you want to use word or number strings that are familiar to you, and manipulate and/or salt them with special/random characters in such a way that they bear no meaning, unless you were the one that created the password from the original pass phrase / numbers.

Unless you're just awesome at memorizing completely random, lengthy pieces of characters that hold no meaning to you.  If that's you, then head over to http://www.strongpasswordgenerator.org/ or somesuch, set the length to 75 (just so I can laugh at you) and then have fun.

:P Did I mention Kon-Boot and what it does in my previous post?  Or what about the NT Offline Password reset tool?  So, if you want to be paranoid, encrypt your hard disk with TrueCrypt.  Cause then I will just be forced (if I really really want in) to put a hardware keylogger on your keyboard.  Of course, you could get around that by typing your password in a random order, while clicking on various points to make the input correct on the system.  Have fun doing that whilst using a completely random password:
Code:
rd;J])Be,#M0uAW6z+!E*nY{Rx1C@U}|.5fQjigN94~8^ZDvT?=mKo2w7kX3H[hbpP

Then again, maybe I'll just put a pinhole camera over your terminal and watch you type!  Better bring a jacket and shroud the system while you enter it!


:lol:

Really, security usually boils down to deterrence... and for 99% of people, S@2llyS@3ndr@ would probably do, although that is a rather poor choice, considering that it has many repeat characters.  You're better off with BomberJacket23:  Bo2mb3rJ@c3k37

EDIT: Something wonky about that random password when viewed in Google Chrome.. it comes up as a mailto: link for the e-mail address ")Be,".

EDIT2: Not to put the wrong idea forward, I'm not some uber hacker or something, I'm just stating how it can be done and is done by others, if they really, really want access to what someone else really, really doesn't want them to have access to.

EDIT3: What I did with BomberJacket23: put the 2 two spaces into the first word, and the 3 three spaces into the second word: Bo2mberJac3ket Now, replace some of the characters with alternate symbols: Bomb3rJ@ck37 which when combined makes Bo2mb3rJ@c3k37, which doesn't really lend itself to being related to Bomber, Jacket, 23 at all... I think that one would more likely think that it was related to Bo, mbr, Jack, and some random characters thrown in... Also, I think I figured out what gave me the inspiration for using this particular password: SpardaSon23 Makes sense, right? Umm.. well, you know, Sally Sandra was 23 years old and she was wearing a bomber jacket while reading SpardaSon23's post... or something.  Alright, alright, I'm done.  :blah:
« Last Edit: May 26, 2012, 11:34:22 am by jr2 »

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Quote
Basically, you want to use word or number strings that are familiar to you, and manipulate and/or salt them with special/random characters in such a way that they bear no meaning, unless you were the one that created the password from the original pass phrase / numbers.

Thus making these things hard to remember, and no more secure against brute force attacks. Again, if you think these sort of conflations and letter substitutions cannot be expressed in a regular expression (and thus made parseable for a computer) you are severely mistaken.

Quote
If that's you, then head over to http://www.strongpasswordgenerator.org/ or somesuch, set the length to 75 (just so I can laugh at you) and then have fun.

There's no need for that. Here, let me show you a completely secure, 150 character password that is relatively easy to remember:

thisisareallylongpassworddesignedtodefeatmostbruteforcepasswordsearchingattackscreatedtoproveasimplepointabouthowsaltingastringdoesnotmakeitmoresecure

With current tech, it is unbreakable within the lifespan of this universe. Even using rainbow tables will not help you much, since each of those has to be calibrated for a given password length.

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Well yes, and while I use that approach myself, (not really worried about anyone trying to get into my system with a boot CD and I know how to browse the Internets and have decent virus protection) that password would be extremely easy to break using rainbow tables (it's just straight up, no-kidding dictionary words strung together)... although, come to think of it, that one is most likely too many words strung together to be able to be deciphered... 32 words strung together, so, no, I don't think most dictionary attacks go to that length.  The point of salting is to prevent dictionary attacks and make someone who is looking over your shoulder's life just a little harder. My password is 25 characters long and consists of five words, one of which is a contraction.

I think the point I'm going for is, most people are satisfied with, say, barbequeBacon36, which would take no longer than an hour to crack with 0phcrack, and then I've got your password.

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Quote
that password would be extremely easy to break using rainbow tables (it's just straight up, no-kidding dictionary words strung together)

That is not how rainbow table attacks work.

Here's a quick overview over modern password security schemes:

1. The password is never stored in clear text.
2. Instead, a hash is used, like MD5.
3. When a user enters his/her password, only the hashes are compared.
4. "Salting" refers to the practice of appending a string of semirandom characters to the user's input, thereby increasing password length.

Now, the one thing about hashing algorithms to keep in mind is that they're trapdoor algorithms, easy to execute in one direction, but impossible to reverse.

Impossible for certain values of impossible, that is. Since hash functions are not guaranteed to be unique (that is, several different inputs can produce the same hash), the only thing you get when reversing them is a space of solutions. Rainbow tables make it easy to search that solution space for possible candidates by computing a whole bunch of intermediate results. Now, the trick here is that you need a few parameters to refine your search, password length being the most obvious one. By using a very long password, the number of possible permutations increases; thus nullifying the advantages of using rainbow tables.
« Last Edit: May 26, 2012, 12:10:23 pm by The E »

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
Hmm, I thought rainbow tables were pre-computed hash results of every likely combination of words and numbers; the cracking program compares the hash of the user's password (from the Windows registry's SAM file IIRC.. just checked, yes it is) with the pre-computed hash value of different password combinations.  When a match is found, it then just reads which password produced the hash match.

Am I wrong?
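As an added example (not code from any poster or from any tool named in this thread), a toy rainbow table over 4-digit PINs hashed with unsalted MD5 shows the chain structure behind the table lookups discussed in the posts above, and why a table built for one length and alphabet returns nothing for a salted or longer input. The PIN space, chain parameters and salt value are constructed for illustration.

```python
import hashlib

PIN_LEN = 4        # the table covers exactly this length and alphabet (digits)
CHAIN_LEN = 40     # hash/reduce steps per chain
N_CHAINS = 600     # only each chain's start and end are stored
SPACE = 10 ** PIN_LEN


def md5(text: str, salt: str = "") -> bytes:
    """Fast hash of salt+text; salt="" models an unsalted password store."""
    return hashlib.md5((salt + text).encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the PIN space, differently for each column."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    return f"{n:0{PIN_LEN}d}"


def build_table() -> dict:
    """Precompute chains once; return {chain_end: [chain_starts]}."""
    table = {}
    for i in range(N_CHAINS):
        start = f"{(i * 7919) % SPACE:0{PIN_LEN}d}"  # deterministic, spread out
        pin = start
        for col in range(CHAIN_LEN):
            pin = reduce_(md5(pin), col)
        table.setdefault(pin, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return a PIN whose unsalted MD5 equals target, or None if not covered."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        pin = reduce_(target, pos)            # assume target sits in column pos
        for col in range(pos + 1, CHAIN_LEN):
            pin = reduce_(md5(pin), col)      # walk forward to the chain end
        for start in table.get(pin, []):
            cand = start                      # replay the chain to confirm
            for col in range(CHAIN_LEN):
                if md5(cand) == target:
                    return cand
                cand = reduce_(md5(cand), col)
    return None


if __name__ == "__main__":
    table = build_table()
    print("unsalted 4-digit :", lookup(table, md5("7919")))
    print("salted 4-digit   :", lookup(table, md5("7919", salt="k3Qz")))
    print("unsalted 8-digit :", lookup(table, md5("79197919")))
```

Only the 600 start/end pairs are stored, not every hash, and the replay step is what filters out false matches where two chains happen to share an end point.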

 

Offline The E

  • He's Ebeneezer Goode
  • 213
  • Nothing personal, just tech support.
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
It's sort of the reverse. Rainbow tables hold possible values that, when fed into the hashing function, yield a given hash.

Of course, by the time you can extract a user's hashed password, you've presumably cracked all the other access protections. Cracking password hashes is a pretty academic exercise, when you come down to it.

 

Offline stinkyFeet

  • 2-∞ - User does not compute
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
So "Correct Horse Battery Staple" would be a bad password?
« Last Edit: May 26, 2012, 06:02:39 pm by stinkyFeet »

 

Offline Crybertrance

  • 29
  • Conventional warheads only, no funny business
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
*Cybertrance has bookmarked this thread for future hacking use...*

 

Offline Gunteen6

  • 26
  • Don't let life get you down! Get up! Go!
    • S31-IKS Parent Boards
Re: What Does the Win7 "Reset Password" prompt do? (and how do I destroy it?)
ITT: Password Cracking
Gunteen6 is now S31-Syntax! If I could change the name, I would!