WingNews logo WingNews
top | item 46291189

(no title)

bmenrigh | 2 months ago

There are so many problems with this article and the previous one it references (How weak passwords and other failings led to catastrophic breach of Ascension).

Specifically, RC4 is a stream cipher. Yet, much of the discussion is around the weakness of NTLM, and NTLM password hashes which use MD4, a hash algorithm. The discussion around offline cracking of NTLM hashes being very fast is correct.

More importantly though, the weakness of NTLM comes from a design of the protocol, not a weakness with MD4. Yes MD4 is weak, but the flaws in NTLM don't stem specifically from MD4.

Dan Goodin's reporting is usually of high quality but he didn't understand the cryptography or the protocols here, and clearly the people he spoke to didn't help him to understand.

EDIT: let me be more clear here. MS is removing RC4 from Kerberos, which is a good thing. But the article seems to confuse various NTLM authentication weaknesses and past hacks with RC4 in Kerberos.

discuss

order

matthewdgreen|2 months ago

Obviously RC4 itself isn't the problem. The problem is that Microsoft ships a "ciphersuite" that includes a bad password-based key derivation algorithm that also happens to be tied to a whole pile of bad cryptography. And the real, real problem is that Microsoft still ships a design in which low-entropy passwords can be misconfigured for use in encrypting credentials, which is a nightmare out of the 1990s and should have been completely disallowed in 2010.

But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this: https://www.microsoft.com/en-us/windows-server/blog/2025/12/...

Someone1234|2 months ago

> But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this

Microsoft is actually talking about RC4 there, the article is conflating NTLM and RC4 things together.

jmsgwd|2 months ago

Are you referring to Windows Kerberos here or NTLM?

hnmullany|2 months ago

What are the bets that the NSA has been encouraging Microsoft to keep shipping this?