# Passwords!



## Magnus (Sep 6, 2007)

What is the actual reason WHY you see (****) instead of (pass)?
I know it's for safety and such but what more? My teacher said that if I were at a helpdesk and said that, I'd fail -_-"

I did try to wiki it but failed ;_;


----------



## net-cat (Sep 6, 2007)

To prevent people from looking over your shoulder and seeing your password.

Also, if you have to enter your password while your computer is attached to a projector.


----------



## Kobaruto (Sep 6, 2007)

net-cat said:

> To prevent people from looking over your shoulder and seeing your password.
> 
> Also, if you have to enter your password while your computer is attached to a projector.



This should've been obvious enough. I don't want people seeing my password as I enter it into a computer, even if I type 100WPM. Lol.


----------



## Magnus (Sep 6, 2007)

So there is not much of a secret behind it?
Why is he forcing me to make a whole story about it ;_;


----------



## net-cat (Sep 6, 2007)

Nope, no big secret. Even in the old days, it was fairly trivial to write an asterisk to the output device in lieu of the actual character. (Although it was easier to just not output anything at all, but I guess people probably complained about that.)


----------
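The two behaviours net-cat describes (echo an asterisk per character, or echo nothing), as an added example that is not part of the original thread. The function names are hypothetical, the keystroke strings in `simulate` are constructed, and `prompt_masked` assumes a POSIX terminal.

```python
import sys


def read_masked(read_char, write, mask="*"):
    """Collect a secret one keystroke at a time, echoing `mask` per character.

    mask="" is the "output nothing at all" variant (Python's getpass default).
    """
    secret = []
    while True:
        ch = read_char()
        if ch in ("\r", "\n", ""):          # Enter or end of input
            return "".join(secret)
        if ch == "\x03":                     # Ctrl-C arrives as a byte in raw mode
            raise KeyboardInterrupt
        if ch in ("\x7f", "\b"):             # Backspace: drop a char, erase one mask
            if secret:
                secret.pop()
                if mask:
                    write("\b \b")
            continue
        secret.append(ch)
        if mask:
            write(mask)


def simulate(keys, mask="*"):
    """Run read_masked over a constructed keystroke string; return (secret, screen)."""
    it, screen = iter(keys), []
    secret = read_masked(lambda: next(it, ""), screen.append, mask)
    return secret, "".join(screen)


def prompt_masked(prompt="Password: "):
    """Interactive use on a POSIX terminal: kernel echo off, asterisks written instead."""
    import termios, tty
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)

    def out(s):
        sys.stdout.write(s)
        sys.stdout.flush()

    out(prompt)
    try:
        tty.setraw(fd)                       # no echo, no line buffering
        return read_masked(lambda: sys.stdin.read(1), out)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
        out("\n")
```

The mask only changes what reaches the screen; the full secret is still held in the process, which is the point the later posts about reading password fields from memory make.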



## yak (Sep 7, 2007)

What net-cat said, plus the inability to recover someone else's saved password from such a field by copy-pasting. Well, supposed inability, as this is still possible in Windows via some hacks.


----------



## net-cat (Sep 7, 2007)

I would imagine that in _most_ operating systems, you can read the password text boxes directly from memory.


----------



## darkdoomer (Sep 12, 2007)

to avoid jews watching it while you enter your password / visa PIN


----------



## darkdoomer (Sep 12, 2007)

yak said:

> What net-cat said, plus the inability to recover someone else's saved password from such a field by copy-pasting. Well, supposed inability, as this is still possible in Windows via some hacks.


True!
Keyloggers, or boot from Linux and start John the Ripper. Anything encrypted in windows/system32/config/ by syskey is vulnerable, and other passwords can be simply found in the registry for certain apps :mrgreen:


----------



## Ron Overdrive (Sep 16, 2007)

darkdoomer said:

> yak said:
>
> ...


Actually at work we use this tool called NT Offline Password & Registry Recovery on The Ultimate Boot CD for Windows. It's basically a *nix tool that can read and edit the SAM file in the Windows system directory. All we do is blank out the password, log in to Windows, and change the password. No real reason needed to crack the SAM file unless you want to cover your tracks for some reason.


----------



## net-cat (Sep 16, 2007)

On the rare occasion where the customer didn't give us the password or it's not easily guessable, we usually use a program called Ophcrack to recover Windows passwords. They have a live CD for download that is capable of cracking any alphanumeric password up to 14 characters long in Windows.

Although you'd be amazed at how many people actually type their passwords into the "Password Hint" field in XP.


----------



## Ron Overdrive (Sep 17, 2007)

net-cat said:

> On the rare occasion where the customer didn't give us the password or it's not easily guessable, we usually use a program called Ophcrack to recover Windows passwords. They have a live CD for download that is capable of cracking any alphanumeric password up to 14 characters long in Windows.
> 
> Although you'd be amazed at how many people actually type their passwords into the "Password Hint" field in XP.



Ophcrack is a great program and does the job so long as they didn't use special characters in the password. Unfortunately at work it's a requirement to use special characters in our passwords so they're not easily crackable.


----------



## net-cat (Sep 17, 2007)

Well, it _can_ work on special characters, you just need the much bigger and non-free tables.

I work at a computer repair shop, and only about one in ten computers even have a password. Of those, only about one in ten have a special character.


----------



## Ron Overdrive (Sep 18, 2007)

net-cat said:

> Well, it _can_ work on special characters, you just need the much bigger and non-free tables.
> 
> I work at a computer repair shop, and only about one in ten computers even have a password. Of those, only about one in ten have a special character.



This is true when you're dealing with the public sector, but in the private sector of things like businesses, government, and university systems you tend to have 10 out of 10 systems passworded and at least 50% have special characters if the user followed company policy. This is what I deal with on a regular basis. For me it's easier and faster to just blank the password, do what I need to do, and issue a temp password with instructions for the user to change it when they get the machine back.


----------



## net-cat (Sep 18, 2007)

In any case, Ophcrack works by exploiting weaknesses in LMHASH. I should hope that anything with even remotely sensitive data is disabling the use of LMHASH.


----------
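A way to check whether LM hashes are still being stored, as an added example that is not part of the original thread. It assumes an account export in the common `user:rid:lm:nt:::` layout; the sample lines and their hash values are constructed, and the function name is hypothetical. LM hashes each 7-character half of the password separately, so a half equal to the well-known empty value shows the password had seven characters or fewer.

```python
import string

EMPTY_LM_HALF = "aad3b435b51404ee"   # LM value of an empty 7-character half
EMPTY_LM = EMPTY_LM_HALF * 2         # what is stored when no LM hash is kept

# Constructed sample export; the non-empty hash values are made up.
SAMPLE = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
bob:1002:1122334455667788aad3b435b51404ee:00112233445566778899aabbccddeeff:::
carol:1003:8899aabbccddeeff0123456789abcdef:ffeeddccbbaa99887766554433221100:::
a broken line without enough fields
"""


def audit_lm(dump):
    """Map each account to 'no-lm', 'lm-stored', 'lm-stored-short' or 'unparsed'."""
    findings = {}
    for line in dump.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue                              # not an account line
        user, lm = fields[0], fields[2].lower()
        if len(lm) != 32 or any(c not in string.hexdigits for c in lm):
            findings[user] = "unparsed"           # LM field is not a 32-digit hash
        elif lm == EMPTY_LM:
            findings[user] = "no-lm"              # LM storage disabled or unused
        elif lm[16:] == EMPTY_LM_HALF:
            findings[user] = "lm-stored-short"    # second half empty: <= 7 chars
        else:
            findings[user] = "lm-stored"
    return findings


if __name__ == "__main__":
    for user, status in audit_lm(SAMPLE).items():
        print(f"{user:8} {status}")
```

Any account not reported as `no-lm` still has an LM hash on disk and needs a password change after LM storage is turned off, since the old hash stays until then.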



## silvertwilight (Oct 7, 2007)

If I'm correct, there is a Firefox add-on to let you copy the asterisks of a password and paste it into a box to see the password.
Only works on a few sites though.


----------



## Eevee (Oct 8, 2007)

Er, in Firefox it would be trivial.  Use DOM Inspector or anything similar to look at the password control's DOM node.

There are also programs that will probe the contents of a password control in any Windows application.


----------

