Are Active Directory passwords encrypted?

Discussion in 'Active Directory' started by EddieF, Dec 17, 2008.

  1. EddieF

    EddieF Guest

    We're trying to make sure passwords are encrypted on all of our systems.
    Just want to verify that passwords are automatically encrypted in Active
    Directory and on the domain controllers. Also, are the local account
    passwords encrypted on file servers? If not are there any suggestions on how
    to do this? Thanks in advance for any help and suggestions.
    EddieF, Dec 17, 2008

  2. Irv

    Irv Guest

    Windows doesn't really store passwords - it uses hashes. In Windows there
    are two hashes:

    LM Hash - Uses DES to encrypt a string using your password as the key
    NT Hash - Uses MD4 to hash your password.

    At least that's what I learnt at Teched!


    Irv, Dec 17, 2008

  3. Greg Stigers

    Greg Stigers Guest

    Be aware that LM hashes can be stored, exposing shorter / weaker passwords
    to cracking. But you can prevent this. See "How to prevent Windows from
    storing a LAN manager hash of your password in Active Directory and local
    SAM databases" at <>.
    Greg Stigers, MCSE
    remember to vote for the answers you like
    Greg Stigers, Dec 17, 2008
  4. Florian Frommherz [MVP]

    Eddie,
    They are stored as hashes - no chance you get to see the real passwords
    in the database. Passwords aren't transmitted over the wire - always the
    hashes. What happens when you connect to a file is you basically acquire
    a service ticket at the DC by encrypting a message from the DC with your
    hashed password. The DC verifies the encrypted answer and - if the
    password is correct - hands out a ticket for the file server service. You
    then connect to the file server and show that ticket. Have a look at the
    well-known Kerberos authentication protocol - that's what it is.


    Florian Frommherz [MVP], Dec 17, 2008
  5. Jorge Silva

    Jorge Silva Guest

    Check the GPO Setting "Store passwords using reversible encryption".
    This security setting determines whether the operating system stores
    passwords using reversible encryption. This policy provides support for
    applications that use protocols that require knowledge of the user's
    password for authentication purposes. Storing passwords using reversible
    encryption is essentially the same as storing plaintext versions of the
    passwords. For this reason, this policy should never be enabled unless
    application requirements outweigh the need to protect password information.
    This policy is required when using Challenge-Handshake Authentication
    Protocol (CHAP) authentication through remote access or Internet
    Authentication Services (IAS). It is also required when using Digest
    Authentication in Internet Information Services (IIS).

    Additionally consider the use of IPsec in "less secure" network areas, e.g.
    DMZ, etc.
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Jorge Silva, Dec 17, 2008
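    An audit script that checks the two settings raised in this thread (Greg's LM hash storage and Jorge's reversible encryption policy) on a domain controller or file server. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, a session running as a domain account that can read user objects, and the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash registry value that the KB article Greg references documents. It goes slightly beyond the thread by also checking the per-account reversible-encryption flag and listing passwords that have not changed since the LM setting was applied.

```powershell
# Added audit script (not from the thread). Assumes RSAT ActiveDirectory module
# and a domain account able to read user objects. NoLMHash=1 stops the LM hash
# being written at the user's NEXT password change, so old LM hashes linger.
Import-Module ActiveDirectory

# 1. LM hash storage on this machine (local SAM) - the KB article's registry value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NoLMHash -ErrorAction SilentlyContinue
if ($null -eq $lsa) {
    Write-Warning 'NoLMHash not set: OS default applies (LM hashes ARE stored on pre-Vista/2008 systems).'
} elseif ($lsa.NoLMHash -eq 1) {
    Write-Output 'NoLMHash=1: LM hashes are no longer stored after the next password change.'
} else {
    Write-Warning "NoLMHash=$($lsa.NoLMHash): LM hashes are being stored."
}

# 2. Domain-wide "Store passwords using reversible encryption" (Jorge's GPO setting).
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning 'Default domain policy stores passwords with reversible encryption (equivalent to plaintext).'
} else {
    Write-Output 'Default domain policy: reversible encryption disabled.'
}

# 3. Per-account override: userAccountControl bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED)
#    grants reversible storage to one account even when the domain policy is off.
#    Also flag enabled accounts whose password predates the NoLMHash change,
#    because their LM hash (if any) is only flushed by a password change.
#    $cutoff is an assumed date: replace it with when NoLMHash was actually applied.
$ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
$cutoff = Get-Date '2008-01-01'

Get-ADUser -Filter * -Properties userAccountControl, PasswordLastSet | ForEach-Object {
    if (($_.userAccountControl -band $ENCRYPTED_TEXT_PWD_ALLOWED) -ne 0) {
        Write-Warning "$($_.SamAccountName): reversible encryption allowed per-account."
    }
    if ($_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) {
        Write-Warning "$($_.SamAccountName): password last set $($_.PasswordLastSet) - may still have an LM hash; force a change."
    }
}
```

    Run it on each domain controller for the local SAM check; the AD queries only need to run once per domain.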
