In this paper, we present practical password recovery attacks against two challenge and response authentication protocols using MD4. For attacks on protocols, the number of queries is one of the most important factors because the opportunity where an attacker can ask queries is very limited in real protocols. When responses are computed as MD4(Password||Challenge), which is called prefix approach, previous work needs to ask 2³⁷ queries to recover a password. Asking 2³⁷ queries in real protocols is almost impossible. In our attack, to recover up to 8-octet passwords, we only need 1 time the amount of eavesdropping, 17 queries, and 2³⁴ MD4 off-line computations. To recover up to 12-octet passwords, we only need 2¹⁰ times the amount of eavesdropping, 2¹⁰ queries, and 2⁴¹ off-line MD4 computations. When responses are computed as MD4(Password||Challenge||Password), which is called hybrid approach, previous work needs to ask 2⁶³ queries, while in our attack, up to 8-octet passwords are practically recovered by 2⁸ times the amount of eavesdropping, 2⁸ queries, and 2³⁹ off-line MD4 computations. Our idea is guessing a part of passwords so that we can simulate values of intermediate chaining variables from observed hash values. This enables us to use a short local collision that occurs with a very high probability, and thus the number of queries becomes practical.