Re: Getting the Windows Password in an ecrypted form

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

<buerklma@xxxxxxxx> wrote in message
news:1181652563.972840.306190@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I wanted to do it in this way to have an option to use either the
windows authentication or my own If a user
wants to use the windows authentication he just enters once his
username and password and everytime the program starts it starts
with his user rights without showing the login form.
Otherwise the user has to enter his username and password
by hand.

On 12 Jun., 14:19, "Ray Cassick" <rcass...@xxxxxxxxxxxxxxxx> wrote:
"Hans-J. Ude" <n...@xxxxxxxxxxxx> wrote in message

news:b0ts63t106ctlp0eddsg8ujlibmonuk5bm@xxxxxxxxxx



Sheikko <shei...@xxxxxxxxx> schrieb:

On Jun 12, 8:34 am, buerk...@xxxxxxxx wrote:
Hi NG,

is there a way to get the Windows Password of a user in an encrypted
form?
In my logon process I want to check the current (windows) user and
password. If they fits no logon screen will be displayed and the
program starts.

Has somebody an idea how to get it?

Thanks in advance

Regards
Martin

Windows password are stored in a file (it's name is SAM), cant recall
the name, and they are encrypted, so you need
1. Read windows partition from Linux or DOS
2. Take the password file
3. Use a brute-force password recovery app, to TRY to find some of the
passwords

As you can see, theres no way to read these passwords from C# or any
other language, even If you could read the file on real time (you
cant, windows blocks it, thats the reason of step 1 mentioned before),
you would still have to try and find the password through brute force,
which is, time/resources consuming, you could spend 24 hours in a row
trying to get a password and either succeed or not, depending on the
complexity of the password (aka, lenght, different characters, and so
on..)

Hello Sheikko,

I think that's not what the OP was looking for. He wrote about
_encrypted_ password comparisation. I tink he want's to type in a
password, let it encrypt by the system and then compare the result to
the stored encrypted password. Everything else would be an evil
attempt of hacking.

Hans

But again why do that when you can simply use the password the person
enters
(in unencrypted form) and authenticate the user to make sure it matches?
I
do it all the time.


I understand but think this is a very bad idea. This is very unsecure
because it assumes that the person starting the application is the same
person that is logged into the computer. If someone walks away (ie: goes to
lunch and forgets to lock their system or log out) anyone can walk up, start
the program and impersonate that user. Not something that would pass any
kind of a security audit.



Please reconsider this.


.

Relevant Pages