Long-Lived Hashes for AD Smartcard Required Accounts

Abstract: It is well known that passwords and their hashes can often be copied and reused by malicious cyber actors. Requiring smartcards or other hard tokens enables stronger authentication because they cannot be copied. Such a token can be used by an adversary while the legitimate user is using it, if the adversary has compromised the user's device, but not at other times or directly from other devices. When smartcards are required to log in to Windows® Active Directory® (AD) domains, a random password is created and its hash is associated with the account. This allows the device (via the user's account) to use legacy authentication protocols such as NTLM to gain access to resources. In this case, the long random password is better than most user-chosen passwords.
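The abstract notes that a smartcard-required account still carries an NTLM hash of a randomly generated password. The following PowerShell, added here as an example and not taken from the advisory, uses the ActiveDirectory module to list such accounts and flag those whose password (and therefore hash) has not been regenerated within a chosen number of days; the threshold and output shape are assumptions.

```powershell
# Added example: enumerate smartcard-required AD accounts and flag long-lived hashes.
# Requires the ActiveDirectory module (RSAT) and read access to the user objects.
Import-Module ActiveDirectory

function Get-StaleSmartcardHash {
    param(
        # Assumed threshold: flag hashes older than this many days.
        [int]$MaxAgeDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # SmartcardLogonRequired maps to the SMARTCARD_REQUIRED userAccountControl bit;
    # PasswordLastSet is when the random password (and its hash) was last generated.
    Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' `
               -Properties SmartcardLogonRequired, PasswordLastSet, Enabled |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                PasswordLastSet = $_.PasswordLastSet
                # Null PasswordLastSet means the age is unknown; treat it as stale.
                HashIsStale     = ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            }
        }
}

# Report only the accounts whose hash has outlived the threshold.
Get-StaleSmartcardHash -MaxAgeDays 90 |
    Where-Object HashIsStale |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Accounts listed here have kept the same NTLM hash for longer than the threshold, so a copy of that hash taken at any point in that window would still be usable; the list is the input to whatever rotation process the domain uses.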

Date Published:

Last Reviewed: 22 November 2016

Identifier: ORN U/OO/803300-16

Creator: Dedicated Support Communicators

Dissemination Control: N/A

Length: 2 page(s)

Format: pdf

Type: Advisory/Alert; IA Technical Advisory

Tags: Advisory; Account; Password Vulnerability; Adversary; Malicious Actor; Smart Card