Good security requires good passwords. But good security is as much about ensuring access by authorised users as it is about preventing access by interlopers. Recovering, resetting, or removing passwords is sometimes a necessity. Here’s how.
It is a truth generally acknowledged among security people that password-protecting sensitive data is a fine thing. And it is, right up until the moment that someone is on deadline, the file or machine is full of essential data, and the password is missing in action.
There are all sorts of circumstances under which lost access happens. The employee who set the password may have left the company sometime earlier or, worse, died suddenly, leaving no record. Or the password may have been forgotten, corrupted, or changed in line with an inscrutable policy that has since been rewritten.
Like all situations involving computer problems, before starting work assess the situation. What do you need to get into? A whole computer? One particular file? What type: Excel, Word, ZIP?
If the Windows password has been forgotten and the PC is joined to a domain, it’s simple to change the password for the account from the domain server by right-clicking on a user in Active Directory Users and Computers (which you’ll find in Administrative Tools) and choosing Reset; you can also do it from the command prompt using DSMOD USER [username] -pwd [newpassword].
For very small businesses with no server and no domain, you can try to crack the Windows password using the tools mentions below or you can reset it with Active@ Password Changer (password-changer.com) which is modestly priced (starts at $30 for the DOS version) and well recommended. However, if all that’s needed is access to a hard drive’s contents, it may be simpler to use a DOS or Linux boot disk to gain access to the hard drive and then copy off just the files you need.
If you’re dealing with a password-protected file, there are two types of password utilities that can help. The first recovers passwords – that is, these programs test passwords until they identify the correct one. The second removes the password entirely, leaving you free to set a new one.
In some cases you will want to recover the password rather than remove it even though removing it is quicker. Take the following situation: variants of a particular password were used for a desktop PC, a set of accounting files, a secondary account on a laptop, and several online financial services used by the business. Removing the password from any one of these will only get you access to that resource; to gain access to the others you’ll have to remove each of those passwords separately, and that may not always be possible. Instead, leverage the first password you discover to try unlocking the others. In addition, removing a password can be dangerous. If, for example, you remove the password from a Windows PC with EFS turned on you will lose access to the encrypted files created under that account.
The problem is that recovering a password can take a long time – days, even months. The reason: the way you recover a password is to set software churning through all the possible passwords until it finds the right one. The more information you can give the cracking software, the more you can cut down the time required to complete this exercise to a manageable amount.
The helpful thing here is the fact that many people choose passwords poorly. For this reason, ad-vises Peter Wood, chief executive of First Base Technologies, a consultant who has dealt with many such situations, it helps to marshal whatever facts are available about the person who set the password and the constraints that were in effect: name, birthday, spouse’s name, children’s names, pet names, company name, street, and town, the top sports teams of the year and so on. And don’t forget to check the obvious choices you hope your employees don’t use. Wood says the most common password he encounters in corporate settings is ‘password123’ or, if the system administrator requires a capital, ‘Password123’. Often, he adds, when people are required to change their passwords they just add another digit on the end.
Passwords and the Law
It is, of course, illegal under the Computer Misuse Act 1990 (cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/#a09) to crack into other people’s computers and/or files without permission. It is also illegal under the copyright laws to circumvent digital rights management restrictions that prevent the copying of video, audio, and ebook files or that protect software programs.
However, suggestions that this made password cracking tools illegal have not been accepted by UK courts. Cracking the password of a client’s own machine or file is the digital equivalent of let-ting someone into their own home by picking the lock at their request.
“There’s no law against trying to decrypt your own files if you have forgotten the password or using a password cracker to access a computer, nor do you break the law if you do it for a third party, provided you have their consent,” says Peter Sommer, a professor at the London School of Economics who has acted as a computer-related expert witness since 1995 He warns: “If there is the slightest doubt about the situation, you would do well to have that in writing – the document doesn’t have to be particularly complex or formal, something along the lines of: ‘Please us your skill to decrypt the file anyfile.doc for me; I confirm that I am the owner of the file.’ or ‘Please use your skill to access this computer for me; I confirm that I am the legitimate user.” There would be no obligation on you as the decrypted to carry out elaborate further enquiries that the requester was indeed legitimate.”
Rule of thumb: when the password is being cracked by or on behalf of the owner of the files or machine, it’s password recovery and you’re fine; if it’s not it’s password cracking, and you’re on the wrong side of the law. Even if you’re using the same tools in both cases.
