Ask the Expert

How secure is NT authentication?

I am an IT auditor in my company and am having problems convincing our application development team not to rely on NT authentication as a matter of convenience for users. My argument is that the NT ID/password is meant to validate a user before allowing access to resources like file and print services, not for single sign-on to business applications. NT authentication is also a favorite target for hackers. My questions are the following:

1) How is allowing access to any application -- once someone is authenticated as a valid NT user -- different from the single sign-on solution?

2) Are NT passwords really that much easier to crack than passwords on other platforms? Is there any Web site I can refer to that compares OS passwords?

3) Is it the trend these days to rely on NT authentication? (i.e. Am I too paranoid over the use of NT passwords?)

Hope to get some advice soon. Thanks.



1) NT authentication can be used to allow or disallow access to a particular application. If that application has the proper hooks, it can use that same information to control access within the application. However, in many cases the applications have no such capability. Thus, this really isn't an "either/or" situation. It really depends on how tightly an application is integrated with the underlying OS security mechanisms whether or not single sign-on is even possible.

2) Prior to SP4 (service pack 4), Windows NT routinely used a LAN manager hash along with the NT hash. The LAN manager algorithms are significantly weaker than the NT algorithms and are used for backwards compatibility with Win98, Win95, Win 3.1 and even DOS. The two hashes were derived from the two halves of the NT password. An attacker could use the information gained from breaking the weaker LAN manager password to break the stronger NT password hash. In an environment that is all NT and Win2K, it is possible to disable the LAN manager passwords. See this Microsoft article.

3) You are not too paranoid over the use of passwords in general (not just NT). Users routinely pick poor passwords. You can use NT tools to set maximum and minimum password lengths, time between changes and other settings. You can also use the NSA guidelines for securing Windows NT. Check out their online info here. That NSA page also has guides for Win2K, WinXP, Cisco Routers and more. In addition, to increase security, you should consider alternative authentication systems such as those that use tokens (smart cards and other devices), public key certificates or biometrics. There are also third-party tools to help with the single sign-on problem.
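To make the point in answer 2) concrete, here is an added example (not part of the original column) that models the LAN Manager hash's preprocessing step and the resulting work-factor arithmetic. The DES step itself is left out, since the weakness the expert describes lies in what happens before it: the password is upper-cased, padded to 14 bytes and split into two independent 7-byte DES keys. The function names and the ASCII-only assumption are this example's own.

```python
"""Why an LM hash is cheaper to attack than the NT hash of the same password.
Added example; the LM preprocessing modelled here follows the published
algorithm, the DES encryption of the constant is omitted (no DES in the
Python standard library).  Assumes ASCII passwords; real LM uses the OEM
code page."""

LM_BLOCK = 14   # LM covers at most 14 characters
HALF = 7        # ... as two independent 7-byte DES keys


def lm_halves(password: str):
    """Return the two 7-byte key halves LM derives from a password, or None
    when the password exceeds 14 characters (Windows 2000 and later store no
    LM hash for such passwords, which is one reason long passphrases help)."""
    if len(password) > LM_BLOCK:
        return None
    padded = password.upper().encode("ascii").ljust(LM_BLOCK, b"\x00")
    return padded[:HALF], padded[HALF:]


def lm_half_is_empty(half: bytes) -> bool:
    """An all-NUL half encrypts to the same constant for every password, so a
    password of 7 characters or fewer is recognisable as such on sight."""
    return half == b"\x00" * HALF


def lm_search_space(alphabet: int, length: int) -> int:
    """Candidates needed to exhaust both LM halves for a password of the given
    length: each half is attacked on its own, so the costs add rather than
    multiply.  `alphabet` is the case-folded alphabet (LM upper-cases input)."""
    first = min(length, HALF)
    second = max(length - HALF, 0)
    return alphabet ** first + (alphabet ** second if second else 0)


def nt_search_space(alphabet: int, length: int) -> int:
    """Candidates for the case-sensitive NT hash, attacked without LM help."""
    return alphabet ** length


def case_variants(upper_password: str) -> int:
    """Once LM yields the upper-cased password, recovering the case-sensitive
    NT password means trying every case pattern of its letters: 2**letters.
    This is the 'use the LM result to break the NT hash' step in the answer."""
    return 2 ** sum(ch.isalpha() for ch in upper_password)


if __name__ == "__main__":
    # constructed sample: a 12-character mixed-case password
    print(lm_halves("Passw0rd2003"))
    print(lm_search_space(36, 12), "LM candidates vs", nt_search_space(62, 12), "NT")
    print(case_variants("PASSW0RD2003"), "case patterns once LM is recovered")
```

With 36 case-folded symbols the two LM halves of a 12-character password cost about 7.8e10 candidates, against roughly 3.2e21 for the 62-symbol NT hash, and only 128 case patterns remain once the LM result is known.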


For more info on this topic, check these SearchSecurity.com resources:
  • Best Web Links: Passwords/authentication
  • Featured Topic: Password mania
  • Article: Study: Employees willing to share passwords with strangers

  • This was first published in June 2003
