assurance - RE: [Assurance] IAP Question on Stored AUthentication Secrets
Subject: Assurance
List archive
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: RE: [Assurance] IAP Question on Stored AUthentication Secrets
- Date: Wed, 29 Apr 2015 14:56:48 +0000
- Accept-language: en-US
Microsoft has a TechNet article on Cached and Stored Credentials Technical Overview. https://technet.microsoft.com/en-us/library/hh994565.aspx The AD Cookbook guidance is to turn off LM hash. There is a Credential Manager store in windows, that is optional. I think this is much better than the old .pwl files, but still subject to memory scraping or
off-line attacks if the machine is compromised, which is a known risk managed through standard procedures per the profiles. If you want to see your credentials managed (cached) in Windows, then go to Control Panel. Open “Credential Manager”. You should see your Windows Credentials
listed, including your logon ID. For domain logons, there is a “password verifier” stored in the registry, for when the domain is not available. Security of cached domain credentials The term cached credentials does not accurately describe how Windows caches logon information for domain logons. In Windows 2000 and in later versions of Windows, the username and password are not cached. Instead, the system stores an encrypted verifier
of the password. This verifier is a salted MD4 hash that is computed two times. The double computation effectively makes the verifier a hash of the hash of the user password. This behavior is unlike the behavior of Microsoft Windows NT 4.0 and earlier versions
of Windows NT. http://support.microsoft.com/kb/913485 Verifiers vs. authenticators A verifier could possibly be used to crack a password, but even that would prove difficult. A Windows password verifier is tens of thousands of times -- if not orders of magnitude -- harder to crack than a normal Windows password hash. To begin with, password
verifiers are salted with the user's name. Salting doesn't add tremendous complexity to cracking of the verifier, but it isn't done with the other password hashes, and it complicates brute forcing, rainbow table creation, and use. It also prevents easy comparison
searches for reused passwords. The real value in protecting the verifier is its inherent computational generation effort. In early versions of Windows, the log-on cache verifier was many times more difficult to crack than a normal password hash. In Windows Vista/Windows Server 2008 (and
later), the log-on cache verifier is protected using
PBKDF2, which is considered cryptographically very secure and is significantly more resistant to brute-force attacks than earlier protection mechanisms. It essentially takes the password, the salt, and a pseudo-random function, then mathematically computes
them over thousands of rounds of identical computations. Jeff From: [mailto:]
On Behalf Of David Langenberg In our implementation, we read 4.2.3 as applying to how the institution stores the Authentication Secrets at rest. The requirement does not address how a user stores them nor any transient storage used in the process of validating/processing
them. It would be impractical and prohibitively costly to audit every single machine/device/workspace a user could work from for compliance otherwise. Dave On Tue, Apr 28, 2015 at 3:57 PM, Eric Goodman <> wrote:
-- David Langenberg Identity & Access Management Architect The University of Chicago |
- [Assurance] IAP Question on Stored AUthentication Secrets, Eric Goodman, 04/28/2015
- Re: [Assurance] IAP Question on Stored AUthentication Secrets, David Langenberg, 04/28/2015
- RE: [Assurance] IAP Question on Stored AUthentication Secrets, Capehart,Jeffrey D, 04/29/2015
- Message not available
- RE: [Assurance] IAP Question on Stored AUthentication Secrets, Eric Goodman, 04/30/2015
- Re: [Assurance] IAP Question on Stored AUthentication Secrets, David Langenberg, 04/28/2015
Archive powered by MHonArc 2.6.16.