[Infowarrior] - L0phtcrack returns

[Richard Forno]

Seminal password tool rises from Symantec ashes

L0phtcrack returns

By Dan Goodin in San Francisco • Get more from this author

Posted in Enterprise Security, 27th May 2009 18:34 GMT

http://www.theregister.co.uk/2009/05/27/l0phtcrack_returns/

More than three years after Symantec unceremoniously pulled the plug  
on L0phtcrack, the seminal tool for auditing and cracking passwords is  
back with a set of new capabilities.

Starting Wednesday, L0phtcrack 6 is available from the same team of  
hackers who introduced it to the world a decade ago. The program was  
pulled from the market in late 2005 shortly after it was acquired by  
Symantec, presumably because its offensive capabilities didn't fit in  
with the company's portfolio of defensive products and services.

While programs like John the Ripper and Cain and Abel in many ways  
filled the void, L0phtcrack is credited with bringing awareness about  
password strength to the masses.

"It was one of the few tools that you could use to do password  
cracking that looked legitimate at the time," said HD Moore, founder  
of the Metasploit project. "It became fairly common for not only the  
pen testers and the assessment folks to use but also very common for  
system administrators to use to audit the passwords of their systems."

A lot has changed in the half decade that has passed since L0phtcrack  
5 was released, and many of those changes are reflected in the latest  
version. It adds support for x64 processors and the latest operating  
system releases from Microsoft, Ubuntu and others. It also brings  
sharp new teeth to cracking passwords that use the NTLM hash, an  
algorithm for protecting Windows pass phrases that has come into vogue  
in the past few years.

According to Moore, we largely have L0phtcrack to thank for the  
phasing out of a previous Microsoft password hash known as LAN  
Manager. The algorithm stored hashes in seven-character, case- 
insensitive chunks that made cracking especially easy.

"It really changed people's views on how they should develop secure  
passwords," Moore explained. "L0phtcrack is probably the number-one  
reason why people disabled LANMan hashes and actually picked passwords  
longer than 14 characters in corporations."

L0phtcrack's reincarnation comes after its creators from the L0pht  
hacker collective repurchased the program's rights from Symantec. The  
anti-virus provider had acquired them when it acquired @stake in 2004.  
@stake took control of the rights a year or so earlier when it merged  
with L0pht.

With a price starting at $295, it's by no means the cheapest password  
tool on the market, but L0phtcrack team member Christien Rioux says  
the features such as scheduling and a dashboard that simplifies the  
process of disabling users with weak passwords makes the program stand  
out.

"There are a number of enterprise administrative features that make  
the product worth it for organizations that are doing this on a  
regular basis," he said. "It's been a very long time that this has  
been out there. The benefit is that we've had the opportunity to  
interact and fix [customer] issues and take [in] their concerns." ®