How to Demonstrate Security Vulnerabilities in Laptop Passwords

By Kevin Beaver

Arguably the greatest threat to any business’s security is the compromise of lost or stolen laptops whose hard drives are not encrypted. Given all the headlines and awareness surrounding this effectively inexcusable vulnerability, it’s hard to believe that it’s still so prevalent in business.

Choose your tools

My favorite tool to demonstrate the risks associated with unencrypted laptops is Elcomsoft System Recovery. You simply burn this tool to a CD and use it to boot the system you want to recover (or reset) the password from.


You have the option to reset the local administrator (or other) password or have it crack all passwords. It’s really that simple, and it’s highly successful, even on the latest operating systems, such as Windows 8. The most difficult and time-consuming part of using Elcomsoft System Recovery is downloading it and burning it to CD.

You can also use another proven tool for Windows called NTAccess for resetting local Windows accounts. This program isn’t pretty or fancy, but it does the job. As with ophcrack, Elcomsoft and NTAccess provide an excellent way to demonstrate that you need to encrypt your laptop hard drives.

Even seemingly benign laptops used for training or sales can have tons of sensitive information that can be used against your business. This includes spreadsheets that users have copied from the network to work on locally, VPN connections with stored login credentials, web browsers that cache browsing history, and, even worse, website passwords that users have chosen to save.

After you reset or crack the local administrator (or other) account, you can log in to Windows and have full access to the system. By simply poking around, you can find sensitive information, remote network connections, and cached web connections to demonstrate the business risk.

If you want dig even deeper, you can use additional tools from Elcomsoft, such as Elcomsoft Internet Password Breaker, Proactive System Password Recovery, and Advanced EFS Data Recovery for uncovering additional information from Windows systems. Passware offers similar commercial tools as well.

If you want to perform similar checks on a UNIX or Linux-based laptop, you should be able to boot from Knoppix or a similar “live” Linux distribution, mount the laptop’s root filesystem, and edit its shadow file (/etc/shadow, which holds the password hashes; the passwd file holds only account details). Remove the password hash between the first and second colons of the “root” entry, which leaves root with no password on systems whose PAM configuration permits empty passwords, or copy the hash from the entry of another user whose password you know and paste it into that field. Make a backup of the file first, and note that an entry holding “!” or “*” instead of a hash is a locked account, so don’t copy from one of those.
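The shadow-file edit described above, scripted so that it can be repeated on a sample laptop without hand-editing. This is an added example and not code from the article; it assumes the target’s root filesystem has already been mounted from the live distribution at /mnt (the mount point and the user names are assumptions for illustration).

```shell
#!/bin/sh
# Added example, not from the original article: reset or replace the root
# password hash in the shadow file of an unencrypted Linux laptop, after
# booting a live distribution and mounting the target's root filesystem
# (for example: mount /dev/sda2 /mnt). Assumed path: /mnt/etc/shadow.
#
#   reset_root_hash /mnt/etc/shadow                 # blank root's hash field
#   reset_root_hash /mnt/etc/shadow alice           # copy alice's hash to root
#   reset_root_hash /mnt/etc/shadow '' "$(openssl passwd -6 NewPass1)"  # known hash

# Print the hash field (second colon-separated field) of USER in SHADOW.
#   $1 = shadow file, $2 = user name
shadow_hash() {
  awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Rewrite root's hash field in SHADOW, keeping a .bak copy of the original.
#   $1 = shadow file
#   $2 = user whose hash to copy (may be empty)
#   $3 = literal hash to install when $2 is empty (empty = no password)
reset_root_hash() {
  shadow=$1
  src_user=$2
  new_hash=$3
  [ -f "$shadow" ] || { echo "no such file: $shadow" >&2; return 1; }
  if [ -n "$src_user" ]; then
    new_hash=$(shadow_hash "$shadow" "$src_user")
    case $new_hash in
      '') echo "no entry or empty hash for $src_user" >&2; return 1 ;;
      '!'*|'*'*) echo "$src_user is locked ($new_hash); pick another user" >&2; return 1 ;;
    esac
  fi
  cp -p "$shadow" "$shadow.bak" || return 1
  # Rewrite via a temp file; "cat >" keeps the original file's mode and owner.
  awk -F: -v h="$new_hash" 'BEGIN { OFS = ":" } $1 == "root" { $2 = h } { print }' \
    "$shadow" > "$shadow.tmp" && cat "$shadow.tmp" > "$shadow" && rm -f "$shadow.tmp"
}
```

Blanking the field only lets root log in without a password where PAM allows empty passwords (the nullok option on pam_unix), so copying a known user’s hash, or installing one you generated offline with `openssl passwd -6` (OpenSSL 1.1.1 or later), is the more reliable choice.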

If you’re budget-strapped and need a free option for cracking Windows passwords, you can use ophcrack as a standalone program in Windows by following these steps:

  1. Download the source file from

  2. Run the installer you downloaded, for example:

    ophcrack-win32-installer-3.4.0.exe (or whatever the current filename is)

  3. Load the program by selecting the ophcrack icon from your Start menu.


  4. Click the Load button and choose where the hashes come from (a single hash, a pwdump file, the local SAM, a remote SAM, and so on).

    Choosing a remote SAM makes ophcrack authenticate to the remote system using the locally logged-in username and run pwdump code to extract the password hashes from that system’s SAM database. You can also load hashes from the local machine or from a pwdump file saved during a previous session. ophcrack can’t crack anything until at least one set of rainbow tables is installed (use the Tables button), so do that before launching.


  5. Click the Launch icon to begin the rainbow crack process.

    The process can take a little while. In the author’s test run, three of four long, random passwords were cracked in just a couple of minutes. The fourth survived only because it ended with an exclamation point, and ophcrack’s smaller “10k” alphanumeric table set doesn’t cover extended characters. Larger table sets that do cover them are available, so even the more creative passwords can be cracked given the right tables and enough time.


There’s also a bootable Linux-based version of ophcrack that allows you to boot a system and start cracking passwords without having to log in or install any software.

It is highly recommended that you use ophcrack’s LiveCD on a sample laptop computer or two to demonstrate just how simple it is to recover passwords and, subsequently, sensitive information from laptops that don’t have encrypted hard drives. It’s amazingly simple, yet people still refuse to invest money in full disk encryption software.


The best safeguard against a hacker using a password reset program against your systems is to encrypt your hard drives, whether with a commercial product such as Symantec Encryption or WinMagic SecureDoc or with the full disk encryption built into the operating system. Make sure the product requires a pre-boot password or other authentication before it unlocks the drive; a drive that unlocks itself on every boot leaves far less standing between a thief and your data.

Power-on passwords set in the BIOS can be helpful as well, but they’re often a mere bump in the road. All a criminal has to do is reset the BIOS password (clearing the CMOS is usually enough) or, better yet, simply remove the hard drive from your lost system and read it from another machine. Only encryption defeats that last step.
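A quick check for the drive-removal scenario above: before (or instead of) running a password reset tool, boot a live Linux on the laptop or attach its drive to another machine and ask blkid(8) which partitions are plain filesystems and which are encrypted containers. This is an added example, not from the article; the blkid output below is constructed for illustration (made-up UUIDs), and it assumes blkid from util-linux 2.33 or later, which reports BitLocker volumes as TYPE="BitLocker" (older versions show no type or ntfs for such a partition).

```shell
#!/bin/sh
# Added example, not from the original article: from a live Linux boot (or
# with the laptop's drive attached to another machine), classify each
# partition as an encrypted container or an offline-readable filesystem
# from blkid(8) output. On a real machine pipe it in:  blkid | classify_blkid

classify_blkid() {
  awk '{
    dev = $1; sub(/:$/, "", dev)
    type = ""
    if (match($0, /TYPE="[^"]*"/)) type = substr($0, RSTART + 6, RLENGTH - 7)
    if (type == "crypto_LUKS" || type == "BitLocker")
      status = "encrypted (" type "): unreadable without the key or recovery password"
    else if (type ~ /^(ntfs|ext[234]|xfs|btrfs|vfat|exfat)$/)
      status = "UNENCRYPTED " type ": mount it elsewhere and read everything"
    else if (type == "")
      status = "no filesystem signature"
    else
      status = "other (" type ")"
    print dev, status
  }'
}

# Constructed sample of blkid output (UUIDs are made up): a laptop with a
# BitLocker-protected Windows volume and a second drive holding an
# unencrypted ext4 volume next to a LUKS container.
SAMPLE_BLKID='/dev/sda1: LABEL="System Reserved" UUID="1A2B3C4D5E6F7081" TYPE="ntfs" PARTUUID="0001-01"
/dev/sda2: UUID="9C8D7E6F5A4B3C2D" TYPE="BitLocker" PARTUUID="0001-02"
/dev/sdb1: UUID="5e1c6d7a-1111-4a2b-9c3d-0a1b2c3d4e5f" TYPE="ext4" PARTUUID="0002-01"
/dev/sdb2: UUID="6f2d7e8b-2222-4b3c-8d4e-1b2c3d4e5f60" TYPE="crypto_LUKS" PARTUUID="0002-02"'

# Number of partitions in the sample that can be read without any key.
count_unencrypted() {
  printf '%s\n' "$SAMPLE_BLKID" | classify_blkid | grep -c '^[^ ]* UNENCRYPTED'
}

printf '%s\n' "$SAMPLE_BLKID" | classify_blkid
```

Any line flagged UNENCRYPTED is a partition that can be mounted read-only from the live system and browsed for the spreadsheets, VPN profiles and saved browser passwords described earlier, with no password reset needed at all.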

You also need to ensure that people can’t gain unauthorized physical access to your computers. When a hacker has physical access and your drives are not encrypted, all bets are off.