peter811 - 1/25/2006 8:20 PM
It doesn't take a lot of skill to crack a password; all you really need is a good piece of software and time.
I used to reset Windows and BIOS passwords all the time!
I would reset the CMOS, which would reset the BIOS. Then I was able to find a Linux-based boot disk that would allow me to reset the Windows passwords.
True - resetting passwords doesn't take any skill, just administrator rights *or* physical access to the domain controller. I've done that plenty of times in the case of lost or forgotten passwords. But the user knows right away that his password has been changed, so it's not as useful from an espionage point of view. As you pointed out, actually cracking the user's password takes either good software or a lot of time, and the better the software, the less time it takes.
In the case of my password, the audit team must have been using VERY good software, because with a ten-character password, assuming that each character can be one of about 80 characters (26 uppercase letters, 26 lowercase letters, ten numbers, and eighteen or so punctuation and special characters), that gives so many possible combinations that even if they could test 10,000 possibilities a second, it would take over 17 million years to check just half of them.
This leads me to believe that the testers probably made some intelligent assumptions about my password that allowed them to reduce the number of possibilities they had to check. Maybe they assumed that there won't be more than one or two capital letters, or more than one or two numbers or special characters in the password. Or maybe they guessed that the numbers and/or capital letters would be concentrated at the beginning and end of the password.
Deciding how to intelligently reduce the number of possibilities is probably where the skill comes into play.
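Added example, not part of the original posts: a keyspace calculation for the ten-character, 80-symbol password described above, useful for judging how much strength a password loses when it follows a predictable pattern. The two pattern models (at most two capitals and at most two digits/specials anywhere, or capitals only in the first position and digits/specials only in the last two) are assumptions made here to put numbers on the post's guesses; the function names are hypothetical.

```python
from math import comb

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes as counted in the post: 26 + 26 + 10 + 18 = 80.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 18
OTHER = DIGITS + SPECIAL  # digits and specials treated as one class


def full_keyspace(length=10):
    """Every position may hold any of the 80 symbols."""
    return (LOWER + UPPER + OTHER) ** length


def constrained_keyspace(length=10, max_upper=2, max_other=2):
    """Assumed model: at most max_upper capitals and at most max_other
    digits/specials, in any positions; all remaining characters lowercase."""
    total = 0
    for u in range(max_upper + 1):
        for o in range(max_other + 1):
            if u + o > length:
                continue
            # Choose which positions hold capitals, then which hold others.
            placements = comb(length, u) * comb(length - u, o)
            total += placements * UPPER**u * OTHER**o * LOWER**(length - u - o)
    return total


def edge_keyspace(length=10):
    """Assumed model: a capital is allowed only in the first position and
    digits/specials only in the last two; everything else is lowercase."""
    return (LOWER + UPPER) * LOWER ** (length - 3) * (LOWER + OTHER) ** 2


def years_to_search_half(keyspace, guesses_per_second=10_000):
    """Expected time to cover half the keyspace at the post's guess rate."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for name, size in [("full 80^10", full_keyspace()),
                       ("<=2 capitals, <=2 digits/specials", constrained_keyspace()),
                       ("capital first, digits/specials last two", edge_keyspace())]:
        print(f"{name:42s} {size:.3e} candidates, "
              f"{years_to_search_half(size):,.0f} years for half")
```

Run directly, it prints the candidate count and the time to cover half of each keyspace at 10,000 guesses per second, so the effect of each assumption can be compared against the unrestricted figure.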