password recovery source code?

[badbadtz560]

Let me know if this is deemed inappropriate. I'm asking this for my classwork.. and I don't think these programs can be used to hack w/o physical access anyway.

I'm doing a final presentation for my network security class and like the idea of password security (and why you just shouldn't store passwords anywhere except your own noggin ). However, one big thing that I'm looking at is password recovery tools. I've got several working ones, but is there any way I can get some example code of how these programs decrypt the files?

I need a part where I can say something to this effect: as you can see from this code, this line shows program-x applying y to decrypt the password from the z-account by using the password storage file found in the installation folder.

It'd be my guess that these programs simply search out specific files in their default folders and decrypt the passwords out of these files... but I just can't find any code that proves it. Can anyone help me out? (preferably w/ a password recovery that would work .. and code that goes with it?)

BTW, i'm familiar w/ john the ripper and such programs that can be used to guess passwords in a brute-type method.. but those take time to use whereas these recovery ones are instant.. I'm thinking they use a set/known decryption algorithm instead of guessing.

 

[badbadtz560]

I found some code. thx anyway

 

[RebateMonger]

Originally posted by: badbadtz560
...and why you just shouldn't store passwords anywhere except your own noggin.

In general, I don't think that's possible. Nobody can remember the multitude of passwords required in today's world. So, if they don't write anything down, they are stuck with using a single password everywhere, and with making only simple modifications to that password when required to change it. "Password1" becomes "Password2".

While long "Pass-phrases" help fight cracking and make memorization easier, it's still necessary to keep passwords somewhere else but in your mind.

Alternatives include password management systems, encrypted spreadsheets containing password lists, and Multi-Factor Authentication methods (such as SmartCards).

 

[lxskllr]

I keep mine in my head. I have about 6 that I use regularly. They range from simple to complex depending on the security need.

 

[Modelworks]

I have only 2 passwords.
1 is used for forums and such, other for banking.
The first is only 8 digits.
The second is 10 digits with mixed letters and symbols.

If your interested in ways to protect accounts on a network , I think the best way is to limit attempts at entering the correct password to 3 times.
Makes it very hard to use a password recovery tool .

Most password recovery tools are brute force, usually doing a dictionary search first.
So many people use words found in the dictionary.

 

[kamper]

Originally posted by: Modelworks
If your interested in ways to protect accounts on a network , I think the best way is to limit attempts at entering the correct password to 3 times.
Makes it very hard to use a password recovery tool .

If you're talking about locking out the account after 3 failed attempts, this is a bad idea. I frequently see people effectively knocking out their own servers because they do this to 'improve security'. If you have good passwords, a network based attack is probably infeasible. Even with only decent passwords, stalling attempts to 1 every second per ip or something is probably also makes it infeasible to brute force. Any sort of lockout policy means that a hacker only has to know a user name to DoS you.