I somehow managed to get locked out of my Windows Live account. Password recovery does not work (I chose a stupid secret question) and they are asking me to provide some information about my account but being very un-friggin helpful about it.
They seem only interested in my messenger contacts and hotmail emails despite me hardly using either. I provided loads of detailed information about Live Mesh (because that’s what I use mainly) but that’s not enough apparently.
So I was thinking perhaps if I could recover my password from another machine then I could tell them what it was – might make them reconsider. It was stored on my other machines in the Live Mesh login client and in Windows Messenger... and probably in Google Chrome as well.
Any idea how to recover them? I’m thinking they’ll be encoded somewhere and I can use a brute force attack to crack the encoded text. I have account access to all the machines that it’d be stored on.
If you have machines that can log in, why not log in, get info on your messenger contacts and hotmail emails, then get back in touch with MS now you have the info they want to unlock things?
How did you plan to “crack them yourself”? There are so many reasons I can think that this won’t work I can’t be bothered to type them all! It’s relatively trivial to hash a password into an encoded string, but the reverse is not true. Indeed that’s the point. Or was your plan to (somehow) replicate the password hash function and brute force some possible passwords you might have used in an attempt to get a hash collision? But then you need to know how the function… etc.
you have machines that can log in, why not log in, get info on your messenger contacts and hotmail emails, then get back in touch with MS now you have the info they want to unlock things?
But there’s a hole in my bucket! (ie the account’s locked – if I could log in then there’d be no trouble!)
It’s relatively trivial to hash a password into an encoded string, but the reverse is not true
Well I believe it’s quite possible to use brute force to crack a password extracted from a unix password file using software and modern computing power. I assumed the algorithms would be widely known for Windows also.
I assumed the algorithms would be widely known for Windows also.
This could be a rash assumption. It may be that the password itself is not stored, but rather an authenticated logon token for the services in question. But you can look that up and find that out yourself.
Indeed if you can’t logon with this saved info, that implies the above? Otherwise how does recovering your password help you? Actually I guess MS support folks might have a non-locked interface where they can check a pw supplied by you matches the hashed password they have stored for you.
I believe it’s quite possible
You need to work on the answer to this part before anything else. I’d expect it to be very hard. (that’s not a naive assumption, cryptology isn’t my field, nor is windows security, but my doctorate is in computer science so I’m more clued up than most).
I think you’ll spend less time sorting this by persisting with the bureaucracy of getting it reset over the phone than trying to reverse engineer the password.
I think you’ll spend less time sorting this by persisting with the bureaucracy of getting it reset over the phone
Yeah but the issue is I cannot supply the information they are asking for.
Which would mean there is no password stored on your computer?
When you click the ‘remember my password’ button it gets stored in some kind of password vault on your PC, I seem to remember reading. Or rather, it DOES get stored on your PC – I seem to remember reading it was at one point laughably easy to recover these since they were stored in a file called passwords.txt in your profile or something silly.
True, I’m just making assumptions as well. But I do know a bit about how password hashing functions are designed, and the difficulty of trying to brute force them. So I think this is the bit you need to focus on, but it’s the part you’re being vague on.
Do you have no way of getting some idea what your msn contacts/emails are? This seems like an easier way to regain access. You’ve never set up a mail-client for access, or email forwarding, and so are able to recover this info that way? Or use MSN with a client which probably stores chat transcripts? These are less likely to be encrypted and could get the info you need. A chat client may also store an offline buddy list, which might be easier to access than a password?
Do you have no way of getting some idea what your msn contacts/emails are?
Would I be posting this crazy talk if I did?
The email they sent asked for ways to identify yourself SUCH AS hotmail folders, msn contacts, recent emails and that kind of thing.
I sent them absolutely everything I could think of which wasn’t a lot since I hardly ever use messenger now and only use hotmail for an alternative paypal account and things that might spam me.
I’ve never used it but there is a “Live Messenger password recovery tool” at the top of a google listing for just that. If you do use it, I would change it immediately afterwards, you never know what some of these free tools leak out.
The problem with microsoft is that their hashing algorithms are not only very weak but also very well known. There are so many tools that can easily and quickly reverse the hashing, mainly because of the way windows handles encryption. (i.e. badly)
Lots of systems still use very poor hashing algorithms that simply haven’t stood up to the test of time and quick brute forcing is now possible against all but the strongest. And as discussed earlier, if your own computer isn’t beefy enough, no problem, get yourself onto the internet and a nice company will apply their cpu array to it and have it back to you in no time for a nominal fee.
Drac, you need to look like this
this,
or this…
To be a good hacker. I’ve watched hacking films too.
The days of cracking Hotmail with a broken biscuit are long gone.
You might have some luck with things like Snadboy’s Revelation tool for displaying ****** passwords, though I’ve not used such things in many years now so what it’d make of Windows 7 I can only guess.
Disclaimer – I know nothing about Windows Live, but if you’ve used Firefox to access it and clicked remember me, then the password will be saved in the Saved Passwords bit of the program settings.
Doesn’t chrome have something similar?
Posted 13 years ago
The topic ‘How does Windows 7 store passwords for things?’ is closed to new replies.