Tuesday, July 29, 2014

Forgotten Windows Password

Recently at work a server lost contact with its domain, which invalidated all domain accounts on the machine.  So the only way to log in was with a local account, of which there was only one: the local administrator.  The problem is, no one knew the password; it had been almost a decade since the local admin account had last been used.  So is there a way to recover from this type of problem?  Turns out the answer is yes, and it's so easy it's almost scary.

What you need is a program called OphCrack.  Windows stores users' passwords as hashes, and OphCrack cracks a password by comparing its hash against pre-generated hashes stored in what they call "rainbow tables."  OphCrack can be run in two different ways.  Probably the most common is from a "live CD."  Once you burn the CD, you boot the computer from it, and from there OphCrack does everything automatically: it finds the registry hives storing the password hashes, begins the cracking process, and displays the results.  The other way to run OphCrack is on your computer directly.  This is useful if you can log in to one account but need to crack another account's password.  You can also load up the registry hives of another computer; I believe it requires the SYSTEM, SAM, and SECURITY registry hives.

The scary thing is how quickly and easily OphCrack can work its magic.  Using the default tables it was able to crack the password in 7 minutes and 2 seconds!

There are other methods to crack your password, or otherwise login to an account without knowing the password.  But OphCrack is the easiest and least invasive I've seen.


I want to be clear here: this is not a security flaw in Windows.  Similar software exists for Linux and Mac, so any computer can be hacked into this way.  It's taking advantage of your relatively weak password.  If you're paranoid about this type of thing, what can you do to prevent it?  Below are some tips that will help prevent this type of attack (if you're concerned about such things).

  1. Use disk encryption.  Windows, Linux, and Mac all have software that can encrypt the disk.
  2. Use long passwords with at least one symbol or extended character.  OphCrack works by having pre-calculated hashes for shorter passwords (up to about 10 characters) made of letters and numbers.  Since this covers 99% of the passwords people use, it works most of the time.  But if your password is longer and uses special characters (e.g. '^' and '&'), the number of possible passwords increases exponentially, and so does the time to crack it.
  3. Do whatever you can to ensure the physical security of the computer.  Once someone has physical access to your computer, there's almost no stopping them.  Even if you have a long password they can't crack, they can still access your files (unless you used disk encryption).  Of course, if your computer is a laptop, tablet, or phone and you lose it or it's stolen, consider your data compromised.
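To put a number on tip 2, here is a small password-policy checker I've added to this post (it is not part of OphCrack and not code from the original article).  It assumes the reach the post describes for the default tables, letters and digits up to 10 characters, and computes how much bigger a given password's search space is than that.  The 128-code-point size for non-ASCII "extended" characters is an assumption for illustration.

```python
import string

# Character classes and their sizes (printable ASCII; sizes constructed here)
LOWER = string.ascii_lowercase      # 26
UPPER = string.ascii_uppercase      # 26
DIGITS = string.digits              # 10
SYMBOLS = string.punctuation        # 32
CLASS_SIZE = {
    "lower": len(LOWER),
    "upper": len(UPPER),
    "digit": len(DIGITS),
    "symbol": len(SYMBOLS),
    "extended": 128,  # ASSUMPTION: treat non-ASCII/extended chars as a 128-symbol pool
}

# The post's description of the default tables: letters and digits, <= 10 chars.
DEFAULT_TABLE_ALPHABET = len(LOWER) + len(UPPER) + len(DIGITS)   # 62
DEFAULT_TABLE_MAX_LEN = 10


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Count distinct passwords of length min_len..max_len over an alphabet
    of alphabet_size characters: the sum of alphabet_size**l over that range."""
    return sum(alphabet_size ** length for length in range(min_len, max_len + 1))


def classes_used(password: str) -> set:
    """Return the set of character classes that appear in the password."""
    classes = set()
    for ch in password:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGITS:
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
        else:
            classes.add("extended")
    return classes


def effective_alphabet(password: str) -> int:
    """Size of the smallest class-based alphabet an attacker would need to
    enumerate to be sure of covering this password."""
    return sum(CLASS_SIZE[c] for c in classes_used(password))


def within_default_tables(password: str) -> bool:
    """True if the password lies inside the space the post says the default
    tables cover: ASCII letters and digits only, at most 10 characters."""
    return (len(password) <= DEFAULT_TABLE_MAX_LEN
            and all(ch.isascii() and ch.isalnum() for ch in password))


def search_space_ratio(password: str) -> float:
    """How many times larger the password's search space is than the
    alphanumeric <=10-character space.  Values below 1.0 mean the password
    sits inside a space that is smaller than the one already precomputed."""
    base = keyspace(DEFAULT_TABLE_ALPHABET, DEFAULT_TABLE_MAX_LEN)
    mine = keyspace(effective_alphabet(password), len(password))
    return mine / base


def report(password: str) -> dict:
    """Summarise a candidate password against the post's two criteria."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "in_default_tables": within_default_tables(password),
        "ratio_vs_default_tables": search_space_ratio(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("Summer2014", "Summer2014!", "Correct-Horse-42"):
        print(candidate, report(candidate))
```

The ratio is a rough yardstick, not a crack-time estimate: it only captures how much larger the enumeration becomes when length and character classes grow, which is exactly the effect tip 2 relies on.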

OphCrack is a cool little program that helped us log in to this server.  Tools like this are not merely "hacking" tools; they have legitimate uses too.
