Make it
Password recovery

Password tools are on your SuperDisc. For the full contents of your cover disc, see page 130.

Extreme password recovery

If you’ve forgotten your password, don’t fret: there’s more than one way to get your data back

You’ll need this…

Ophcrack
Software that can crack and display Windows passwords very quickly. Download it at: http://ophcrack.

XP installation disk
Repair mode allows you to reset the administrator password.

A USB stick
For use with the Vista Password Recovery Wizard.

A Linux LiveCD disk
Boot one of these and you can remove the root password on your Linux installation.

WirelessKeyView
This displays lost WEP and WPA wireless keys stored in Windows XP and Vista. Find it at www.nirsoft.net/utils/wireless_key.html.

Word/Excel Password Recovery Wizard
For cracking passwords applied to Microsoft Word and Excel documents. Download it from www.freewordexcelpassword.com/index.php?id=download.

Let’s quickly go over the legalities first. As long as the computing resource to which you’re attempting to gain access is entirely yours, it’s legal for you to recover the passwords protecting it. However, the penalties can be very severe if you try breaking into other people’s computers and files. On this, the UK Misuse of Computers Act is very clear. With this in mind, let’s begin by recovering XP passwords.

Working in XP
If you have administrator access to the machine, possibly the best tool for recovering the passwords of normal XP users is Ophcrack. The program uses a technique called ‘rainbow tables’. These contain password hashes that can be quickly compared to any found in the operating system. For more details, see ‘Spotlight on: Password storage’. When installing Ophcrack, you’ll be presented with several installation options. Choose the one next to last – to install the full, latest rainbow tables from the Internet. Downloading these can take quite a while to complete depending on how quick your connection speed is. Next, start up Ophcrack. Press the ‘Load...’ button and select the ‘From local SAM’ option. This loads and displays the names of the local accounts. To uncover their passwords, simply press the ‘Launch’ button. That’s all there is to it. Working through all of the possibilities can take a while, but slowly, Ophcrack will begin filling in the password information for each of the accounts.

Picture: Ophcrack can recover most of your XP passwords very quickly.

XP repair backdoor
If, however, you’re locked out of your XP administrator account, there’s a security loophole in XP’s recovery mechanism that you can use to get back in. For this, you’ll need the XP installation disk. Once the CD boots, press [Enter] to set up Windows. Press [F8] to accept the licence agreement and then select the option to perform a repair on your XP installation. The software will then check your disks and copy the files that it needs for the repair. Shortly afterwards, the machine will reboot. The process resumes automatically. Keep watching the progress of the repair, and when it says ‘Installing Devices’, hold down the [Shift] key and press [F10]. A command line window will now open. At the prompt, enter the command ‘NUSRMGR.CPL’. This will open the standard Account Management window. You can now reset the administrator’s password. Once done, close the Account Management window and the command line, and continue with the repair (remembering to have your XP product key handy). Once it’s complete, you can log in with the new administrator password. You must let the repair finish, or Windows will roll the changed password back to the original.

Spotlight on… Password storage
Modern operating systems don’t actually store passwords, so how do they recognise when you’ve entered yours incorrectly? They store an encrypted version of the password called a hash. When you log in and enter your password, the log-on process encrypts what you enter and compares it to the hash stored against your username. If they match, you’re in; and if not, you’re not. For extra safety, even if you gain access to the stored hashes, there’s typically no way of reverse engineering them back into plain text. The algorithms that generate the hashes are ‘asymmetric’, meaning that you can’t simply work backwards like you can with a simple mathematical formula. This makes recovering passwords a lot slower, because any recovery software must generate hashes for massive numbers of different passwords in an attempt to find the one that matches the hash for the target account. To slow down hackers even further, the file containing all the hashes is usually protected. In Windows, this file is called SAM, short for Security Accounts Manager. In Linux, it’s the ‘/etc/shadow’ file, which is linked to the ‘/etc/passwd’ file.

275 December 2008
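The ‘Spotlight on… Password storage’ box above explains log-on as a hash comparison. The Python below is an added example, not code from the article or from any of the tools it mentions: the record layout (‘pbkdf2_sha256$iterations$salt$digest’) and the function names are this example’s own convention, not the layout of the Windows SAM or /etc/shadow. It stores a salted, deliberately slow hash, checks a typed password against it, and shows why an unsalted hash is what a precomputed rainbow table can look up: two users with the same password get the same unsalted hash but different salted records.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of hash-based password storage. The record layout
# "pbkdf2_sha256$iterations$salt$digest" is this example's own convention,
# not the layout of the Windows SAM or /etc/shadow.
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """A single unsalted hash: the kind a precomputed rainbow table can look up."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Build a storable record from a random per-user salt and a slow, salted hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(candidate: str, record: str) -> bool:
    """Hash the typed password with the stored salt and compare it to the stored digest."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algorithm)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def records_match(password: str) -> dict:
    """Why salting matters: the same password gives identical unsalted hashes
    (one table lookup serves every user) but different salted records."""
    return {
        "unsalted_identical": unsalted_hash(password) == unsalted_hash(password),
        "salted_identical": hash_password(password) == hash_password(password),
    }


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)                                    # the record holds no plaintext
    print(verify_password("correct horse", record))  # True
    print(verify_password("correct hors", record))   # False
    print(records_match("correct horse"))
```

The iteration count is what makes the ‘generate hashes for massive numbers of different passwords’ step in the box slow for an attacker while costing a legitimate log-on only a fraction of a second; the per-user salt is what stops one rainbow table serving every account, which is the weakness Ophcrack exploits in XP’s unsalted hashes.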

Picture: A quirk of the XP repair process allows you to reset forgotten administrator passwords.

Hasta la Vista
Windows Vista contains a built-in method of recovering passwords, but it does rely on you setting it up before you forget the password. You should do the following now before it’s too late. The technique uses a USB memory stick, which you need to keep somewhere safe until it’s needed. You can use an old mp3 player for this. First, log into the administrator’s account. Next, click on the Start button, then enter the following command into the search box: ‘control userpasswords’. Press [Enter] and a window will appear. Click on the option ‘Create a Password Reset Disk’. This will activate the Forgotten Password wizard. Click ‘Next’ and insert your USB storage device. Now enter the current administrator’s password, hit [Enter], and the wizard will write a file to the USB device. Remove the device, label it and place it somewhere safe. As long as you don’t subsequently change it, if you forget the administrator account’s password, simply plug the USB device into the machine and boot up. At the login prompt, click ‘Reset Password’. This runs the Reset Password Wizard again. Click ‘Next’, then select the USB device. When prompted, enter a new password and confirm it with a second entry. You can now log in normally with the new password. After you gain access, format the USB device and set it up again for the next time you need it.

Picture: Vista allows you to protect yourself before disaster strikes.

Do this…
Create and test strong passwords
There’s nothing like a strong password to put a hacker off, but creating them is an art in itself. Luckily, the basic principles are easy to learn. First, never use a word you can find in the dictionary, not even with numbers in place of vowels, because this approach is too well known. A better approach is to construct a password from the initial letters of a memorable phrase. Even better is to use a line from your favourite song. When it’s time to change the password, you can simply use the next line. If you forget your password, you can work through the lyrics. If you’d rather create passwords that are completely abstract, use keys from all areas of the keyboard. This will make ‘shoulder surfing’ and performing some cracking techniques a lot harder. If you’re worried about the strength of your password, you can test it online. Microsoft runs a password-testing service at www. You can use this page interactively to compose a particularly strong password, but you’d better make sure that you remember it, because it could be very difficult to crack if you forget it at a later point!

Picture: Microsoft’s online tool will tell you how strong your password is.

Passwords that you should avoid
There are some passwords you should never use: ‘password’, for instance, ‘123456’ or ‘qwerty’. Likewise, avoid ‘letmein’ or your username. And never update your password by incrementing a digit appended to the end. Hackers and much password cracking software know to try all these and many more combinations first.

A moving target
On public accounts, such as web mail, it’s vital that you change your passwords regularly. The idea is to present a moving target to anyone who’s looking to compromise your account. If you keep your password the same for a long time, people may begin receiving spam that’s apparently coming from you.

Log in to Linux
If you need to reset a normal Linux user’s password, simply log in as root and enter the command ‘passwd’ followed by the affected username. Enter a new password when asked and confirm it. If you’re locked out of the root account, try booting into runlevel 1. Your machine normally boots into runlevel 5 – graphical mode with full networking. Runlevel 1 is single user, text-only mode. In many distros, booting into this runlevel also logs you into the root account without requiring a password. You can then issue the ‘passwd’ command without a username to change the password. How you boot into runlevel 1 depends on your boot loader, the identity of which will announce itself when you boot the machine. If your system uses Lilo, then at the ‘boot:’ prompt, simply enter the command: ‘linux 1’ (without the quotes). With the Grub boot loader, when presented with the boot options, scroll to the one you usually use to boot into Linux and press [E]. The parameters for the selected option will appear. Scroll to the ‘kernel’ line and press [E] again to edit it. You can scroll back and forth on this line. If there’s a ‘quiet’ or ‘splash’ option on the line, take it out. Now add the word ‘single’ at the end and press [Enter]. Finally, press [B] to boot into runlevel 1. All these boot loader changes are temporary, but once the kernel boots, it should ask you to either press [Enter] for maintenance or [CTRL]+[D] to continue. Press [Enter] and you should simply receive root’s command prompt. After changing the password and rebooting, remember that some distros – such as Ubuntu – don’t let you log into the root account directly at the graphical login prompt. Instead, log into your normal user account and issue the ‘su’ command to change to root, entering a new password when you’re prompted to. If, however, your installation asks for the root password when booting into single-user mode, you can still get back in using a LiveCD Linux disk. Boot from the CD and issue the command ‘fdisk -l’ to list the file systems on the hard disk. You’re looking for one marked ‘Linux’. Let’s assume that this is on /dev/hda3. Enter the following commands (su to root first if the LiveCD doesn’t automatically make you root):
# mkdir /mnt/it
# mount /dev/hda3 /mnt/it
# vi /mnt/it/etc/shadow
You can use any editor to edit the shadow file. The gibberish between the first two colons on the line that begins with the word ‘root’ is root’s encrypted password hash. Delete it to remove the password from the root account. Now issue the commands:
# umount /mnt/it
# reboot
Remove the LiveCD and allow the machine to boot from the hard disk. Log in as normal and, when changing to the root account, you shouldn’t be asked for a password. Once in the root account, issue the ‘passwd’ command to set another.
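The ‘Create and test strong passwords’ and ‘Passwords that you should avoid’ boxes above give rules that are easy to state but easy to fudge (‘p4ssw0rd’ still counts as a dictionary word; ‘Summer2009’ after ‘Summer2008’ is the incremented-digit trick). The Python below is an added example, not code from the article or from Microsoft’s checker; the word list is a tiny stand-in for a real dictionary and the function names are this example’s own. It turns those rules into a policy check and also counts the combinations a password of that length and character mix allows, the same arithmetic the ‘Does size matter?’ box quotes (six mixed-case alphanumerics give 62^6, about 56.8 billion).

```python
import re
from typing import List, Optional

# Constructed password checker implementing the article's rules. DICTIONARY is a
# tiny stand-in for a real word list; a deployment would load a full one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"password", "summer", "winter", "welcome", "dragon", "monkey", "football"}
# Undo the usual digit-for-letter swaps so 'p4ssw0rd' is judged as 'password'.
LEET_MAP = str.maketrans("013457@$", "oieastas")


def trailing_number(password: str) -> Optional[int]:
    """The run of digits at the end of the password, or None if there is none."""
    m = re.search(r"(\d+)$", password)
    return int(m.group(1)) if m else None


def stem(password: str) -> str:
    """Lower-case the password and drop any trailing digits."""
    return re.sub(r"\d+$", "", password).lower()


def is_increment_of(new: str, old: Optional[str]) -> bool:
    """True when new is old with its final number bumped by one (Summer2008 -> Summer2009)."""
    if not old:
        return False
    n_old, n_new = trailing_number(old), trailing_number(new)
    if n_old is None or n_new is None:
        return False
    return stem(old) == stem(new) and n_new == n_old + 1


def keyspace(password: str) -> int:
    """Combinations of the same length drawn from the character classes the password uses."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(password)


def check_password(password: str, username: str,
                   old_password: Optional[str] = None, min_length: int = 8) -> List[str]:
    """Return the rule violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if lowered in COMMON_PASSWORDS:
        problems.append("one of the well-known passwords")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Judge the word both as typed and with digit substitutions undone.
    candidates = {stem(password), stem(password).translate(LEET_MAP)}
    if candidates & DICTIONARY:
        problems.append("dictionary word (digit substitutions and a number suffix do not help)")
    if is_increment_of(password, old_password):
        problems.append("previous password with its final number incremented")
    return problems


if __name__ == "__main__":
    for pw, old in [("p4ssw0rd", None), ("Summer2009", "Summer2008"), ("Itwobt,itwowt!", None)]:
        print(pw, check_password(pw, "jon", old) or "OK", "combinations:", keyspace(pw))
```

‘Itwobt,itwowt!’ (the initials of ‘It was the best of times, it was the worst of times!’) passes every rule, which is the phrase-initials approach the box recommends; a checker like this belongs at the point where a password is set, so the bad choices are refused before they reach the SAM or shadow file.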
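The Linux steps above end with root’s hash field in /etc/shadow emptied, and an administrator needs to be able to spot that state (and a few related ones) afterwards. The Python below is an added audit example, not code from the article or from any distribution: it parses shadow-format lines and reports accounts with no password at all, locked accounts, and hashes in the weak legacy formats. The sample lines are constructed for the example and their hash bodies are made-up strings of the right shape, not real digests.

```python
from typing import Dict, List

# Constructed /etc/shadow-style sample (not from any real system). The hash bodies
# are fabricated placeholders of roughly the right shape, not genuine digests.
SAMPLE_SHADOW = """\
root::14224:0:99999:7:::
jon:$6$cWvX1lq9$FakeSha512HashBodyForTheExample00000000000000000000000000000000000000000000000:14224:0:99999:7:::
backup:$1$8Qz3kLmn$FakeMd5HashBody0000000:14224:0:99999:7:::
daemon:*:14224:0:99999:7:::
guest:!$6$cWvX1lq9$FakeLockedHashBody00000000000000000000000000000000000000000000000000000000000:14224:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Describe what the second shadow field says about an account's password."""
    if field == "":
        return "NO PASSWORD: account can be entered without one"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$1$"):
        return "weak: MD5-crypt"
    if field.startswith("$5$"):
        return "sha256-crypt"
    if field.startswith("$6$"):
        return "sha512-crypt"
    if "$" not in field and len(field) == 13:
        return "weak: traditional DES crypt"
    return "unrecognised hash format"


def audit_shadow(text: str) -> Dict[str, str]:
    """Map each account name to the classification of its password field."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; a real tool would report it rather than skip it
        results[fields[0]] = classify_hash(fields[1])
    return results


def passwordless_accounts(text: str) -> List[str]:
    """Accounts whose password field is empty, the state the steps above leave root in."""
    return [name for name, verdict in audit_shadow(text).items()
            if verdict.startswith("NO PASSWORD")]


if __name__ == "__main__":
    for name, verdict in audit_shadow(SAMPLE_SHADOW).items():
        print("%-8s %s" % (name, verdict))
    print("passwordless:", passwordless_accounts(SAMPLE_SHADOW))
```

Run against a real file it needs root to read /etc/shadow, which is itself the protection the ‘Spotlight on… Password storage’ box describes; the check that matters most is the empty-field one, since after the recovery above root must be given a new password with ‘passwd’ before the machine goes back on a network.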

BIOS passwords
If you forget your BIOS password or someone decides to set one, the machine won’t boot into an operating system until it’s entered. Because of this, most BIOS manufacturers incorporate a backdoor password. The ‘Spotlight on: BIOS backdoor passwords’ box has a table of the most common ones, culled from various technical resources on the web. If none of these work and you can’t find one online that matches your exact make and model of BIOS, all may not be lost, though things do get somewhat trickier. You’re required to reset the BIOS password in hardware. The traditional method is to open your computer’s case and carefully locate the tiny pins on the motherboard which, when shorted out, clear the BIOS password. Sometimes, these are part of a bank of tiny numbered switches. Whatever form they take, however, unless they’re clearly marked, you’ll need the manual for your motherboard. If you don’t have it, you should be able to download it from the manufacturer’s website. A more drastic method is to remove the small rechargeable battery powering the CMOS RAM that holds the BIOS settings. Some sources say that you should leave the battery out for at least 10 minutes before replacing it. If you’ve made any changes to your BIOS’s setup since you took delivery of the machine, you’ll have to enter these again after replacing the battery, but the BIOS password should have gone.

Spotlight on… BIOS backdoor passwords
If someone sets a password on your BIOS, you’re effectively locked out until you enter it. Or are you? Here’s a list of BIOS backdoor passwords that can help you to get back in. Once you gain access to your machine, remember to reset the BIOS password immediately.

[Table of BIOS backdoor passwords; only fragments survived extraction, listed here without their column positions: ‘AMI BIOS’ (a column heading); ‘ALLY (try initial and last letters as upper or lower case)’; ‘Press both mouse buttons repeatedly during the boot’; ‘phoenix’; ‘ALFAROME’.]

Wi-Fi and other devices
If you forget the WEP or WPA key to your wireless network, you can recover it using a piece of free software called WirelessKeyView by Nir Sofer. This simple utility recovers the keys stored by the XP Wireless Zero Configuration service. If you’re using Vista, it displays the keys stored by the WLAN AutoConfig service. What if you’ve forgotten the administrator password on your Wi-Fi router? The same thing applies to other devices with management interfaces. First, check that the manual doesn’t mention a backdoor administrator password. If there is one, use it to gain access to the device. If not, visit dpl.html for a regularly updated list of default passwords for a very large range of hardware from different suppliers. If your make and model of equipment doesn’t appear on that list and a web search also proves futile, you may have to reset the device to its factory default settings. This is dependent on the hardware itself, so go back to the documentation. Luckily, however, most domestic networking devices are designed for use practically out of the box, so reconfiguring them should be no problem. To keep the amount of work that’s required after a factory reset to a minimum, make a note of the exact configuration of all the devices on your network before disaster strikes.

Picture: WirelessKeyView will show you the lost wireless keys on your computer.

Does size matter?
How long should your password be, and does security increase with size? According to the Australian Computer Emergency Response Team (www.tinyurl.com/59mnu7), a randomly generated six-digit password has 56 billion combinations. An eight-digit password, however, has 200 trillion variations. A nine-digit password gives a staggering 13 quadrillion combinations (that’s 13 followed by 15 zeros).

Accessing documents
Finally, documents of all kinds can have passwords applied. This can be very annoying if someone emails you something to work on but forgets to tell you what the password is. Luckily, help is at hand. One utility for Word and Excel documents is the free Word/Excel Password Recovery Wizard (www.freewordexcelpassword.com/index.php?id=download). Simply open the Wizard’s zip file, double click on ‘setup.exe’ and install the software. Run the program and press the ‘Select File’ tab to enter a file to crack. Now select ‘Dictionary Recover’ if you have a text file of possible passwords you’d like to try, or if you want to try the ‘Brute Force Recovery’, enter the maximum length of the password. There are plenty of other free and low-cost file password cracking programs, designed to crack other protected file types. Ultimately, however, it’s best to try and avoid the problem by creating personal passwords that are hard to forget, and which others cannot hope to crack. For a detailed guide to creating a super secure password, see Help Desk Extra in PC Plus Issue 274.

Picture: Use the Password Recovery Wizard to access locked documents.

Jon Thompson is a network security consultant with a lousy memory for passwords.
