By Angela Gunn
March 17, 2009

A Windows password-auditing tool acquired by Symantec only to be shelved
when the lawyers got a look at the thing has been re-acquired by its
original authors, who have released a long-awaited Version 6 to the
public. L0phtCrack languished for years after the company decided that
the tool, popular with hackers, could raise liability issues.

Once upon a time, Mudge, Dildog, and Weld Pond released L0phtCrack,
which can be used as a password-auditing tool or, if you're playing
offense, a tool for cracking passwords on systems not belonging to you.
In 2000, the Boston-based L0pht Heavy Industries hacker collective (est.
1992, and famous for telling Congress they could take the Internet down
in 30 minutes) morphed into @stake, becoming a marginally more
mainstream security consultancy. In 2004, Symantec acquired @stake.

To the dismay of the research staff, the far more buttoned-down (and
lawyered-up) Symantec took one look at L0phtCrack and declared that
selling it would run afoul of US cryptographic export regulations. A
fifth version was released as LC5, but since 2006 Symantec has neither
sold nor supported the product. Rights to the software recently reverted
to the original L0pht crew, and here we are today.

Sure, it's a hacker tool, but so's a keyboard. L0phtCrack tests
passwords with multiple techniques -- hybrid attacks, dictionary
attacks, rainbow tables, and the ever-popular brute-force approach. That
flexibility has obvious uses for the bad guys, but white hats can also
effectively deploy the software to check password strength, retrieve
lost admin passwords, smooth migrations, and so forth.