WinSecWiki > Security Settings > Account Policies > Password Policy > Reversible Encryption

Store passwords using reversible encryption

Not only Windows and Active Directory do not store user’s actual passwords even in encrypted form. Instead only a hash of the password is stored. However some applications and protocols require knowledge of the user’s actual clear text password. For instance, the challenge handshake (CHAP) authentication protocol in RRAS and digest authentication in IIS require the user’s clear text password. To accommodate such protocols you would have to enable this policy.

Bottom line

Do not enable this policy unless necessary since it increases the risk that passwords could be divulged without even using a cracking utility.

Back to top


Additional Resources