How does bitdefender know if a password is weak?

Aluisious

2[H]4U
Joined
Mar 6, 2009
Messages
2,189
I recently installed bitdefender, and it's warning me my user password is weak. How does it know that? Isn't the password encrypted, or is Microsoft stupid enough to store it somewhere in plain text? Or is bitdefender keylogging?

edit: using Win 7 Pro
 

dr.stevil

[H]F Junkie
Joined
Sep 26, 2008
Messages
9,157
If I had to guess, probably the same way that any website/software package knows a password is weak (an algorithm of some sort). I doubt it's transmitted anywhere, but calculated on the fly instead
 

Aluisious

2[H]4U
Joined
Mar 6, 2009
Messages
2,189
I am not typing my Windows user password into bitdefender. They shouldn't have access to it.
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
If your PC is not in a domain it is trivial for software to raid the local SAM file and either decrypt the password directly or profile it to make that recommendation. Offline access to data held within the SAM file has been going on for years now.
 

Cmustang87

Supreme [H]ardness
Joined
Oct 4, 2007
Messages
4,498
dr.stevil,

I think what he's trying to say is different than when you set a password on a website. When you enter a new password in a website, they are detecting what characters you are entering. What he is saying is that BitDefender is detecting his Windows credentials. I'm curious to hear an answer Aluisious, thanks for posting this.

EDIT: After reading this thread further, your answer is still applicable. Wasn't trying to be pedantic, I just wanted to make sure it was answered properly.
 

Nate7311

2[H]4U
Joined
Jan 11, 2001
Messages
3,320
This isn't necessarily an MS fuckup. It is what it is. The 1st time you need to use an Offline crack program, you'll be glad this "feature" exists. Typically, the SAM file records the passwords as a hash that's difficult to completely decrypt, but based on that hash, BitDefender may have an algorithm that can detect bad passwords from the hash. I haven't seen that yet, but it seems possible.
 

Aluisious

2[H]4U
Joined
Mar 6, 2009
Messages
2,189
Not even sure what an offline hack program is. Sounds like something that breaks into your computer if you forget your password?

I'm totally fine with my computer needing to be reinstalled if I forget my password. I damn near bricked my laptop when I forgot the password for a month's worth of trying, and that's the way it should be.
 

dave99

2[H]4U
Joined
Jan 20, 2011
Messages
2,129
It's trivial to use a boot disk to reset a local windows password, takes about 30 seconds.
 

gimp

[H]F Junkie
Joined
Jul 25, 2008
Messages
10,424
It's trivial to use a boot disk to reset a local windows password, takes about 30 seconds.

except they only reset or override the existing password; they cannot tell you the existing password.
Unless you use something like ophcrack which still uses rainbow tables to crack the password.
 

obrith

Limp Gawd
Joined
Jun 11, 2004
Messages
267
Passwords less than 15 characters are trivial to crack the hash on (i.e. instant) - it might as well be plain text on the machine.

It's been a gaping hole in Windows security for a long time and no one seems to notice/care.
 

devman

2[H]4U
Joined
Dec 3, 2005
Messages
2,400
Windows password hashes stored in the SAM file can be reversed with pre-computed rainbow tables

This is the basis of how Ophcrack works, it wouldn't surprise me if bit defender was doing the same thing.
 

devman

2[H]4U
Joined
Dec 3, 2005
Messages
2,400
This isn't necessarily an MS fuckup. It is what it is. The 1st time you need to use an Offline crack program, you'll be glad this "feature" exists. Typically, the SAM file records the passwords as a hash that's difficult to completely decrypt, but based on that hash, BitDefender may have an algorithm that can detect bad passwords from the hash. I haven't seen that yet, but it seems possible.

The password doesn't need to be recoverable in order to provide the "feature" you mention. You can recover access by simply setting a new password hash.

It most certainly is an MS fuck up.
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,364
Windows password hashes stored in the SAM file can be reversed with pre-computed rainbow tables

This is the basis of how Ophcrack works, it wouldn't surprise me if bit defender was doing the same thing.

It's also entirely possible that it's just looking at the hash and saying "not long enough!" and making its determination. I know at least with older *NIX-type systems the password was one-way encrypted, but with access to the machine you could easily get the password hash. You might not be able to decrypt it, but if the hash is 8 characters then it's probably not a good password (just as an example). You don't need to crack anything for that.
 

devman

2[H]4U
Joined
Dec 3, 2005
Messages
2,400
It's also entirely possible that it's just looking at the hash and saying "not long enough!" and making its determination. I know at least with older *NIX-type systems the password was one-way encrypted, but with access to the machine you could easily get the password hash. You might not be able to decrypt it, but if the hash is 8 characters then it's probably not a good password (just as an example). You don't need to crack anything for that.

LM hashes and NT hashes are always 16 bytes long; a 4 character password and a 12 character password will both generate a 16 byte hash. Generally a hash function's output is a fixed length, and not a function of the input length.
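The two points devman makes in this thread (that a precomputed table of hashes is what tools like Ophcrack match against, and that the NT hash is always 16 bytes whatever the password length) can both be shown in a few lines of Python. This is an added example, not code from the thread, from Bitdefender or from Microsoft; the MD4 routine is a pure-Python transcription of RFC 1320, the NT hash is MD4 over the UTF-16-LE password with no salt, and the tiny deny-list, `nt_hash` and `is_known_weak` are constructed for the example. It illustrates why a product can flag a known-weak password from the stored hash alone: an unsalted hash of "password" is the same on every machine, so one precomputed list works everywhere, and a length check on the hash tells you nothing.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (example transcription, not a vendor's code)."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                       # padding: a single 1 bit ...
    while len(msg) % 64 != 56:             # ... zeros up to 56 mod 64 ...
        msg.append(0)
    msg += struct.pack("<Q", bit_len)      # ... then the message length in bits

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # (boolean function, message-word order, shift amounts, additive constant) per round
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), order2, (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z, order3, (3, 9, 11, 15), 0x6ED9EBA1),
    )

    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c    # rotate working variables (ABCD -> DABC ...)
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)

    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16-LE password, with no salt and no per-user input."""
    return md4(password.encode("utf-16-le"))


# Constructed deny-list for the example; a real checker ships a far larger list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
WEAK_HASHES = {nt_hash(p) for p in COMMON_PASSWORDS}


def is_known_weak(stored_hash: bytes) -> bool:
    """True if the stored NT hash equals the hash of a deny-listed password.

    No plaintext is needed: because the hash is unsalted, the deny-list hashes
    can be precomputed once and compared against any account on any machine.
    """
    return stored_hash in WEAK_HASHES


def hash_length(password: str) -> int:
    """Length of the NT hash in bytes, which is 16 for every input."""
    return len(nt_hash(password))


if __name__ == "__main__":
    for pw in ["abcd", "password", "correct horse battery staple"]:
        h = nt_hash(pw)
        print(f"{pw!r}: {h.hex()} ({len(h)} bytes) weak={is_known_weak(h)}")
```

The check works purely on the stored hash, so a scanner that only reads the SAM never handles or transmits the password itself; the same property (no salt) is why the thread's "trivial to crack" remark holds and why modern guidance pairs such deny-list checks with per-user salting and slow hashing wherever the format is under your control.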
 

iroc409

[H]ard|Gawd
Joined
Jun 17, 2006
Messages
1,364
LM hashes and NT hashes are always 16 bytes long; a 4 character password and a 12 character password will both generate a 16 byte hash. Generally a hash function's output is a fixed length, and not a function of the input length.

Ahh, makes sense. It's been a long time since I've looked at password files, and never Windows ones.
 