Q: Windows XP Password Cache ( No Answer,   1 Comment )
Question  
Subject: Windows XP Password Cache
Category: Computers > Operating Systems
Asked by: skip9801-ga
List Price: $10.00
Posted: 10 Jun 2006 06:06 PDT
Expires: 10 Jul 2006 06:06 PDT
Question ID: 736968
Does a Windows XP workstation store the local account password in a
cache somewhere on the workstation?  If so, where is it stored and is
there a good way to secure it?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Windows XP Password Cache
From: aldojj-ga on 16 Jun 2006 02:46 PDT
 
Windows does not store the local account password, but it does store a
hash value, also known as a digital "fingerprint" (128 bit), of the
password. A hash is a one-way math function that accepts a string as
input, in our case a password, and provides a value as output, the
hash value. A hash function has some properties:
1) from a hash value it is computationally hard, we assume impossible,
to retrieve the input string
2) two different input strings will most certainly, we assume
certainly, produce two different hash values

Windows stores hash values in the SAM file located in 
C:\WINDOWS\system32\config\SAM
This file is encrypted and locked by Windows. So, AFAIK, it's already
protected at best.

The same file is also located in C:\Windows\Repair for backup purposes;
it is not locked, but access to it is protected via ACL. This can be a
problem if someone or some program runs with administrative privileges.

Whenever our password is required, the logon box appears and we type
in the password; the box applies the hash function to it and forwards
the hash to the security subsystem, which reads the hash for that user in
the SAM and compares the two values. If they match, we are
authenticated.

What are the risks we should be aware of?

1) AFAIK the only way to obtain a pwd from a hash value is to use
brute force. That is, use a huge password dictionary and apply the hash
function to every pwd; if the hash value matches the first hash value,
then you have the password.

2) How can the hash value be obtained?
	-) grab the SAM file and decrypt it; this means having access to the
machine. Note that when a machine is physically accessible any
security system is in vain. One can boot with a DOS disk and access the
file system. Years ago I used a Linux boot disk and then overwrote the
administrator password with a new one.
	-) if you run as administrator then it is sufficient that a program
does this. So, if you can, use a simple user without admin privileges
	-) in a network, obtain the hash by sniffing the network. But I don't
know exactly how this works and guess it is not easy.

Keep in mind that the info provided is not complete, hence there can
be other security facts that you should be concerned about in order to
be secure.

HTH,
Al

PS: some passwords, not local account, are stored in the registry. Use
http://www.forensicideas.com/tools.html to check what you have there
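
The comment above points out that the Repair copy of the SAM is protected only by its ACL. The following added example, which is not part of the original thread, reports every Allow entry on the two SAM paths that belongs to a principal other than Administrators or SYSTEM. It assumes PowerShell 2.0 or later in an elevated session; the function name Get-UnexpectedSamAccess and the choice of those two principals as the expected set are assumptions of this example.

```powershell
# Added example: audit the ACLs of the two SAM copies named in the comment.
# Assumption: only Administrators and SYSTEM are expected to hold access.
$samPaths = @(
    "$env:SystemRoot\system32\config\SAM",   # live hive, locked while Windows runs
    "$env:SystemRoot\Repair\SAM"             # backup copy, protected only by its ACL
)

# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM
$expectedSids = @('S-1-5-32-544', 'S-1-5-18')

function Get-UnexpectedSamAccess {           # hypothetical helper name
    param([string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of ${Path}: $($_.Exception.Message)"
        return
    }
    # Request SIDs instead of names so localized or renamed groups still match
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if ($expectedSids -contains $sid) { continue }
        # Resolve the SID to a readable name; keep the SID if it cannot be resolved
        try {
            $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid
        }
        New-Object PSObject -Property @{
            Path      = $Path
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = @($samPaths | ForEach-Object { Get-UnexpectedSamAccess -Path $_ })
if ($findings.Count -eq 0) {
    'No unexpected Allow entries found on the SAM paths that could be read.'
} else {
    $findings | Format-Table Path, Principal, Rights, Inherited -AutoSize
}
```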
