Re: [squid-users] ntlm_auth passwords

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Mon, 24 Apr 2006 17:19:46 +0200

On Mon 2006-04-24 at 16:37 +0200, Paolo Biancolli wrote:

> I would just like to confirm that ntlm_auth passwords are not sent in
> plaintext but rather hashed or encrypted. I am running squid 2.5 stable
> 13 with samba 3.

NTLM sends one-time hashes only. The data sent on the network cannot be
reused for authentication.

But there is no encryption, so the data can in theory be used as input to
password crackers guessing the password by brute force. Also, the
domain, login and computer name are available in plain text in the
exchange. So even with NTLM it is important to use good quality
passwords.

Regards
Henrik

Received on Mon Apr 24 2006 - 09:20:00 MDT
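
The point in the reply above, that the domain, login and computer name travel unencrypted, can be checked by decoding the NTLM Type 3 (Authenticate) message a client sends in its Proxy-Authorization header. This is an added example, not part of the original message and not code from Squid or Samba; it assumes the common 64-byte Type 3 header layout, treats the OEM code page as cp437, and runs on a constructed sample message with made-up names and zeroed responses.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set, OEM otherwise

def _buf(msg, pos):
    """Read a security buffer (len, maxlen, offset) and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside message")
    return msg[offset:offset + length]

def parse_ntlm_authenticate(header_value):
    """Return the cleartext fields of an NTLM Type 3 message taken from an
    'NTLM <base64>' Proxy-Authorization header value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob)
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected Type 3, got Type %d" % msg_type)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # cp437 is an assumption
    return {
        "domain": _buf(msg, 28).decode(enc),
        "user": _buf(msg, 36).decode(enc),
        "workstation": _buf(msg, 44).decode(enc),
        "lm_response_len": len(_buf(msg, 12)),  # one-time responses, not the password
        "nt_response_len": len(_buf(msg, 20)),
    }

def build_sample_header():
    """Constructed Type 3 message: made-up names, zeroed 24-byte responses."""
    fields = [b"\x00" * 24, b"\x00" * 24, "EXAMPLEDOM".encode("utf-16-le"),
              "alice".encode("utf-16-le"), "WS01".encode("utf-16-le"), b""]
    head, payload, offset = NTLMSSP_SIG + struct.pack("<I", 3), b"", 64
    for f in fields:  # order: LM, NT, domain, user, workstation, session key
        head += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    head += struct.pack("<I", NEGOTIATE_UNICODE)
    return "NTLM " + base64.b64encode(head + payload).decode("ascii")

if __name__ == "__main__":
    print(parse_ntlm_authenticate(build_sample_header()))
```
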
