How to Prevent Cracking Windows User Account Password
The Security Account Manager (SAM), is a database file in Windows XP, Vista, 7, 8, 8.1 and Windows 10 and it's use for storing hashed copies of user's passwords. It can be used to authenticate local and remote users.
The user passwords are stored in a hashed format in SAM registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKEY_LOCAL_MACHINE/SAM.
Hashing, a one way function, is used to convert your password into a string of characters of fixed length so that in case someone grabs the SAM file(which is easier than you think), the passwords cannot be known. The hashing methods used by Windows are the reason of criticism.
LM hashing is a very old method of Windows 95-era and is not used today. The inherent process of breaking down your password in two 7-character strings, made LM hashing vulnerable to brute force attacks. This was improved by the NTLM hashing method which used the more complex MD4 hashing technique. While this solved the earlier problem it was still not secure enough because of Rainbow Tables. A Rainbow Table is a literal table which contains pre-generated hashes for all possible password combinations for a given hash function.
Your best defense is password & encryption, which I have expanded in detail below.
Starting with the length, a long password is generally considered more secure. But how long is long enough? Researchers say that your password should be at least 12 characters long. But to be on the safer side, a 16+ character password is recommended. And please don’t set it as password12345678. It should be mix of lowercase, uppercase alphabets, numbers & symbols.
Second line of defense is using encryption. In Windows the encryption key is associated with your Windows Account Password, so even if someone resets the password, your stuff will not be accessible. You can use either the inbuilt encryption if you have Pro version of Windows or use any of the third party programs.
In Windows 10, Microsoft is using NTLMv2 hashing technique, which while doesn’t use salting but fixes some other critical flaws and overall offers more security. Even though it’s vulnerable, it has other security improvements like Windows Hello & Credential Guard.
In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This tutorial describes how to use the SysKey utility to secure the Windows SAM database.
To open the SAM Lock Tool, press Windows + R keys and type syskey and hit Enter key.
Click on Update button, for the default option of Encryption enabled.
Select the Password Startup option, if you want to require a password to start Windows. Make sure you use a strong password – you can use one here which is 12 to 128 characters long.
If you choose to Store Startup Key Locally, it will store a key as a part of the operating system and no interaction is required from the user during system startup. If you chose this option, ie Store Startup Key Locally, and click OK, you will get a message saying that the Account database start-up key was changed.
Now every time your computer boots, if you had opted for the Password Startup option, you will be asked to enter a Startup Password, before you can proceed to log in using your login credentials.
If you select Store Startup Key on Floppy Disk, to store the system startup password on a floppy disk, you will be asked to insert your floppy or in our case the USB stick – no one uses a floppy these days – so you may use a USB stick.
Now to login in to your computer, you will need to insert the USB stick first, when you boot your computer. If you do not insert the USB stick, you will not be able to login. When you insert the USB stick, Windows loads the encryption key from drive ‘A’ – which is where you will have inserted your USB. If you have set a password, you will be asked to enter it, before you can proceed to enter your login credentials.
To disable SysKey, run SysKey again and this time choose to Store Startup Key Locally.
The SAM Lock Tool may not provide fool-proof security – at least not from professional hackers – but at least it is one additional layer of security.
The user passwords are stored in a hashed format in SAM registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKEY_LOCAL_MACHINE/SAM.
Hashing, a one way function, is used to convert your password into a string of characters of fixed length so that in case someone grabs the SAM file(which is easier than you think), the passwords cannot be known. The hashing methods used by Windows are the reason of criticism.
LM hashing is a very old method of Windows 95-era and is not used today. The inherent process of breaking down your password in two 7-character strings, made LM hashing vulnerable to brute force attacks. This was improved by the NTLM hashing method which used the more complex MD4 hashing technique. While this solved the earlier problem it was still not secure enough because of Rainbow Tables. A Rainbow Table is a literal table which contains pre-generated hashes for all possible password combinations for a given hash function.
Your best defense is password & encryption, which I have expanded in detail below.
Starting with the length, a long password is generally considered more secure. But how long is long enough? Researchers say that your password should be at least 12 characters long. But to be on the safer side, a 16+ character password is recommended. And please don’t set it as password12345678. It should be mix of lowercase, uppercase alphabets, numbers & symbols.
Second line of defense is using encryption. In Windows the encryption key is associated with your Windows Account Password, so even if someone resets the password, your stuff will not be accessible. You can use either the inbuilt encryption if you have Pro version of Windows or use any of the third party programs.
In Windows 10, Microsoft is using NTLMv2 hashing technique, which while doesn’t use salting but fixes some other critical flaws and overall offers more security. Even though it’s vulnerable, it has other security improvements like Windows Hello & Credential Guard.
In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This tutorial describes how to use the SysKey utility to secure the Windows SAM database.
To open the SAM Lock Tool, press Windows + R keys and type syskey and hit Enter key.
Click on Update button, for the default option of Encryption enabled.
Select the Password Startup option, if you want to require a password to start Windows. Make sure you use a strong password – you can use one here which is 12 to 128 characters long.
If you choose to Store Startup Key Locally, it will store a key as a part of the operating system and no interaction is required from the user during system startup. If you chose this option, ie Store Startup Key Locally, and click OK, you will get a message saying that the Account database start-up key was changed.
Now every time your computer boots, if you had opted for the Password Startup option, you will be asked to enter a Startup Password, before you can proceed to log in using your login credentials.
If you select Store Startup Key on Floppy Disk, to store the system startup password on a floppy disk, you will be asked to insert your floppy or in our case the USB stick – no one uses a floppy these days – so you may use a USB stick.
Note
It is important to note that the media has to be mounted on Drive A. Using Disk Management, you can ofcourse always first assign this drive letter to your USB thumb drive, before running SysKey.
Now to login in to your computer, you will need to insert the USB stick first, when you boot your computer. If you do not insert the USB stick, you will not be able to login. When you insert the USB stick, Windows loads the encryption key from drive ‘A’ – which is where you will have inserted your USB. If you have set a password, you will be asked to enter it, before you can proceed to enter your login credentials.
To disable SysKey, run SysKey again and this time choose to Store Startup Key Locally.
The SAM Lock Tool may not provide fool-proof security – at least not from professional hackers – but at least it is one additional layer of security.