All in a day's work: Password cracking for the rest of us

Abstract

The majority of computer systems are still protected primarily with a user name and password, and many users employ the same password on multiple systems. Additionally, some of the most popular operating systems, such as Windows XP, Windows Vista and the upcoming Windows 7, still use ad-hoc constructed hash functions such as LM, while many Linux variants use the broken hash function MD5. This paper describes an experiment where we have tested the strength of a selection of passwords when converted to LM, NT and MD5 hashes, respectively, using commonly available tools. Our conclusion is that a large number of passwords can be cracked within a normal working day, and that all LM hash passwords can be recovered before morning coffee. The use of such weak hash functions in the process of user authentication in these operating systems poses a significant threat to an organization's security.

Category

Academic chapter/article/Conference paper

Language

English

Author(s)

Affiliation

  • Norwegian University of Science and Technology
  • SINTEF Digital / Software Engineering, Safety and Security

Year

2009

Publisher

Tapir Akademisk Forlag

Book

Norsk informasjonssikkerhetskonferanse : NISK 2:2009 : NTNU, Trondheim 24.-25. november 2009

ISBN

978-82-519-2492-4

Page(s)

69 - 83
