Disclaimer: Do not try this on unauthorized systems.
If you lose a Windows password, or you buy a system that has an OS on it, but you don't know the password, what are you to do? The best thing to do would be to throw in a Linux CD, format the drive, and install the Distro. But, what if you want to boot to the system and see what's on there, and get data off?
Well, we have quite a few options. I'm going to cover two of them. I'll start with ophcrack. http://ophcrack.sourceforge.net/
"Ophcrack is a Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a GTK+ Graphical User Interface and runs on Windows, Mac OS X (Intel CPU) as well as on Linux."
We're going to use ophcrack live cd, which is a stripped down version of slax using fluxbox, with ophcrack running on top. The cd can be downloaded here. Ophcrack LiveCD
Once you burn the ISO, you just boot the cd, and it goes right to work. In my case, because I'm running on a 64 bit system, I had to pass the noapic option on bootup.
I set up a couple of different accounts to test the ability of the software. For the first account, I used a simple password, "coldplay". For the second account I used a simple but randomly generated password, "wzgqptjb". For the third account, I generated a 12-character random password with symbols and special characters, "c?4"e9n^bA!t". The last account had the same criteria: "\O0//|?3>q)h".
The results were somewhat predictable, except for the last two accounts. Within 2 minutes, the first two passwords were revealed in the window. I figured the other two might take a while, so I went and played Guitar Hero for a while, coming back occasionally to check on them. After about 30 minutes, it had completed its cycle, but told me that the last two passwords weren't found.
For plain character passwords, it doesn't seem to matter whether it's randomly generated, or just a word. They were discovered simultaneously. But as far as the second two go, I guess 12 random special characters is enough to stump ophcrack. I figured it would just brute force it, if nothing else. But that wasn't the case.
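To make that result concrete, here is a small added Python example (not from the post or from ophcrack) that classifies each of the four test passwords by character set and computes the search space a rainbow table would have to cover to contain them. The "alphanumeric table up to 14 characters" description is an assumption used for illustration, not a description of a real ophcrack table.

```python
import math
import string

# Character classes a rainbow table is typically generated over.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password):
    """Bits of search space for the smallest charset covering this password.

    This is alphabet size ** length, i.e. what a rainbow table would have to
    cover to guarantee a hit. It says nothing about dictionary strength:
    "coldplay" and "wzgqptjb" score the same here, which matches the post.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def covered_by_table(password, table_classes, max_len):
    """True if a table built over table_classes up to max_len contains password."""
    return (len(password) <= max_len
            and classes_used(password) <= set(table_classes))


# Constructed table description (assumption): alphanumeric, up to 14 chars.
ALNUM_TABLE = ({"lower", "upper", "digit"}, 14)


def assess(password):
    """Summarise one password: classes used, keyspace bits, table coverage."""
    return {
        "password": password,
        "classes": sorted(classes_used(password)),
        "bits": round(keyspace_bits(password), 1),
        "in_alnum_table": covered_by_table(password, *ALNUM_TABLE),
    }


if __name__ == "__main__":
    # The four passwords from the test accounts described in the post.
    for pw in ["coldplay", "wzgqptjb", 'c?4"e9n^bA!t', "\\O0//|?3>q)h"]:
        print(assess(pw))
```

The two alphanumeric passwords sit well inside the constructed table, while the two 12-character passwords with symbols fall outside its character set entirely, which is why a table-based cracker reports them as not found rather than brute-forcing them.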
So with that program, I was halfway successful. I might have gotten lucky and gained administrative privileges with those two accounts, but with passwords like that, they're most likely regular user accounts.
On to the next program. This is my favorite one, because it's around 3MB for the entire image, and instead of going through a crack process, it completely blanks the windows password in very little time. It's called "Offline NT Password & Registry Editor", and can be downloaded from this website.
Just download the image, unzip it, and burn it to CD. CDs are cheap, so don't complain about wasting a CD for 3MB of space.
Once you boot to it, it will try and autodetect everything. Unless you install Windows in funky directories, all defaults will do the trick. The menu is very straightforward and easy to use.
I selected the admin account (the one with the more difficult password), which is the default. Then I used the command * to blank the password. Then I typed in the name of the other account and blanked it as well. This took around 3 minutes total, including boot time. Then I exited, making sure to save my changes. Once I rebooted into Windows, I logged into my accounts with NO password. Everything worked perfectly and I had admin privileges.
With this program, it's really irrelevant how long your password is. It just blanks it with a quick registry edit. Why wait for password cracking software when you have this? Consider your system owned if someone has physical access to it. It's a great precaution to use secure passwords on your systems, but security is relative and there's always a way around things. You could, of course, enable a BIOS password to bump the security up a notch.
Be smart, and never think that your system is impenetrable, especially if you use Microsoft's products.
If you're interested in recovering passwords in linux, here's a great article on ubuntology....
One last thing.....
I wanna give a big HELL YEAH to Wayne, over at fsckin w/ linux. His site is great, and it's only getting better as time goes on!