Seminal password tool rises from Symantec ashes

More than three years after Symantec unceremoniously pulled the plug on L0phtcrack, the seminal tool for auditing and cracking passwords is back with a set of new capabilities.

Starting Wednesday, L0phtcrack 6 is available from the same team of hackers who introduced it to the world a decade ago. The program was pulled from the market in late 2005 shortly after it was acquired by Symantec, presumably because its offensive capabilities didn't fit in with the company's portfolio of defensive products and services.

While programs like John the Ripper and Cain and Abel in many ways filled the void, L0phtcrack is credited with bringing awareness about password strength to the masses.

"It was one of the few tools that you could use to do password cracking that looked legitimate at the time," said HD Moore, founder of the Metasploit project. "It became fairly common for not only the pen testers and the assessment folks to use but also very common for system administrators to use to audit the passwords of their systems."

A lot has changed in the half decade that has passed since L0phtcrack 5 was released, and many of those changes are reflected in the latest version. It adds support for x64 processors and the latest operating system releases from Microsoft, Ubuntu and others. It also brings sharp new teeth to cracking passwords that use the NTLM hash, an algorithm for protecting Windows pass phrases that has come into vogue in the past few years.

According to Moore, we largely have L0phtcrack to thank for the phasing out of a previous Microsoft password hash known as LAN Manager. The algorithm stored hashes in seven-character, case-insensitive chunks that made cracking especially easy.

"It really changed people's views on how they should develop secure passwords," Moore explained. "L0phtcrack is probably the number-one reason why people disabled LANMan hashes and actually picked passwords longer than 14 characters in corporations."

L0phtcrack's reincarnation comes after its creators from the L0pht hacker collective repurchased the program's rights from Symantec. The anti-virus provider had acquired them when it acquired @stake in 2004. @stake took control of the rights a year or so earlier when it merged with L0pht.

With a price starting at $295, it's by no means the cheapest password tool on the market, but L0phtcrack team member Christien Rioux says the features such as scheduling and a dashboard that simplifies the process of disabling users with weak passwords makes the program stand out.

"There are a number of enterprise administrative features that make the product worth it for organizations that are doing this on a regular basis," he said. "It's been a very long time that this has been out there. The benefit is that we've had the opportunity to interact and fix [customer] issues and take [in] their concerns." ®