Getting the Windows Password in an encrypted form


buerklma

Hi NG,

is there a way to get the Windows Password of a user in an encrypted
form?
In my logon process I want to check the current (windows) user and
password. If they fit, no logon screen will be displayed and the
program starts.

Has somebody an idea how to get it?

Thanks in advance

Regards
Martin
 
Hello, (e-mail address removed)!

There is no need to compare passwords, just compare names.

Use WindowsIdentity.GetCurrent().Name and compare this name with
the one you store in your application.

WindowsIdentity.GetCurrent() - returns a WindowsIdentity object that
represents the current Windows user, the user who has logged on already.

You wrote on Mon, 11 Jun 2007 23:34:12 -0700:

b> Hi NG,

b> is there a way to get the Windows Password of a user in an encrypted
b> form?
b> In my logon process I want to check the current (windows) user and
b> password. If they fit, no logon screen will be displayed and the
b> program starts.

b> Has somebody an idea how to get it?

b> Thanks in advance

b> Regards
b> Martin


With best regards, Vadym Stetsyak.
Blog: http://vadmyst.blogspot.com
 
Vadym Stetsyak said:
Hello, (e-mail address removed)!

There is no need to compare passwords, just compare names.

Of course there are situations to compare passwords. When you want to
change your current password you usually have to retype the old one to
make sure that the legitimate user sits in front of the computer and
not someone else.

Hans
 
Hi NG,

is there a way to get the Windows Password of a user in an encrypted
form?
In my logon process I want to check the current (windows) user and
password. If they fit, no logon screen will be displayed and the
program starts.

Has somebody an idea how to get it?

Thanks in advance

Regards
Martin

Windows passwords are stored in a file (its name is SAM), can't recall
the name, and they are encrypted, so you need to:
1. Read the Windows partition from Linux or DOS
2. Take the password file
3. Use a brute-force password recovery app, to TRY to find some of the
passwords

As you can see, there's no way to read these passwords from C# or any
other language. Even if you could read the file in real time (you
can't, Windows blocks it, that's the reason for step 1 mentioned before),
you would still have to try to find the password through brute force,
which is time/resource consuming. You could spend 24 hours in a row
trying to get a password and either succeed or not, depending on the
complexity of the password (aka length, different characters, and so
on).

You can also look here to learn how Windows stores passwords and where:
http://www.tech-faq.com/windows-password-file.shtml
http://us1.samba.org/samba/ftp/pwdump/
 
Hello, Hans-J.!

It really depends on your application. If it uses Windows accounts
(identities), then there is no need for password comparison. If the user
wants to change the password, she changes the Windows password.
So Windows does all the work; you only have to check the identity of the
logged-in user.

OTOH, if your application has a custom password system, then you're on your
own as to how you will manage passwords and authenticate users.

Maybe you could share with us what the application is. Is it a desktop or
web app?
Give more background.

You wrote on Tue, 12 Jun 2007 09:56:36 +0200:


HJU> Of course there are situations to compare passwords. When you want to
HJU> change your current password you usually have to retype the old one
HJU> to make sure that the legitimate user sits in front of the computer
HJU> and not someone else.

HJU> Hans

With best regards, Vadym Stetsyak.
Blog: http://vadmyst.blogspot.com
 
Vadym Stetsyak said:
Hello, Hans-J.!

It really depends on your application. If it uses Windows accounts
(identities), then there is no need for password comparison. If the user
wants to change the password, she changes the Windows password.
So Windows does all the work; you only have to check the identity of the
logged-in user.

OTOH, if your application has a custom password system, then you're on your
own as to how you will manage passwords and authenticate users.

Maybe you could share with us what the application is. Is it a desktop or
web app?
Give more background.

Hello Vadym,

I'm the wrong person to ask this, since I'm not the original poster.
What I wrote were just my personal thoughts about the subject.

greetings,
Hans
 
Sheikko said:
Windows passwords are stored in a file (its name is SAM), can't recall
the name, and they are encrypted, so you need to:
1. Read the Windows partition from Linux or DOS
2. Take the password file
3. Use a brute-force password recovery app, to TRY to find some of the
passwords

As you can see, there's no way to read these passwords from C# or any
other language. Even if you could read the file in real time (you
can't, Windows blocks it, that's the reason for step 1 mentioned before),
you would still have to try to find the password through brute force,
which is time/resource consuming. You could spend 24 hours in a row
trying to get a password and either succeed or not, depending on the
complexity of the password (aka length, different characters, and so
on).

Hello Sheikko,

I think that's not what the OP was looking for. He wrote about
_encrypted_ password comparison. I think he wants to type in a
password, let the system encrypt it and then compare the result to
the stored encrypted password. Everything else would be an evil
attempt at hacking.

Hans
 
It is a desktop application.

I wanted to do the following:
When the program starts it gets the current (windows) username and
encrypted password.
Afterwards compare both values with the values in my DB (the condition
here is that I use the same
encryption algorithm as windows does, because the password in the db
is also stored in an encrypted form).

When it fits with the DB values my App starts. Otherwise a login
window will be shown, where the user can enter
the username and password.
 
Hans-J. Ude said:
Hello Sheikko,

I think that's not what the OP was looking for. He wrote about
_encrypted_ password comparison. I think he wants to type in a
password, let the system encrypt it and then compare the result to
the stored encrypted password. Everything else would be an evil
attempt at hacking.

Hans

But again why do that when you can simply use the password the person enters
(in unencrypted form) and authenticate the user to make sure it matches? I
do it all the time.
 
I wanted to do it in this way to have an option to use either the
windows authentication or my own. If a user
wants to use the windows authentication he just enters once his
username and password and every time the program starts it starts
with his user rights without showing the login form.
Otherwise the user has to enter his username and password
by hand.
 
I wanted to do it in this way to have an option to use either the
windows authentication or my own. If a user
wants to use the windows authentication he just enters once his
username and password and every time the program starts it starts
with his user rights without showing the login form.
Otherwise the user has to enter his username and password
by hand.

I understand but think this is a very bad idea. This is very insecure
because it assumes that the person starting the application is the same
person that is logged into the computer. If someone walks away (i.e., goes to
lunch and forgets to lock their system or log out) anyone can walk up, start
the program and impersonate that user. Not something that would pass any
kind of a security audit.



Please reconsider this.
 
Hello, (e-mail address removed)!

That's an overkill to check hashed passwords :).

When a user is logged on to Windows, you already know that this is a valid
user, because to perform the login the user 'tells' his login and password
to Windows.

In your application you have to make some assumptions, like:
- when the application starts, it will check the current logged-in user; if it
has such a user name in the DB, then no login screen.
- when the application starts and finds no such user in the DB, show the login
screen.
This login screen will use the LogonUser API to perform user verification
against the Windows security system.

You wrote on Tue, 12 Jun 2007 04:48:03 -0700:

b> It is a desktop application.

b> I wanted to do the following:
b> When the program starts it gets the current (windows) username and
b> encrypted password.
b> Afterwards compare both values with the values in my DB (the
b> condition here is that I use the same
b> encryption algorithm as windows does, because the password in the db
b> is also stored in an encrypted form).

b> When it fits with the DB values my App starts. Otherwise a login
b> window will be shown, where the user can enter
b> the username and password.






With best regards, Vadym Stetsyak.
Blog: http://vadmyst.blogspot.com
 
Hi NG,

is there a way to get the Windows Password of a user in an encrypted
form?
In my logon process I want to check the current (windows) user and
password. If they fit, no logon screen will be displayed and the
program starts.

Has somebody an idea how to get it?

The username is available from .NET as Environment.UserName

The password is stored in the registry. Accounts have a (meaningless?)
ID number that you have to look up in

HKLM/Security/SAM/Domains/Account/Users/Names/Username

The encrypted password for that user is at:

HKLM/Security/SAM/Domains/Account/Users/IDNumber

Note that by default only SYSTEM can access HKLM/Security but obviously
an administrator can set it so that they have access. It would be a
*very* bad idea to give non-administrators access to that (with read
access they could do an offline attack on admin passwords - with write
access they could change admin passwords and just log in), so only
administrators will be able to use your program.
On Vista and later versions of Windows, you're likely to irritate people
with dialogs asking if they're sure they want to give admin rights to
your program.

Vista also seems to store the value in a slightly different way to XP
(two keys). Perhaps they're salting the hash with the username - it
would be about time!

You should also note that if somebody gets access to your program's
data, they can trivially attack passwords on the system and get access.
So you'd better set your program's data file security attributes to only
allow admins access.

********
* NOTE *
********
While that answers your question, it's not actually what you want to do.
You could either use the LogonUser API (not available on many older
versions of Windows and requires your program to have privileges to act
as part of the OS before Windows XP), or (probably better in your case)
use SSPI. These will do the authentication for you.

Full details and sample code on using SSPI are available from here:
http://support.microsoft.com/kb/180548/EN-US/

Alun Harford
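
The startup flow suggested in the replies above (Vadym Stetsyak's name check with a LogonUser fallback, and the LogonUser option Alun Harford mentions), as an added C# example that is not code from any poster in this thread. The `KnownUsers` set and its `EXAMPLE\martin` entry are hypothetical stand-ins for the application's user table, and it assumes Windows XP or later, where LogonUser needs no special privilege.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class StartupAuth
{
    const int LOGON32_LOGON_NETWORK = 3;     // validate credentials only, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical stand-in for the application's user table (assumption, not from the thread).
    static readonly HashSet<string> KnownUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"EXAMPLE\martin" };

    // True when the already logged-on Windows account is registered in the app.
    public static bool CurrentUserIsKnown()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
            return KnownUsers.Contains(id.Name);   // Name has the form "DOMAIN\user"
    }

    // Asks Windows to verify the credentials; the app never reads or stores a password hash.
    public static bool ValidateWithWindows(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK,
                       LOGON32_PROVIDER_DEFAULT, out token))
            return false;   // Marshal.GetLastWin32Error() gives the reason (1326 = ERROR_LOGON_FAILURE)
        CloseHandle(token); // the token is only proof of a successful logon here
        return true;
    }

    static void Main()
    {
        if (CurrentUserIsKnown()) { Console.WriteLine("Known Windows user, no login screen."); return; }
        Console.Write("User: ");     string u = Console.ReadLine();
        Console.Write("Password: "); string p = Console.ReadLine();
        Console.WriteLine(ValidateWithWindows(u, Environment.UserDomainName, p)
            ? "Access granted." : "Login failed.");
    }
}
```

Nothing in this flow touches the SAM hive or needs administrator rights; the password entered at the fallback prompt is handed to Windows and discarded.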
 