How does bitdefender know if a password is weak?

Aluisious (2[H]4U, joined Mar 6, 2009, 2,189 messages)
I recently installed bitdefender, and it's warning me my user password is weak. How does it know that? Isn't the password encrypted, or is Microsoft stupid enough to store it somewhere in plain text? Or is bitdefender keylogging?

edit: using Win 7 Pro
 
If I had to guess, probably the same way that any website/software package knows a password is weak (an algorithm of some sort). I doubt it's transmitted anywhere, but calculated on the fly instead
 
I am not typing my Windows user password into bitdefender. They shouldn't have access to it.
 
If your PC is not in a domain it is trivial for software to raid the local SAM file and either decrypt the password directly or profile it to make that recommendation. Offline access to data held within the SAM file has been going on for years now.
 
dr.stevil,

I think what he's trying to say is different than when you set a password on a website. When you enter a new password on a website, they are detecting what characters you are entering. What he is saying is that BitDefender is detecting his Windows credentials. I'm curious to hear an answer Aluisious, thanks for posting this.

EDIT: After reading this thread further, your answer is still applicable. Wasn't trying to be pedantic, I just wanted to make sure it was answered properly.
 
This isn't necessarily an MS fuckup. It is what it is. The 1st time you need to use an Offline crack program, you'll be glad this "feature" exists. Typically, the SAM file records the passwords as a hash that's difficult to completely decrypt, but based on that hash, BitDefender may have an algorithm that can detect bad passwords from the hash. I haven't seen that yet, but it seems possible.
 
Not even sure what an offline hack program is. Sounds like something that breaks into your computer if you forget your password?

I'm totally fine with my computer needing to be reinstalled if I forget my password. I damn near bricked my laptop when I forgot the password for a month's worth of trying, and that's the way it should be.
 
It's trivial to use a boot disk to reset a local windows password, takes about 30 seconds.
 
It's trivial to use a boot disk to reset a local windows password, takes about 30 seconds.

except they only reset or override the existing password; they cannot tell you the existing password.
Unless you use something like ophcrack which still uses rainbow tables to crack the password.
 
Passwords less than 15 characters are trivial to crack the hash on (i.e. instant) - it might as well be plain text on the machine.

It's been a gaping hole in Windows security for a long time and no one seems to notice/care.
 
Windows password hashes stored in the SAM file can be reversed with pre-computed rainbow tables

This is the basis of how Ophcrack works, it wouldn't surprise me if bit defender was doing the same thing.
 
This isn't necessarily an MS fuckup. It is what it is. The 1st time you need to use an Offline crack program, you'll be glad this "feature" exists. Typically, the SAM file records the passwords as a hash that's difficult to completely decrypt, but based on that hash, BitDefender may have an algorithm that can detect bad passwords from the hash. I haven't seen that yet, but it seems possible.

The password doesn't need to be recoverable in order to provide the "feature" you mention. You can recover access by simply setting a new password hash.

It most certainly is an MS fuck up.
 
Windows password hashes stored in the SAM file can be reversed with pre-computed rainbow tables

This is the basis of how Ophcrack works, it wouldn't surprise me if bit defender was doing the same thing.

It's also entirely possible that it's just looking at the hash and saying "not long enough!" and making its determination. I know at least with older *NIX-type systems the password was one-way encrypted, but with access to the machine you could easily get the password hash. You might not be able to decrypt it, but if the hash is 8 characters then it's probably not a good password (just as an example). You don't need to crack anything for that.
 
It's also entirely possible that it's just looking at the hash and saying "not long enough!" and making its determination. I know at least with older *NIX-type systems the password was one-way encrypted, but with access to the machine you could easily get the password hash. You might not be able to decrypt it, but if the hash is 8 characters then it's probably not a good password (just as an example). You don't need to crack anything for that.

LM hashes and NT hashes are always 16 bytes long; a 4 character password and a 12 character password will both generate a 16 byte hash. Generally a hash function's output is a fixed length, and not a function of the input length.
 
LM hashes and NT hashes are always 16 bytes long; a 4 character password and a 12 character password will both generate a 16 byte hash. Generally a hash function's output is a fixed length, and not a function of the input length.

Ahh, makes sense. It's been a long time since I've looked at password files, and never Windows ones.
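To make the fixed-length point concrete, here is an added Python example (not posted by anyone in this thread). The NT hash is MD4 over the UTF-16LE encoding of the password with no salt; MD4 is implemented inline from RFC 1320 because hashlib's md4 is often missing on modern OpenSSL builds. The sample passwords are constructed, and the PBKDF2 comparison at the end is an illustration of what a salted scheme looks like, not anything Windows does.

```python
"""Added example (not from the thread): NT hash length never depends on the
password, and an unsalted hash is identical wherever it is computed."""
import hashlib
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, from scratch. MD4 is broken as a general hash; it is
    here only because the NT hash is defined on top of it."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # padding: 1 bit, then zeros...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # ...then the 64-bit message length

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, per-step shifts, message word order)
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4          # the word being updated cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _lrot((v[t] + fn(x, y, z) + X[order[i]] + const) & MASK, shifts[i % 4])
        a, b, c, d = ((s + w) & MASK for s, w in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """Windows NT hash: MD4(UTF-16LE(password)). No salt, no username, no
    iteration count, so the same password hashes identically on every machine."""
    return md4(password.encode("utf-16-le"))


def nt_hash_lengths(passwords) -> dict:
    """Map each password to the byte length of its NT hash. Every value is 16,
    which is why "the hash looks short" can never be how weakness is detected."""
    return {pw: len(nt_hash(pw)) for pw in passwords}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Contrast (assumption: a generic modern scheme, not Windows): per-user salt
    plus a slow KDF. Two users with the same password get different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def salted_hashes_differ(password: str) -> bool:
    """Same password, two random salts: the stored values differ, so a table
    precomputed for one deployment is useless against another."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    for pw, n in nt_hash_lengths(["abcd", "correct horse battery staple"]).items():
        print(f"{pw!r:34} NT hash = {nt_hash(pw).hex()} ({n} bytes)")
    print("salted copies of the same password differ:", salted_hashes_differ("abcd"))
```

Run it and the two hashes print at exactly 32 hex characters each; the only thing that distinguishes a weak password in that output is that its hash matches a value someone has already computed for that same string, which is the property the rainbow-table posts above are describing.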
 