Default encrypted passwords = yes?
Jay Ts
jay at toltec.metran.cx
Thu Sep 27 10:19:03 GMT 2001
>
> James Nord wrote:
>
> > "If it uses unencrypted passwords over the network get rid of it and
> > replace it with an encrypted equivalent"
>
> Could you make that "a secure equivalent"?
> If you passed an MS encrypted password over
> the net, you'd be in as bad shape as an
> unencrypted one!
>
> Microsoft, not being idiots, don't do that. They
> use challenge-response, and the fact that the
> passwords are encrypted is just a historical
> accident.

Actually, they are idiots. :-) My understanding is that although
they don't send the password over the net, they do send a hash
of the password, which can be grabbed by a sniffer and then used
for cracking the security. BTW, I think what "we" have been calling
"encrypted" passwords are actually hashes of the password, and not
technically an encrypted password.
- Jay Ts
jayts at iname.com