Adventures in Underland: What Passwords Do When No One Is Watching

Sign in to queue


Wherever and whenever you enter your password in the password field, there is at least one mechanism that must know it to use it later for the designed purpose. The common knowledge is that when we set up our password in Windows it is hashed and stored either in SAM or ntds.dit database in Active Directory. This is useful for verification purposes, but if your operating system can re-use the password it means others can decrypt it! In this intensive session, learn the encryption and decryption techniques being used nowadays in systems, networks, and applications. We look at the various technology weaknesses and try to take passwords from the places where they are used by the operating system to perform several operations. Become familiar with some unexpected places for your passwords and learn what you can do to mitigate the risk before somebody else grabs them! Session covers passwords’ internals. Have a cup of coffee before attending!



Session Type:





La Nouvelle Ballroom B



Download this episode

The Discussion

  • User profile image

    Sounds interesting!

  • User profile image

    I am hoping this information will be helpful for our Help Desk and PC Support techs.

  • User profile image

    My organization uses an identity management system,  I tell my users to log out of all connected systems before changing passwords.  I know why and I try to explain, perhaps this would be helpful.

  • User profile image

    Paula's sessions are always good.

  • User profile image

    When no one is watching, passwords tease each other about how complicated they are. Also make bets on which password will be forgotten first. Some hate each other because they copied the same password. Tongue Out

  • User profile image


  • User profile image

    I heard one of the examples being used here was CPAU ( If it took longer than 5 minutes to accomplish it I would be surprised. I (the author) indicate on the web site that anyone with a debugger can get the info out of an encoded (not encrypted) JOB file. Also there are at least 3-4 articles on the web that have been out there >year that talk about doing it.


  • User profile image

    Great Sesion!

  • User profile image

    joe! Cpau does one thing and does it well. It is why I used it as an example. The session was about password storing and reusing and not about cracking/hacking applications. I hope you do not take it personally! :)

  • User profile image

    lmao @ trever. yeah she's SMOKING HOTT!!!! and the fact that she knows!!!

  • User profile image

    Paula, I didn't take it personally. :) I just wanted to point out that this is well known to me and anyone who searches the internet. Unfortunately the API call being used only accepts clear text. One of the reasons I didn't bother worrying much about encrypting the JOB file (versus encoding) is that I knew how simple it was to break on the API call (or the various and sundry ways you can try to hide the call) and look at the parameters directly or even to just hook the API call and dump every use of it by anything. On the positive side, not many people have a clue on what to do in a debugger and that number seems to get smaller every year.

    I was a little disappointed that only one person raised their hand and said they used CPAU though, I received about 18 or so emails from folks sitting in the room while your presentation was going on letting me know that it was being "hacked" on the big screen. ;)

    Good presentation overall. :)

    Take care,


Add Your 2 Cents