0

If I set the same password on both Linux and Windows, is it easier for a hacker to break the Windows password? If so, why, and how can I create a Windows password with the same security level as on Linux?

user3009752
  • 135
  • 3
  • 2
    This question was already asked [here](http://superuser.com/questions/812507/are-windows-user-password-easier-to-crack-than-linux/812516#812516) and also has already an answer. – Uwe Plonus Sep 17 '14 at 09:52
  • [Windows passwords can be cached](http://security.stackexchange.com/a/63909/8340) which can make them trivial to retrieve as a post exploitation exercise, even if they are strong passwords. Windows Credential Editor achieves this. – SilverlightFox Sep 17 '14 at 10:55

3 Answers

1

So, Windows and Linux validate password-based authentication attempts by hashing the submitted password and comparing the resulting hash to the one stored (it's a bit more complex, but that's the idea; let's not worry about salts at this stage).

In the case of Windows this is an LM hash, or an NT hash.

In the case of Linux, it is very much operating system, and even operator, dependent.

How quickly you can make guesses by comparing passwords depends on the computational expense of hashing a given password. This is defined by the hashing algorithm (DES / SHA / LM / Blowfish / MD5 etc.) and by how it is used: the number of rounds can be defined in some cases (more rounds, more computational expense), or salts can be used (which inhibits pre-computing the total number space).

LM is generally considered bad; rainbow tables exist that cover the entire number space. However, a really strong (let's say 20 random chars from uppercase, lowercase, numeric and special) NT password remains very expensive to break.

Linux depends on the algorithm used.

For example:

My graphics card can make about 6046.1 kH/s guesses against LM passwords; however, it can make only about 2262 H/s against SHA-256 with 5000 rounds. Note the k (thousands of) hashes there.

Check this to try it out and get a feel for what you are asking (performance section):

http://hashcat.net/hashcat/

meph
  • 26
  • 1
  • Blowfish and DES are both ciphers, not hash algorithms. (in the case of blowfish, are you perhaps thinking of bcrypt, which uses parts of the blowfish cipher to construct the hash algorithm?) – user371366 Oct 30 '18 at 03:26
0

Impossible to say without a mountain of detailed information about the specific machines, and more to the point, it's not a useful question.

If the data on these machines is important to you, you want to create the strongest password you possibly can.

Graham Hill
  • 15,394
  • 37
  • 62
  • If we are comparing a Windows 7 OS with an Ubuntu OS and we use the same strongest password, is it equally difficult for a hacker to break either of the passwords? – user3009752 Sep 17 '14 at 09:45
0

I think it ultimately depends on how easy it is to access the stored password hashes.

Brute-forcing a Windows login screen isn't going to get you anywhere, but getting your hands on the hash and any salts involved will allow for advanced brute-force attacks.

The quality of the password and the speed of the hash are ultimately what defend you from these brute-force attacks.

The quality of the password is all on you, not Linux or Windows. And a high enough quality password can protect you even if Windows/Linux use fast hashes without stretching them.

So when it comes to breaking the actual password itself, you could blame Windows/Linux for hanging onto your hashes and not stretching them (if they aren't), but ultimately, since you are given every opportunity to protect yourself, you could just as easily turn that finger around and say: "Myself, <insert name>, use passwords that are defeated by advanced dictionary attacks. Maybe I should change my strategy."

Andrew Hoffman
  • 1,987
  • 14
  • 17