Encyption of passwords

Posted on 2012-09-17
Last Modified: 2012-10-23
If someone asks

Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form.

Do Windows servers stored these passwords in a way that can be easily cracked, what is the best way to defend against it?
Question by:Nick_D
    LVL 74

    Expert Comment

    by:käµfm³d 👽
    Are you storing passwords in clear-text, or some easily reversible "encryption" method (e.g. base-64 encoding--not really encryption, btw)? If yes, then this would be a no to that question.

    Author Comment

    We don't store any password in clear text.  If you had to give an example of a strong method for storing and encrypting passwords electronically, what would it be?
    LVL 12

    Expert Comment

    There are two types of encryption. Reversible and non-reversible.

    With reversible encryption, provided with the relevant details it's possble to use an algorithm to decrypt the password to a readable value.

    With non-reversible encryption this isn't possible. The password will have been originally encrypted using a one-way algorithm that is impossible to reverse (md5, sha1 etc). The only way to find the value of a password encrypted this way is to run words through the same algorithm, cross referencing the result with the encrypted password until you find one that matches.

    In order to make passwords more secure a salt is often used when encrypting the password. A salt is essentially a string, unknown to all but the software. This often works by encrypting the password then adding the salt to the resulting hash and then encrypting the combination. This way it's much harder to launch a successful brute force attack on the password hash as even after successfully attacking the initial hash they would be left with a second hash (and salt) which they would also need to brute force.
    LVL 23

    Expert Comment

    The biggest risks to password security are from .....
    > Keystroke loggers
    > Humans writing down passwords
    > Humans using simple passwords
    > Shoulder Surfers

    If you are really concerned about data security when the server is off, just encrypt everything with a free program like truecrypt ( or a easier to use one such as bestcrypt (
    LVL 52

    Expert Comment

    To make this question answerable, you should add
    -what passwords you are talking about: local user passwords/domain user passwords/passwords stored inside the browser (what browser)/passwords stored inside other applications/cached passwords/...
    -who you are protecting against: local admins working directly at your server (physical access)/weak rdp-users (no physical access)
    -what OS' are involved
    LVL 33

    Expert Comment

    by:Dave Howe
    Windows stores passwords as either a hash or a pair of hashes, depending on if AD is active and the security level set. Pair of hashes is the default.

    The lowest security of the two (LANMAN) limits to 14 character passwords and is there for backwards compatibility purposes.

    have a look here:
    LVL 2

    Accepted Solution

    Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form.

    Password hashing - means the password is unreversible mathematically.

    The only way to crack a hash:

    1. Find the hash, This would be difficult to do as you need system/administrative privileges In the windows world.
    You could use an exploit such as sql injection if on the webside or some type of session-riding if you can hack or mitm kerberos (good luck) to obtain the hash.

    2. Determine the type of hash - easy this is determining the type of hashing algorithm being used to "Hash the password"

    3. Since password un-hashing is impossible - mathematically, the only other way to find out what a password is when you have it is to. guess a password -> use the hashing algorithm to hash the password and see if it matches the hash you obtained from the windows machine.

    Do Windows servers stored these passwords in a way that can be easily cracked, what is the best way to defend against it?

    1.  Yes I think so, they are stored in an easily cracked format.

    check this out:

    2. The easiest way to protect against this form of attack is to use complex passwords that are at least 9 characters long and use one of the un-commonly used Ascii Symbols that are found on this website:

    according to:

    it would take the multiforcer from the first link i showed that was fully working:

    1 Millenia exactly to crack a password that was 9 characters and used the full 255 character ascii table.

    For 8 characters using the same ascii table it would take: 4 years but of course I am paranoid and like to see a millenia.

    The other way to defend against it is to set your policy at least on your administrative usernames to change every 60 days.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive + Dolby Voice = No More Audio Complaints!

    Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

    As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
    This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    This video discusses moving either the default database or any database to a new volume.

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now