Tutorial: Windows password recovery made easy
When setting a password, pick the password hint carefully
Many of us have a love-hate relationship with passwords. They're great for dissuading youngsters from logging onto our machines and wreaking havoc with our files, but they're just as likely to turn around and bite us. Forget an obscure, intricately crafted password and you're in a world of pain.
It's true that all versions of Windows enable you to create password recovery discs, but what do you do if you find yourself locked out without that disc? There are several tools out there that can help you recover the forgotten password, and the best of the lot is Ophcrack.
Its key utility reads the Security Accounts Manager (SAM) files in Windows - the files that keep user account passwords in LAN Manager (LM) or NT LAN Manager (NTLM) hash format. It uses pre-computed rainbow tables to recover the passwords. Security researcher Dr Philippe Oechslin developed the tables and the tool.
Ophcrack
Ophcrack is licensed under the GPL, and is available as a free download for Windows and Linux. To retrieve your password, you'll need to boot into another OS installed on a separate disc or partition. We assume you know enough about your Bios to change your PC's boot order.
The best way to use Ophcrack is via its Live CD, which works if you don't have a dual-boot PC, or have forgotten the login password for all installations. The Live CD is based on the minimalist SliTaz Linux distribution. You can either burn the Ophcrack ISO onto a CD, or use the YUMI Multiboot USB Creator to copy the ISO onto a USB drive.
The Live CD is available in two flavours: one helps you crack Windows XP passwords, and the other targets Windows Vista installations. The two CDs package the same program, but with different rainbow tables, because Windows XP and Vista use different hashes to store passwords.
Using the Live CD
When you boot from the Ophcrack Live CD, you'll get a bootscreen with several options. Usually, 'Ophcrack graphic mode - automatic' should work. Once the Live CD boots you into the SliTaz graphical environment, it automatically launches the graphical Ophcrack tool. It will list all the user accounts it has found on your computer under the User column, and attempt to recover their passwords.
Unless your password is fairly complicated, contains lots of characters or you're on a dated machine, the tool shouldn't take long to crack your passwords. When it's done, the passwords are listed in the NT Pwd column. If the password field corresponding to your user is empty, there is no password for that user. That's all there is to it.
Now all you have to do is note down the password for your users, reboot into Windows, and log in with your username and the newly found password.
The automated password recovery procedure on the Ophcrack Live CD should suffice for most situations, but if it doesn't, you can configure the program more comprehensively.
Password cracking is a time consuming task, but you can speed up the process by asking Ophcrack to employ all the cores on your multi-core processor.
To do this, switch to the Preferences tab in Ophcrack's interface and set the number of threads to a figure one greater than the number of cores. For example, on a quad-core machine, set the number to '5'. Make sure you restart Ophcrack after changing this setting.
Another way to speed things up, especially if your Windows installation has several users, is to delete any user accounts that you don't need to recover the password for. Even if you're the only user, Windows will have a couple of extra user accounts such as Guest and Administrator.
Finally, you can increase your chances of cracking the passwords by installing additional tables. Depending on which Live CD you've downloaded, you'll either have the XP Free Small or the Vista Free table.
Get more tables
You can download additional tables from Ophcrack's website. Besides the aforementioned tables, only the 703MB XP Free Fast table is available for free. The others can be downloaded for a fee, and can be used to crack passwords that aren't based on dictionary words, include special characters, German characters or numbers, and are of various lengths.
Once downloaded, simply copy the tables inside the 'Tables' directory in the root of your USB drive. Ophcrack will pick them up automatically on startup.
Although the Ophcrack Live CD will automatically detect users on the system it's running on, it gives you the option to load the password hashes manually. This comes in handy when you're running it on a dual-boot machine or a remote machine.
The 'Load' hash button gives you several options to load the hash. The 'Single hash' option lets you specify the hash manually. With the 'PWDUMP file' option, you can import hashes created with a third-party tool such as fgdump. You can also manually point Ophcrack to the SAM file you've grabbed from a remote machine. The SAM file is in the 'system32/config' directory.
Offline NT Password and Registry Editor
Depending on how complex the password is, there's a remote possibility that Ophcrack might not be able to crack it. If you've been unable to discover your Windows password this way, you can always try resetting it with the Offline NT Password and Registry Editor, but be aware of the implications before you start.
If you asked Windows to lock your files with your password during installation, resetting it will give you access you the installation, but the locked files won't be recoverable.
With the Offline NT Password and Registry Editor, you can reset the password for any version of Windows. It's available as a 4MB live CD. When you boot from it, it will detect all the drives and partition on those drives that have valid Windows installations.
The first step is to select the partition that houses the Windows installation whose password you need to reset. Windows 7 creates a small, bootable partition as well as the regular Windows partition that contains the OS files, so make sure you point to the larger of the two.
Next, the tool asks you the location of the password registry. In most cases, the default path should work, unless you've tinkered with its location - in which case you should have a fair idea where this needs to point.
After reading the password registry, the tool prints a list of users, and gives you the option to set a new password, wipe the password, enable/disable a user, or escalate their privileges to those of an admin. Make sure you write the changes to the registry before exiting the tool.
Once you're able to log back into your Windows installation, remember to change the password to something complex that you can still recall easily.
How to create a Windows password-reset disc
All versions of Windows let you create a password-reset disc using the Forgotten Password wizard. The exact steps for doing this vary somewhat depending on the version of Windows you're running.
In Windows XP, head to Control Panel and select User Accounts. In the Pick an Account to Change area, select your username, then under Related Tasks in the sidebar, click 'Prevent a Forgotten Password'. This will launch the Forgotten Password wizard.
In Windows Vista, head to User Accounts and Family Safety in Control Panel. Here, under User Accounts, you'll find the Create a Password Reset Disc option. Follow the same route under Windows 7 to get to the Forgotten Password Wizard.
In all versions of Windows, the wizard will ask you to insert the removable drive, prompt you for the current account password, and create the password-reset disc.
You don't need to create a disc every time you change your Windows password - it'll work no matter how many times you've changed it. On the other hand, this means that your Windows installation can be compromised with ease if you ever lose the disc.
