[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ms-cryptoapi
Subject:    Security Risk in Win 95 Logon (Weak Password Hash Algorithm)
From:       "J. Andres Hall" <jah () ALUMNI ! PRINCETON ! EDU>
Date:       1998-02-16 21:54:15
[Download RAW message or body]


Mr. Ken Miller (KenMiller@32x.com) writes in his article "Add Real
Password Protection" (VBPJ, Feb 98, p. 113) and says that:

QUOTE

The LAN Manager protocol that allows (Win 95) clients to log on is not
secure, it doesn't use the robust MD4 hash found in NT clients.  Instead,
you have to make do with the LanManager password hash, which is
something of a hash-been (sic).

This old hash lets the bad guys easily recover other user passwords
from the logon sequence that passes accross the network.  Anyone can
collect and crack such passwords, using readily available, free software.

END QUOTE

Does anybody know if this has been fixed?
Does the logon process use CryptoAPI?

----------------------------------------------------------------
Users Guide http://www.microsoft.com/sitebuilder/resource/mailfaq.asp
contains important info including how to unsubscribe.  Save time, search
the archives at http://microsoft.ease.lsoft.com/archives/index.html

[prev in list] [next in list] [prev in thread] [next in thread]