Solved

Windows Vista - Hack of user account password

Posted on 2009-07-14
10
Medium Priority
1,279 Views
Last Modified: 2013-12-04
My client's Dell XPS 1530 laptop running Windows Vista 64-bit Service Pack 2 with Norton 360 version 3 had its only user account password hacked, i.e., someone changed the password to something different from the original password so my client could not log on.  The computer was hard-wired to the Internet via a very old D-Link router attached to a Comcast cable modem.  I am interested in learning about the ways the user account password could have been changed without my client's knowledge.  For example, if someone had access to the computer, they could have made the change unbeknownst to my client.  What are some other ways?  Thanks in advance for your thoughts.
0
Question by:bbaumberger
10 Comments
 
LVL 1

Assisted Solution

by:rickrythe
rickrythe earned 400 total points
ID: 24855758
Possibly the computer was left unlocked and logged into the desktop, or there are various Windows password recovery ISOs that can be downloaded and burned to a disk. A weak password could have been an issue too. How secure is the location of the computer?
0
 
LVL 1

Assisted Solution

by:rickrythe
rickrythe earned 400 total points
ID: 24855778
Also, there could be a possibility that the laptop wasn't connected to a secure wireless connection and someone was using a program like Cain & Abel to sniff the network and could have gained access that way too.
0
 

Author Comment

by:bbaumberger
ID: 24855806
The computer is located in a residential environment with access limited to my client and his wife.  He has had a practice of using the SAME password for EVERYTHING.  Naturally, he is now listening to my counsel about creating unique, strong passwords for every electronic relationship.  Fortunately, he is not an e-commerce aficionado.  I am wondering if a malicious script tied to an email attachment could have changed the user account password.  Interestingly, my client is in the public eye, and the new user account password hint reflected that the perpetrator knows his famous vocation, so it was not a random attack.
0
 
LVL 12

Accepted Solution

by:Gideon7
Gideon7 earned 320 total points
ID: 24856395
I suggest developing a system of passwords that your client can recreate from memory.  For example take the last 2 letters of the web site and append it to a secret prefix -- for Amazon use "Secreton", for bankofamerica.com use "Secretca", for EBay use "Secretay", etc.   For added obfuscation you can do a letter shift ("Secretpo", "Secretdb", "Secretbz"), or some other simple transposition.
0
 

Assisted Solution

by:ReaktiuM
ReaktiuM earned 320 total points
ID: 24859425
As the above people have said, maybe the user has gotten directly into your computer and changed the password via the Control Panel. Another way is that the user may have used OphCrack, which is an application to crack the passwords of a Windows computer, to access the password, then change it from there.

Other ways also include the use of keyloggers to gain the password, then change it.
0
 
LVL 1

Assisted Solution

by:jb2286
jb2286 earned 320 total points
ID: 24891694
I've used a program called Spotmau Powersuite 2009 - this program has the capability to change user passwords from booting into its Linux-based boot mode and also using the Spotmau Windows-based tool to change passwords.  According to Spotmau, there is a portion of the registry that stores user passwords and is encrypted.  It's difficult to change passwords supposedly, but wiping them and then re-establishing a password is the method Spotmau uses.

Is your client set up on a domain?  If so, you could change the user permissions to never allow a password change for that user, so unless the blackhat gets a hold of your server and domain admin credentials, you should be better off.
0
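The "never allow a password change" restriction suggested above exists both on a stand-alone machine and on a domain. The following is an added example, not code from jb2286 or from Spotmau, showing how to inspect and apply it from PowerShell; `$AccountName` is a placeholder for the real user name, and the domain part assumes the ActiveDirectory module (Windows Server 2008 R2 or later) is installed.

```powershell
# Added example (not from the thread): inspect and restrict password changes
# for a local account on a stand-alone Windows machine, plus the domain equivalent.
# $AccountName is a placeholder; replace it with the real user name.
$AccountName = 'client'

# 1. Local account: read the flags Windows keeps for the account.
#    PasswordChangeable = False means "User cannot change password" is set.
$acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$AccountName'"
if ($null -eq $acct) { throw "No local account named $AccountName" }
$acct | Select-Object Name, SID, PasswordChangeable, PasswordRequired, PasswordExpires, Disabled, Lockout

# 2. Local account: set the restriction. This only blocks the owner changing
#    the password through the normal user interface; an administrator can still
#    reset it, so it does nothing against an attacker who already holds local
#    admin rights or boots an offline editor against the SAM.
if ($acct.PasswordChangeable) {
    net user $AccountName /passwordchg:no
    Write-Host "Password changes by $AccountName are now blocked."
}

# 3. Domain account: the same flag lives on the AD user object.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Identity $AccountName -Properties CannotChangePassword |
        Select-Object SamAccountName, CannotChangePassword
    Set-ADUser -Identity $AccountName -CannotChangePassword $true
}
```

Run it from an elevated prompt. For the laptop in this question, which is not domain-joined, only the first two steps apply, and the caveat in the comments is the important one: the flag stops the user's own changes, not a reset by anyone who has administrative or offline access.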
 
LVL 17

Assisted Solution

by:OriNetworks
OriNetworks earned 320 total points
ID: 24892278
I really don't see any gain for someone wanting to maliciously change the password. Is it at all possible that the client did change the password and simply forgot?

Here are some methods for changing the password

If the person had physical access to the computer:
-Boot from a password reset cd (Offline NT Password and Registry Editor)
-If the computer was left unattended and unlocked, simply changing the password there
-The user changing the password with CAPS LOCK on so when they enter the password next time it seems like a different password
-A family member changes the password without informing the owner

Any other circumstance
-Brute force password guessing
-Dictionary attacks to guess the password
-Sniffing passwords sent over the internet/network (if same password is commonly used)
-Malware/spyware/virus/worm changing the current users password
0
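Several of the methods listed above (an unattended session, malware, a remote shell, a family member) change the password while Windows is running, and Vista records those as Security log events 4723 (change, old password supplied) and 4724 (reset, no old password). The offline boot-CD methods write to the SAM while Windows is off and leave no such event. The following added example, not code from OriNetworks or any tool named in the thread, pulls those events with the account that was touched and the account that did it, so the owner can tell the cases apart.

```powershell
# Added example (not from the thread): list password change (4723) and
# password reset (4724) events from the local Security log, with the
# account that was touched and the account that performed the action.
# Run from an elevated PowerShell prompt; Vista and later use these IDs.

# Account Management auditing must be on for these events to be written.
auditpol /get /category:"Account Management"

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No password change/reset events found (auditing off, log cleared, or the change was made offline)."
    return
}

foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than relying
    # on positional Properties indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4723) { $kind = 'CHANGE (old password supplied)' } else { $kind = 'RESET (no old password)' }
    if ($e.KeywordsDisplayNames -contains 'Audit Success') { $outcome = 'Success' } else { $outcome = 'Failure' }

    # New-Object keeps this runnable on the PowerShell 2.0 that shipped for Vista.
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Kind    = $kind
        Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        ActedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']
        Outcome = $outcome
    }
}
```

How to read the output: a 4723 means whoever made the change already knew the old password (the owner, a family member, or a session left unlocked); a 4724 is an administrative reset and the ActedBy column shows which account performed it. A password that is known to have changed with no matching event, or a 1102 "audit log was cleared" event in the same window, points at an offline edit or at someone covering tracks, which is also worth checking against the 4624 logon events around that time.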
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 320 total points
ID: 24944365
Someone could have had remote access to a command shell, via some exploit, and changed it that way as well. Are you sure the password was changed? Possible that the SAM got corrupted, and doesn't recognize the current password?
0
 

Author Closing Comment

by:bbaumberger
ID: 31603560
Thanks to all for thoughtful, incisive suggestions.  
0
 

Author Comment

by:bbaumberger
ID: 24946172
Each person contributing to this question provided useful information that underscores the importance of using strong passwords that are changed periodically.  Thanks to all contributors.
0