Top Password Tools
It’s worth noting that passwords on all versions of Windows through Windows Server 2003 were relatively easy to crack; given the right tools experts can get those in ten minutes or less. Starting with Vista, Microsoft fixed this particular vulnerability, and these days you have to work harder.
There are many software tools available to help with cracking, some free and some commercial products. In general price is not a reliable determinant of what the best tools are; you will find some excellent choices among the list of free software.
Before you start with any tool, make sure you’re not trying to crack a password on a live system that will lock you out after a set number of failures. Typically, password recovery software takes the hash in which the password is stored and works on that, so you should be safe. But the best idea is always to make a backup the software can work on and keep the original system intact.
For Windows passwords a good place to start is the widely used free program Ophcrack (oph-crack.sourceforge.net/), which runs on many platforms, so you don’t need access to Windows to use it. It is not the easiest program to use, but essentially you extract the hashed Windows password from the system and SAM files and the software uses downloadable rainbow tables to attempt to crack it by brute force. As already noted, the more you can constrain the search the better. The main Ophcrack site has instructions on how to do this.
An alternative is Cain & Abel (oxid.it/cain.html), also free, which uses a variety of methods to re-cover a wide range of passwords including network keys and encrypted passwords.
Sometimes you will just have to spend money. Few tools handle Microsoft Money; one of the exceptions, Elcomsoft (elcomsoft.com), is a comprehensive password recovery tool that handles all types of Microsoft Office files, plus Outlook, Sage, and archives such as ZIP and RAR, as well tools to retrieve cached Internet passwords and passwords protecting iPhones. The software isn’t cheap – the version of the Office recovery tool that handles Microsoft Money files costs $299. But it is well designed and very effective; configured to retrieve a seven-character password, a four-character mask, and a near starting point, it cracked the password of a Money file in about 24 hours.
Password Problem Prevention
Far better than having to crack a password is, of course, having a management system in place that prevents this type of crisis. For Windows Vista and 7 desktops, one option is to create a password reset disk. To do this you must be logged on via a local account. This strategy has its own risks, since anyone using the reset disk can gain access to the machine (and of course change its password).
For Microsoft Office and related documents, an alternative to password protection is Microsoft Information Rights Management (of-fice.microsoft.com/en-us/excel-help/information-rights-management-in-the-2007-microsoft-office-system-HA010102918.asp), which allows individuals and administrators to specify who may have access to documents (including email). Similarly, a SharePoint content management system will give you document security without the risk of losing access to files..
Where using passwords is a necessity, especially where users must deal with a multitude of complex ones conforming to a motley set of rules, a good option is to deploy a software tool that securely stores and protects passwords. Although of course it, too, will have to be pass-word-protected, one password is easier for a user to deal with than dozens or even hundreds. Password Safe (passwordsafe.sourceforge.net) creates a password store that’s is easily backed up, and you can set up a system whereby administrators store each other’s passwords inside their own password safes so they can be retrieved in case of emergency.
Top 6 Windows Password Recovery Tools
A good guide to free and ‘premium’ password tools of many types:
Excel password recovery
A handy tutorial on using Petri’s Office Password Recovery Utility to decrypt Excel spreadsheets:
Create a password reset disk
Microsoft’s instructions on creating a password reset disk for Vista:
Users Are Not the Enemy
A study commissioned by BT to find out why password reset requests are so common:
Surveys show that without guidance most people choose poorly when creating passwords, picking things that are easy to guess or crack – or, if forced to make them more complex and change them frequently, writing them down. The common 30-day rule was created at a time when the estimated time to run through all possible passwords on the mainframe being protected was a few months. It makes little sense in today’s networked world, in which the threats are very different.
Instead, encourage users to pick passphrases, such as two words joined together by a special symbol, or even pass sentences – the sentence format forces at least one capital. Or, if the system’s constraints won’t allow spaces or more than a relatively small number of letters, get them take the first letter of each word in a memorable sentence. Any of these options is harder to crack or guess and much easier for users to remember.
Of course, the better the password someone assigns, the harder it will be to gain access if they vanish without disclosing it, so centralised security and content management systems are a better choice for protecting business documents.
Setting password search options
Constraining the brute-force options in Elcomsoft’s Advanced Office Password Recovery software to search for passwords of seven letters or less, beginning with a 1, and starting at “1234any”.
Choosing the mode of operation. Brute-force tries all possible combinations; masking specifies known characters and their positions; dictionary limits the search to a known list that may include user-specific vocabulary.
Other functions allow cracking the password protecting Internet Explorer’s Content Advisor (and restoring it later), as well as passwords protecting Outlook, Passport, and Visual Basic for Applications files.