Solved

2008 AD Password hashing algorithm

Posted on 2016-08-05
3
132 Views
Last Modified: 2016-08-09
Hi

We have been asked by an external source the following question:

Do you hash your passwords? What is the hashing algorithm used for the protection of passwords (Ex: Scrypt)? Are the passwords salted or hashed?

The only person who would possibly know this is on holiday! Is there a quick way to find this out within our Active Directory?

Thanks

Rich
0
Comment
Question by:Fletch_r21
3 Comments
 
LVL 20

Expert Comment

by:Daniel Van Der Werken
ID: 41744341
Are you managing user credentials yourselves or are you using Microsoft Windows for password and user management via the active directory?

If you are using active directory, then I suggest you read this article and reference it for your answers.

Otherwise, the only way to answer this question is to know how your application(s) are managing user credentials, which would be in your source code, most likely.
1
 
LVL 2

Author Comment

by:Fletch_r21
ID: 41744388
Hi Daniel

Thanks for your response. We are managing our passwords via Active Directory so I will read that article you have linked.

Thanks

Rich
0
 
LVL 39

Accepted Solution

by:
Adam Brown earned 500 total points
ID: 41744394
Active Directory uses Kerberos for authentication. Kerberos uses RC4 hashing for passwords, but this method only applies to authentication between domain members. Authentication against active directory using a non-domain system utilizes NTLM. Currently NTLM hashing utilizes MD4 or MD5, depending on which NTLM version is in use. Microsoft's solutions do not Salt hashes. This cannot be changed.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question