Symantec Pulls Plug on L0phtCrack

The Internet security vendor discontinues sales of the well-known password cracking application.

Symantec has quietly pulled the plug on sales of L0phtCrack, the venerable password auditing and recovery application.

The decision to discontinue support for L0phtCrack, also known as LC5, comes just months after Symantec stopped selling the application to customers outside the United States and Canada out of concerns that it violated cryptography export controls.

The Cupertino, Calif.-based security vendor could not be reached for comment on the decision, but a note sent to existing L0phtCrack users said the product did not fit into Symantec's plans for the future.

The ship date of L0phtCrack was Mar. 3, 2006, and Symantec will offer customer help until Dec. 16, 2006. The company will not be shipping any product code updates, enhancements or fixes to L0phtCrack after March 3.


"Symantec will continue to use reasonable commercial efforts to provide available customer support by e-mail to U.S. and Canada based customers who purchased L0phtCrack (LC) products," the note read.

"As a courtesy to LC customers, we offer customer help via e-mail regarding product usability inquiries through December 16, 2006," the note added.

Rick Fleming, chief technical officer at security risk assessment firm Digital Defense, said the end of Symantec support for L0phtCrack isn't a big surprise.

"There was always going to be a double-edged sword for Symantec. L0phtCrack is valuable as a good password-strength auditing tool but it's also popular with [malicious] hackers who used it to break passwords and attack networks," Fleming said in an interview with eWEEK.

He said Digital Defense used L0phtCrack in its penetration testing products to identify and remediate security vulnerabilities that result from the use of weak or easily guessed passwords.

L0phtCrack can also be used to recover Windows and Unix account passwords, either to regain access to user and administrator accounts whose passwords are lost or to streamline migration of users to newer authentication systems.


L0phtCrack was originally produced by the L0pht, the Boston, Mass.-based security research group founded by Peiter "Mudge" Zatko and Chris "Weld Pond" Wysopal.

It combines several password cracking techniques, including dictionary, brute-force and hybrid attacks, and became one of the most widely used tools in the hacker community.

In 2000, L0pht merged with security research outfit @stake and continued to produce L0phtCrack until 2004, when Symantec bought @stake.

There are several alternative password auditing tools available, including John the Ripper, RainbowCrack and Cain and Abel.
