WinSecWiki > Security Settings > Account Policies > Password Policy > Reversible Encryption

Store passwords using reversible encryption

Not only Windows and Active Directory do not store user’s actual passwords even in encrypted form. Instead only a hash of the password is stored. However some applications and protocols require knowledge of the user’s actual clear text password. For instance, the challenge handshake (CHAP) authentication protocol in RRAS and digest authentication in IIS require the user’s clear text password. To accommodate such protocols you would have to enable this policy.

Bottom line

Do not enable this policy unless necessary since it increases the risk that passwords could be divulged without even using a cracking utility.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Password Policy

•	Maximum Age
•	Password Settings Object
•	Minimum Age
•	Minimum Length
•	Complexity Requirements
•	Reversible Encryption

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.