In search of ... a universal password reset/retrieval system


barney:
Folk,

I was over at Addictive Tips and Ghacks earlier today.  Both had entries on passwords.

Has anyone ever seen a universal password retrieval/reset system?  I remember one (1) when Win98 was extant that seemed to work pretty well, but it went the way of the dodo.  Don't think it even worked with Win98SE, but uncertain in that respect.  It certainly couldn't deal with NT.

It's not an overweening need, but strikes me it'd be awfully handy.  There are retrievers for Office and for specific Windows versions that dig out the activation key(s) and the authorization key(s), but they tend to be pretty version specific.  Surprisingly - to me, anyway - there's not a generic tool to find or reset such things in Windows.  Not just the MS products, but all products.  For instance, what if you needed to find the registration data for, say, Acronis True Image, or perhaps for an EaseUS product ... maybe even for some shareware product.

Yeah, the algorithms for such a beast would be tough  :tellme:.  And many  :o.  But it still surprises me that there's nothing extant in the field.  Or have I missed something?

What's your favourite retrieval system?

Ath:
Hm, any good system that stores a password, only stores a hash of it, that can't be reverted, just the calculation repeated with the correct password delivering the same hash.
So it would be nearly impossible to revert that, without a brute force attack, and even that could take from hours to more than a lifetime :o

Carol Haynes:
This password reset works very well in Windows XP/Vista/7 for user passwords.

http://pogostick.net/~pnh/ntpasswd/

It is a bootable ISO that needs to be burned to a CD (there is a bootable USB version too if you prefer).

Only caveat is that if file encryption has been used in Windows then you should not use it (the encryption uses the original password so if you reset the password none of your files can be decrypted again without reinstating the original password).

In most cases file encryption isn't used and this tool basically just reverts user accounts back to 'no password' state and does it very easily.

There are lots of tools that read license keys - one of the best I have found is SIW. See http://www.gtopala.com/ (look for the free version which works fine for this).
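
Added example (not part of the thread, and not code from any tool linked above): a simplified Python model of the two points made in the posts above, that a stored hash can be overwritten without knowing the old password, and that data encrypted under a key derived from the original password stays unreadable after such a reset. The `Account` class, the SHAKE-256 stand-in cipher and all sample values are assumptions for illustration; this is not how Windows implements either feature.

```python
import hashlib, hmac, os

ITER = 100_000  # demo work factor (assumption)

def kdf(password, salt):
    # Slow, salted, one-way derivation: the stored value cannot be run backwards.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def keystream_xor(key, data):
    # Stand-in cipher for the demo (SHAKE-256 keystream); not real file encryption.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class Account:
    """Hypothetical account record: keeps a salted verifier, never the password."""
    def __init__(self, password):
        self.enc_salt = os.urandom(16)
        self.sealed = None
        self.reset(password)

    def reset(self, new_password):
        # A reset in this model: overwrite salt and verifier, old password not needed.
        self.login_salt = os.urandom(16)
        self.verifier = kdf(new_password, self.login_salt)

    def login(self, password):
        # Verification repeats the calculation and compares in constant time.
        return hmac.compare_digest(self.verifier, kdf(password, self.login_salt))

    def encrypt(self, password, plaintext):
        key = kdf(password, self.enc_salt)  # key exists only while the password is known
        ct = keystream_xor(key, plaintext)
        self.sealed = (ct, hmac.new(key, ct, "sha256").digest())

    def decrypt(self, password):
        key = kdf(password, self.enc_salt)
        ct, tag = self.sealed
        if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
            return None  # wrong key: the data stays unreadable
        return keystream_xor(key, ct)

def demo():
    acct = Account("original-pw")  # constructed sample values
    acct.encrypt("original-pw", b"tax records")
    acct.reset("new-pw")           # reset without ever supplying "original-pw"
    return (acct.login("new-pw"), acct.login("original-pw"),
            acct.decrypt("new-pw"), acct.decrypt("original-pw"))
```

After the reset the new password logs in but cannot decrypt; only the original password still recovers the data, which is why the reset is reversible only by reinstating it.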

barney:
@ath
Yeah, that's fine in theory ... but we both know that it doesn't happen that way in the real world very often.  I can pull easily a dozen different protected proggies off my hard drive that rely upon the most common of protections, obfuscation  ;D.  Very few protected systems use much more.

@Carol
Yep, use SIW myself when the need arises.  Never got the USB part working, though ... still too many systems that won't boot from a USB stick  :huh:.

Folk, I'm not looking for a cure-all here, just opinions on what works best for you when the time comes to correct - usually - someone else's errant memory.  Although, re-iteratively, I'm still amazed that no one has yet - to my knowledge - pulled all the various recovery systems into one cohesive whole.  After all, barring real hashing, it'd be just a matter of compiling eleventy-seven scripts into one umbrella program.  Shouldn't need genius, just patience and perseverance  :P.

And I suspect that a decent cryptographer could make pretty strong headway into a lot of the hashes, but that may be an opinion born of ignorance.  I've dealt with this in past corporate days, and seldom failed - not because I'm brilliant - I ain't  :( - but because most of my coworkers were not, either.

When I forayed into the cryptographic realm, I learned that most hashes are only as strong as what is fed them - that's why [most] dictionary attacks work - and if you know the person involved in generating the password, even a dictionary attack is not often needed - or, at least, it's a much smaller dictionary  ;).  (After the fact, that seems obvious beyond the need of mention  :-\.)  

It's just that, after reading the two (2) sites previously mentioned, I got to wondering why no one had merged/meshed all the extant methodologies into a single vessel.  Be a whole lot easier to use - but, then, that may be my previously mentioned short term memory talking  :P.

[Edited for typo]

40hz:
If you're totally gung-ho on super secure passwords, your best bet is probably to head over to www.random.org, generate a listing of very long and truly random passwords.  And then use them in conjunction with a good password manager that allows a paste or form-fill option.  The weak point in the system will be the rememberable password needed to get into the PW manager, but them's the breaks. You could always prefix your real password with something (an asterisk, exclamation point, etc) and not include it in your PW manager's list. Do a paste, then hit home, add your excluded character and "Bob's yer Uncle." At least if someone gets into your PW app, the passwords that are there won't be complete without the excluded character(s).

Not particularly elegant. But it does work quite well in practice.  ;D
