Writing for CNet, Robert Lemos recounts the efforts of Swiss cryptography researchers to speed the cracking of passwords on Windows-based PCs. As it turns out, applying the same methodology to cracking Mac OS X passwords will eventually yield results, but at a huge penalty of time or computer memory.
The system devised by the researchers involves the use of large lookup tables to match encoded passwords. What the researchers discovered is that some Windows operating systems have inherent weaknesses in the way they encode passwords that can make this brute-force methodology much faster.
“Windows passwords are not very good. The problem with Windows passwords is that they do not include any random information,” explained Philippe Oechslin, a senior research assistant and lecturer at the Cryptography and Security Laboratory of the Swiss Federal Institute of Technology in Lausanne.
Lemos said that Windows operating systems fail to employ a random element called a “salt” used to encode passwords. As a result, a determined cracker can create a large enough lookup table and break passwords on any Windows machine.
“Unix, Linux and the Mac OS X, however, add a 12-bit salt to the calculation, making any brute force attempt to break the encryption take 4,096 times longer or require 4,096 times more memory,” said Lemos.
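To make the salt arithmetic concrete, here is an added example that is not from Lemos' article or the Swiss researchers' work. It assumes SHA-256 as a stand-in for the password-encoding function (the article names no algorithm), a constructed four-word dictionary, and a 12-bit salt as quoted above; it shows a precomputed table hitting an unsalted hash, missing a salted one, and the 4,096-fold growth the table would need to cover every salt value.

```python
import hashlib
import os

# Constructed toy dictionary standing in for the precomputed wordlist.
WORDLIST = ["letmein", "password1", "qwerty", "hunter2"]
SALT_BITS = 12  # the Unix / Mac OS X salt size quoted in the article


def unsalted_hash(password: str) -> str:
    # Assumption: SHA-256 stands in for the unnamed Windows encoding.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: int) -> str:
    # The salt is mixed in before hashing; 12 bits gives values 0..4095,
    # so the same password yields 4,096 different stored hashes.
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def build_lookup_table(words):
    """One precomputed table covers every system that stores unsalted hashes."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash):
    """Return the dictionary word for a stored hash, or None on a miss."""
    return table.get(stored_hash)


def table_size_with_salt(unsalted_entries: int, salt_bits: int) -> int:
    """Entries needed to cover every salt value: 2**12 = 4,096 times more."""
    return unsalted_entries * (2 ** salt_bits)


def demo():
    table = build_lookup_table(WORDLIST)
    # Unsalted storage of a weak password: the table matches immediately.
    hit = lookup(table, unsalted_hash("hunter2"))
    # Same password stored with a random 12-bit salt: the unsalted table
    # never matches, because the salt changed the hash before storage.
    salt = int.from_bytes(os.urandom(2), "big") & (2 ** SALT_BITS - 1)
    miss = lookup(table, salted_hash("hunter2", salt))
    return hit, miss, table_size_with_salt(len(table), SALT_BITS)


if __name__ == "__main__":
    print(demo())
```

The returned tuple is ("hunter2", None, 16384): the four-entry table becomes 16,384 entries once every salt value must be precomputed, which is the 4,096x penalty Lemos describes.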
Lemos suggests that the best defense against such a weakness is to add nonalphanumeric characters to a password — include symbols, for example. That adds another layer of complexity to the password that a determined cracker would have to work through.