Security Web Digest: Windows Passwords Insecure
Researchers discover memory-intensive, but fast cracking method
Swiss researchers released a paper this week outlining a way to speed the cracking of alphanumeric Windows passwords, reducing the time to break such codes to an average of 13.6 seconds, from 1 minute 41 seconds. The method involves using large lookup tables to match encoded passwords to the original text entered by a person, thus speeding the calculations required to break the codes. Known as a time-memory trade-off, the approach means that an attacker with an abundance of computer memory can reduce the time it takes to break a secret code. Microsoft's way of encoding passwords has certain weaknesses that make such techniques particularly effective, said Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne (EPFL).
Microsoft Corp.'s chief security strategist, Scott Charney, on Thursday told members of the U.S. House Armed Services Committee that a robust security response capability and effective risk management are critical because software vulnerabilities will continue to be unavoidable regardless of the type of operating system used. His appearance comes nearly a month after the Department of Homeland Security signed an exclusive enterprise contract with Microsoft covering server and desktop software for approximately 140,000 users. News of the deal led some experts to warn that the new homeland security agency had made itself a "hostage" of flawed Microsoft security practices. Others, including Rep. Mac Thornberry (R-Texas), expressed concern about the government's reliance on a single vendor for the majority of its software infrastructure -- a situation some have warned could make it easier for hackers and criminals to cause damage to networks and data.
Authentica Inc. this week introduced PageRecall 3.1, the latest version of its secure document program that ensures that the content is always secure no matter where it is distributed or stored, the company said in a statement. "Rights management technology is the only solution that can enable content sharing, but at the same time protect against unauthorized access and use of information once it is delivered," said Victor DeMarines, director of marketing at Authentica. PageRecall 3.1 adds new functionality, including a way to prevent screen capture applications from working.