Feeds

Seminal password tool rises from Symantec ashes

L0phtcrack returns

The Power of One eBook: Top reasons to choose HP BladeSystem

More than three years after Symantec unceremoniously pulled the plug on L0phtcrack, the seminal tool for auditing and cracking passwords is back with a set of new capabilities.

Starting Wednesday, L0phtcrack 6 is available from the same team of hackers who introduced it to the world a decade ago. The program was pulled from the market in late 2005 shortly after it was acquired by Symantec, presumably because its offensive capabilities didn't fit in with the company's portfolio of defensive products and services.

While programs like John the Ripper and Cain and Abel in many ways filled the void, L0phtcrack is credited with bringing awareness about password strength to the masses.

"It was one of the few tools that you could use to do password cracking that looked legitimate at the time," said HD Moore, founder of the Metasploit project. "It became fairly common for not only the pen testers and the assessment folks to use but also very common for system administrators to use to audit the passwords of their systems."

A lot has changed in the half decade that has passed since L0phtcrack 5 was released, and many of those changes are reflected in the latest version. It adds support for x64 processors and the latest operating system releases from Microsoft, Ubuntu and others. It also brings sharp new teeth to cracking passwords that use the NTLM hash, an algorithm for protecting Windows pass phrases that has come into vogue in the past few years.

According to Moore, we largely have L0phtcrack to thank for the phasing out of a previous Microsoft password hash known as LAN Manager. The algorithm stored hashes in seven-character, case-insensitive chunks that made cracking especially easy.

"It really changed people's views on how they should develop secure passwords," Moore explained. "L0phtcrack is probably the number-one reason why people disabled LANMan hashes and actually picked passwords longer than 14 characters in corporations."

L0phtcrack's reincarnation comes after its creators from the L0pht hacker collective repurchased the program's rights from Symantec. The anti-virus provider had acquired them when it acquired @stake in 2004. @stake took control of the rights a year or so earlier when it merged with L0pht.

With a price starting at $295, it's by no means the cheapest password tool on the market, but L0phtcrack team member Christien Rioux says the features such as scheduling and a dashboard that simplifies the process of disabling users with weak passwords makes the program stand out.

"There are a number of enterprise administrative features that make the product worth it for organizations that are doing this on a regular basis," he said. "It's been a very long time that this has been out there. The benefit is that we've had the opportunity to interact and fix [customer] issues and take [in] their concerns." ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.