How Windows Store Passwords.ppt

Windows Operating Systems stores it’s passwords in a file called SAM(Security Accounts Manager). SAM is actually a Database stored as a registry file. It stores users passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords. Windows made an attempt to reduce the possibility of offline attempts by introducing SYSKEY. SYSKEY is a utility that encrypts the hashed password information in a SAM database using a 128-bit encryption key. SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks so that the SAM database would still be secure even if someone had a copy of it. However, in December 1999, a security team from BindView found a security hole in SYSKEY which indicates that a certain form of cryptanalytic attack is possible offline. A brute force attack then appeared to be possible. The Issue was fixed with the “Syskey Bug” then it was said to be strong enough to resist a brute force attack. The SAM file cannot be moved or copied while Windows is running. Windows kernel obtains and keeps an exclusive file system lock on the SAM file. Windows will not release that lock until the operating system has shut down or a blue screen exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack. LM hashes cannot be calculated when the user chooses a password of over 14 characters in length. A hash can be thought of as the digital fingerprint of a piece of data. It is also vastly unlikely that any different text string will give you an identical hash - a hash collision. It is next to impossible to (efficiently) recover the original text from a hash alone. Hash Password Examples. 2 very similar passwords have completely different hashes, i.e. password - 286755fad04869