Earthweb
Password Protection? Surely You're Joking!
March 29, 2004
By Brian Livingston

Around the world, millions of people are saving sensitive, confidential documents in Microsoft Office and trying to protect them with passwords.

A different set of people around the world are using remarkably simple tools to analyze these documents and open them — without knowing the passwords.

Are you part of the first group or the second? What you'll learn in this article may forever change how you look at password protection.

Password Cracking Tools Are Just a Download Away

A major player in "password recovery utilities" is an international company known as Passware, with offices in Tallinn, Estonia, and Moscow, Russia. The firm's flagship product, Passware Kit Enterprise 6.0, is a veritable Swiss Army Knife that can crack the passwords of almost any software you can think of:

Office Applications. The kit includes modules to break the passwords of all versions of Microsoft Office. The company is particularly proud of its support for the latest Office 2003 releases, including password cracking of Microsoft Word, Excel, Access, Outlook, and VBA (Visual Basic for Applications).

Windows Administrator Passwords. Microsoft Windows, of course, uses passwords to control Administrator access, and Passware hasn't neglected this aspect of security. Its module for Windows NT, 2000, XP, and 2003, the company says, can reset the login string to anything you like if you don't happen to have a machine's Administrator password, secure-boot password, or key disk.

Vertical-Market Software. Besides accessing Microsoft file formats, Passware claims its kit's more specialized modules can recover the passwords of files created by Quicken, QuickBooks, Peachtree, Lotus Notes, Acrobat, and many other applications. Numerous enterprises rely upon password-protected ZIP files — Passware says its software can decrypt most WinZip archives in under one hour.

Recovering Corrupt NTFS Encryption. The company's latest revision, Passware Kit Enterprise 6.1, is so new that it doesn't even have a press release yet (this article is its first mainstream media exposure). But you may be hearing more about it in the future. Its most important new feature is the ability to access the EFS (Encrypted File System) of NTFS — the storage standard Microsoft uses in Windows 2000, XP, and 2003 — from a second hard drive.

White-Hat Password Recovery

The latter capability deserves a longer explanation. NTFS password recovery has a legitimate purpose, as do several other Passware features. Every IT administrator's worst nightmare is to have encrypted a Windows 2000/XP/2003 hard drive, but later on lose the ability to input the password because of disk corruption. With Passware Kit, you can remove the corrupt drive from one machine, make it the secondary drive in another, and (if you know the original Administrator password) read the encrypted files just as before.

Passware Kit Enterprise sells for $595 at the company's Web site. A trial version of the company's software is the most popular of 43 downloads in the "password recovery" category at Tucows, a well-known shareware site. In addition, another Passware product, a totally free download called Asterisk Key, reveals the plain-text passwords that are ordinarily hidden beneath blobs in Windows dialog boxes. That all adds up to a lot of passwords that the people downloading these products are finding.

Dmitry Konevnik, Passware's customer service manager, told me in a telephone interview from his office in Moscow that Microsoft's password-protection schemes have built-in weaknesses. "The encryption key they use to encrypt the files is too short," Konevnik says. "The key is 40 bits long. It takes less time for us to simply brute-force all the keys than for us to brute-force all the possible passwords."

What Was That Password Again? Oops, I Forgot

Passware's software arguably gets more buyers from the authorized creators of password-protected files than from cloak-and-dagger, corporate espionage types. That's because the authorized users forget their carefully-chosen passwords, or employees move on, keeping in their heads the passwords of vital documents. At that point, IT professionals start looking for downloadable tools that can discover the original passwords or just reset them to some desired value.

People subconsciously want to be able to open a document if they forget the password — rather than take the risk of creating totally uncrackable files that can never be accessed if the code is lost.

But if you're the kind of executive who wants password-protected files that aren't trivial to break, Konevnik has good advice for you. "You should use additional cryptographic providers," he says, not just the default password methods offered by Microsoft and other software vendors.

For example, you can create a Microsoft Word document that even Passware couldn't break into for years, if ever. To do this in Word 2003, click File, Save As, then pull down the little-known Tools menu and choose Security Options. Clicking the Advanced button on the resulting dialog box gives you a choice of several "providers" or methods of encrypting the file. Selecting any method that uses 128-bit encryption gives you much stronger protection than Microsoft's default 40-bit key. "This increases the brute-force difficulty by thousands of times," Konevnik says.
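The key-length point Konevnik makes, and the 128-bit option described above, worked through as an added example (not code from the article or from Passware). It computes the password length beyond which a longer password adds nothing because the key space is the smaller search; the trial rate and the character-set sizes are assumed figures for illustration.

```python
import math

# Assumed trial rate, for illustration only; not a figure from the article.
ASSUMED_TRIALS_PER_SECOND = 10_000_000

# Character-set sizes chosen for this example.
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable": 95}


def password_bits(charset_size: int, length: int) -> float:
    """Search space, in bits, of a uniformly random password."""
    return length * math.log2(charset_size)


def effective_bits(charset_size: int, length: int, key_bits: int) -> float:
    """Strength of the file: the smaller of the password space and key space."""
    return min(password_bits(charset_size, length), key_bits)


def crossover_length(charset_size: int, key_bits: int) -> int:
    """Shortest password whose search space is at least 2**key_bits.

    Beyond this length, extra characters no longer strengthen the file.
    """
    length = 1
    while charset_size ** length < 2 ** key_bits:
        length += 1
    return length


def worst_case_seconds(bits: float, rate: int = ASSUMED_TRIALS_PER_SECOND) -> float:
    """Time to exhaust a space of 2**bits candidates at the assumed rate."""
    return 2 ** bits / rate


def keyspace_ratio(strong_bits: int, weak_bits: int) -> int:
    """How many times larger the stronger key space is."""
    return 2 ** (strong_bits - weak_bits)


if __name__ == "__main__":
    for key_bits in (40, 128):
        print(f"--- {key_bits}-bit key ---")
        for name, size in CHARSETS.items():
            n = crossover_length(size, key_bits)
            print(f"{name:>12}: password length stops mattering at {n} chars")
    hours = worst_case_seconds(40) / 3600
    print(f"40-bit key space exhausted in about {hours:.1f} h at the assumed rate")
    print(f"12 printable chars, 40-bit key:  {effective_bits(95, 12, 40):.1f} bits")
    print(f"12 printable chars, 128-bit key: {effective_bits(95, 12, 128):.1f} bits")
```
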

That should be plenty of security for anyone, aside from the CIA. But you can store encrypted files on password-protected removable disks to add yet another layer of protection for absolute confidence. Some portable media, such as Iomega Corp.'s ZIP disks, offer password protection. The older 100 MB disks can be hacked, but specialized recovery consultants such as PWCrack.com say passwords on the 250 MB ZIP disks cannot be discovered or removed.

Conclusion

If your company password-protects its documents, thinking that this is a sure-fire defense against inquisitive intruders, you need to educate yourself on the tools that are now available to sweep encryption off almost any file.

If it's important for you to encrypt a document, it's important enough to do it right.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
