On Wed, 2004-02-25 at 21:33, Tom Rixom wrote:
> How do you explain that Microsoft Clients almost all use MSCHAP in some form
> to authenticate and that all Microsoft passwords are stored in encrypted form... ;)
>  
> Did you read the MSCHAPV2 specs before writing the e-mail?
>  
> I can't recall the exact specs of MSCHAPV2 but I remember it to be
> something like:

The old way (NT-type auth) is that the client generates the hash from
the password the user enters and sends that to the server. The server
has the hash and clear-text (I think), and compares the hash of the
client with the hash in the server.

This way only the hash is sent over the network.
Oh, and although the hash isn't reversible, it can be brute-forced. A
PIII-400 will take 1700 hours of dedicated time to break an NT hashed
password of any length and configuration. Look up l0phtcrack. Dictionary
words are a lot easier of course.

John


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
