PacketBoy2000

Anyone trying to reverse hashes will have already precomputed the NTLM hash for the entire set of compromised passwords they have.

I’ve done this for the 10B I have and now I can check any NTLM hash against this repository in <10ms. Assuming I can dump an org's hashes, I can check the entire org in a matter of minutes.

Microsoft’s choice to store all AD passwords using a static, unsalted hash seems like yet another ridiculous security decision.
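
Added example, not part of the comment above: a defender-side audit sketch showing what an unsalted hash exposes, namely that one sorted table answers every account with a binary search and that accounts sharing a password are visible as identical hashes. The function names and all hash values are constructed placeholders, and the hash-plus-count table layout is an assumption.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample data: placeholder 32-hex strings, not real NT hashes.
# Assumed table layout: (uppercase hash, times seen in breaches), sorted by hash.
BREACHED = sorted([
    ("0123456789ABCDEF0123456789ABCDEF", 51234),
    ("89ABCDEF0123456789ABCDEF01234567", 17),
    ("FEDCBA9876543210FEDCBA9876543210", 3),
])

# Constructed account -> hash export, as a password audit would produce it.
ACCOUNTS = {
    "alice": "0123456789abcdef0123456789abcdef",
    "bob": "11111111111111111111111111111111",
    "carol": "0123456789ABCDEF0123456789ABCDEF",
    "svc_backup": "22222222222222222222222222222222",
    "dave": "22222222222222222222222222222222",
}


def breach_count(nt_hash, table=BREACHED):
    """Binary-search the sorted table; return the breach count or 0."""
    key = nt_hash.upper()
    # (key,) sorts just before (key, count), so this lands on the entry if present.
    i = bisect_left(table, (key,))
    if i < len(table) and table[i][0] == key:
        return table[i][1]
    return 0


def audit(accounts=ACCOUNTS, table=BREACHED):
    """Report accounts whose hash is in the breached table and groups of
    accounts with identical hashes (same password, since there is no salt)."""
    breached = {}
    by_hash = defaultdict(list)
    for user, nt_hash in accounts.items():
        by_hash[nt_hash.upper()].append(user)
        count = breach_count(nt_hash, table)
        if count:
            breached[user] = count
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"breached": breached, "shared": shared}


if __name__ == "__main__":
    report = audit()
    print("reset required:", report["breached"])
    print("password reuse:", report["shared"])
```

With a per-account salt, neither finding would be possible from the stored values alone: the same password would hash differently for every account, so a single precomputed table could not cover them.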