How to recover lost Windows passwords

Windows password recovery made easy

Many of us have a love-hate relationship with passwords. They're great for dissuading youngsters from logging onto our machines and wreaking havoc with our files, but they're just as likely to turn around and bite us. Forget an obscure, intricately crafted password and you're in a world of pain.

It's true that all versions of Windows enable you to create password recovery discs, but what do you do if you find yourself locked out without that disc? There are several tools out there that can help you recover the forgotten password, and the best of the lot is Ophcrack.

Its key utility reads the Security Accounts Manager (SAM) files in Windows - the files that keep user account passwords in LAN Manager (LM) or NT LAN Manager (NTLM) hash format. It uses pre-computed rainbow tables to recover the passwords. Security researcher Dr Philippe Oechslin developed the tables and the tool.

Ophcrack

Ophcrack

Ophcrack is licensed under the GPL, and is available as a free download for Windows and Linux. To retrieve your password, you'll need to boot into another OS installed on a separate disc or partition. We assume you know enough about your Bios to change your PC's boot order.

The best way to use Ophcrack is via its Live CD, which works if you don't have a dual-boot PC, or have forgotten the login password for all installations. The Live CD is based on the minimalist SliTaz Linux distribution. You can either burn the Ophcrack ISO onto a CD, or use the YUMI Multiboot USB Creator to copy the ISO onto a USB drive.

The Live CD is available in two flavours: one helps you crack Windows XP passwords, and the other targets Windows Vista installations. The two CDs package the same program, but with different rainbow tables, because Windows XP and Vista use different hashes to store passwords.

Using the Live CD

When you boot from the Ophcrack Live CD, you'll get a bootscreen with several options. Usually, 'Ophcrack graphic mode - automatic' should work. Once the Live CD boots you into the SliTaz graphical environment, it automatically launches the graphical Ophcrack tool. It will list all the user accounts it has found on your computer under the User column, and attempt to recover their passwords.

Unless your password is fairly complicated, contains lots of characters or you're on a dated machine, the tool shouldn't take long to crack your passwords. When it's done, the passwords are listed in the NT Pwd column. If the password field corresponding to your user is empty, there is no password for that user. That's all there is to it.

Now all you have to do is note down the password for your users, reboot into Windows, and log in with your username and the newly found password.

The automated password recovery procedure on the Ophcrack Live CD should suffice for most situations, but if it doesn't, you can configure the program more comprehensively.

Password cracking is a time consuming task, but you can speed up the process by asking Ophcrack to employ all the cores on your multi-core processor.

Ophcrack

To do this, switch to the Preferences tab in Ophcrack's interface and set the number of threads to a figure one greater than the number of cores. For example, on a quad-core machine, set the number to '5'. Make sure you restart Ophcrack after changing this setting.

Another way to speed things up, especially if your Windows installation has several users, is to delete any user accounts that you don't need to recover the password for. Even if you're the only user, Windows will have a couple of extra user accounts such as Guest and Administrator.