Can username and password of something be extracted from computer?

[Lonkut]

I have heard that ppl can extract password and username of pretty much anything just by accessing the comp where pass and username were inserted. How is that possible without a virus or any other program? I've heard that ppl go to regedit and look it up in the appropriate folder? How is that possible?

[Genocidicbunny]

That depends a lot on the program. I have pulled the passwords off my login on XP before, so I know thats possible for sure. With a lot of patience and skill, if the person has access to your computer, they can pull any password from it.

[STATS]

Sometimes people use a keylogger program to get usr names and pwds

[GVBN]

Passwords are most likely encrypted

[Genocidicbunny]

Quote:

Originally Posted by GVBN

Passwords are most likely encrypted

Encryption can be broken.

[Pentium]

It's possible to do pretty much anything you want with a computer if you have physical access to it.

[kcwong]

It depends on kind of password it is. Stupid password systems store passwords in plain, at the same location as the things those passwords are supposed to protected. Smarter ones store the password encrypted (i.e. can be decrypted, a reversible process) in a more secure location, away from the data they're protecting. A password system implemented with modern security-related common sense would NEVER store the password; instead the hash/digest (a non-reversible process) of the password is stored in a secure location, and when checking passwords, the password is hashed on the client machine and sent over network in a secure channel.

Some systems do not have such a choice, e.g. Windows can encrypt your files with a password. All data would have to be stored locally. I haven't read the specifics of the implementation (and I doubt that knowledge to open to public), but I guess Windows generate an encryption key using a password the user chose. The password and key will never be stored except in memory, when encrypting/decrypting files.

Though if I have physical access to a Windows machine, I can just overwrite the user account's password by using a special boot disc. Or I make my way in by cheating the user to run my programs. Then I can do things from the inside.

Once I have access, I can either wait for the user to input password (and capture it), or spirit the files away so I can crack it with brute force (try all possible combinations of password). I've read on news that PS3 is proved to be a cheap and efficient hardware for that purpose, even better than PCs.

Vista's User Access Control (UAC) could help a lot... provided that the user does not just blindly click "Yes" on every security dialog that pop up.

[warpus]

Physical access to the computer would allow you to lift most passwords from it.

My work hired a company to do an analysis of how good our security was. Well, they STOLE one of our computers and used the passwords off it to hack into our servers. It was very embarrassing.

[Souron]

I've heard hard disk passwords are supposed to be secure. Unfortunately, these are still vulnerable to brute force attacks.

[kcwong]

Quote:

Originally Posted by Souron

I've heard hard disk passwords are supposed to be secure. Unfortunately, these are still vulnerable to brute force attacks.

Yes, provided you have sufficient computing power, how much exactly depending on the strength of the encryption, you can brute force anything.

That's why we use session keys - a randomly generated key used to encrypt data. The session key is generated (and thus different) for each encryption. Session keys are typically symmetric keys - which means you use the same key to encrypt and decrypt. Encryption using symmetric algorithms are typically faster - thus encryption large amount of data won't be too much of a problem.

Then the session key is encrypted with asymmetric key - the public/private key pairs you usually hear about. The private key is held by the receiver, and is never revealed. The public key of the receiver is given to anyone who needs to send confidential data to the receiver. The public key will be used to encrypt the session key in the previous paragraph, and then the encrypted data plus the encrypted session key will be delivered to the receiver. The receiver then decrypt the encrypted session key with his private key, and then use the decrypted session key to decrypt the data. Asymmetric algorithms are typically much slower than symmetric ones - but this is less of a problem as it is only used to encrypt a relatively short session key.

Since the session key changes on each encryption, hackers will be spending a lot of effort to crack the encryption to gain just a single piece of data. On top of that, the public/private key pairs are periodically updated (with old data re-encrypted), giving less hints to hackers (with more and more data encrypted using the same key, cracking becomes easier) and making it even more futile to brute force.

And some systems will limit how many times you can present a wrong password... after that the data will be blocked or even self-destruct.

Though, of course, there are other ways to attack.