Feeds

Seminal password tool rises from Symantec ashes

L0phtcrack returns

Website security in corporate America

More than three years after Symantec unceremoniously pulled the plug on L0phtcrack, the seminal tool for auditing and cracking passwords is back with a set of new capabilities.

Starting Wednesday, L0phtcrack 6 is available from the same team of hackers who introduced it to the world a decade ago. The program was pulled from the market in late 2005 shortly after it was acquired by Symantec, presumably because its offensive capabilities didn't fit in with the company's portfolio of defensive products and services.

While programs like John the Ripper and Cain and Abel in many ways filled the void, L0phtcrack is credited with bringing awareness about password strength to the masses.

"It was one of the few tools that you could use to do password cracking that looked legitimate at the time," said HD Moore, founder of the Metasploit project. "It became fairly common for not only the pen testers and the assessment folks to use but also very common for system administrators to use to audit the passwords of their systems."

A lot has changed in the half decade that has passed since L0phtcrack 5 was released, and many of those changes are reflected in the latest version. It adds support for x64 processors and the latest operating system releases from Microsoft, Ubuntu and others. It also brings sharp new teeth to cracking passwords that use the NTLM hash, an algorithm for protecting Windows pass phrases that has come into vogue in the past few years.

According to Moore, we largely have L0phtcrack to thank for the phasing out of a previous Microsoft password hash known as LAN Manager. The algorithm stored hashes in seven-character, case-insensitive chunks that made cracking especially easy.

"It really changed people's views on how they should develop secure passwords," Moore explained. "L0phtcrack is probably the number-one reason why people disabled LANMan hashes and actually picked passwords longer than 14 characters in corporations."

L0phtcrack's reincarnation comes after its creators from the L0pht hacker collective repurchased the program's rights from Symantec. The anti-virus provider had acquired them when it acquired @stake in 2004. @stake took control of the rights a year or so earlier when it merged with L0pht.

With a price starting at $295, it's by no means the cheapest password tool on the market, but L0phtcrack team member Christien Rioux says the features such as scheduling and a dashboard that simplifies the process of disabling users with weak passwords makes the program stand out.

"There are a number of enterprise administrative features that make the product worth it for organizations that are doing this on a regular basis," he said. "It's been a very long time that this has been out there. The benefit is that we've had the opportunity to interact and fix [customer] issues and take [in] their concerns." ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.