Question regarding Windows password scheme
Hi guys,
I'm interested in learning security stuff. I'm just wondering, how does Windows save our password in the system?
On some other websites, it says that Windows doesn't use salt in the password scheme? And I can't find the answer as well. Hope you guys can tell me this stuff.
I know that Windows uses the NT hash for the password, but then the idea of salt is also good to enhance security. Why why why doesn't Windows use it???
Thanks guys
Answers
Hi,
Thank you for your post.
As far as I know, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database (C:\Windows\System32\config\SAM file) or in Active Directory (C:\Windows\NTDS\ntds.dit file on DCs).
You can force Windows to use the NT hash password. For detailed information, please refer to the following article.
How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656
After you configure Password History, the Active Directory service will check the password hashes stored in the AD database to determine if the user meets the requirement. The administrator doesn't need to view or use the password hash.
Regarding the security of passwords, the following article may be helpful.
Should you worry about password cracking?
http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx
Regards,
Nick Gu - MSFT
Marked As Answer by Nick Gu - MSFT, Moderator, Friday, May 22, 2009 3:40 AM