RE: Cached Domain Password on Notebook, secure?

From: Gino Genari
Date: Mon, 25 Feb 2002 15:19:03 -0500

What exactly are you trying to protect against? If you are only worried
about the domain accounts, that is one thing. If you are trying to protect
information on the notebook itself, that is another. If someone lost their
notebook, resetting their password on the domain would make cracking their
cached password useless.
If you are trying to protect the notebook, utilities like ERD Commander can
reset the local administrator password without knowing the previous one.

I have never tried to use EFS to encrypt the entire disk, so cannot give
you any information on that, or if ERD could still reset the ADMIN password
with that setup.

In my opinion, the way to protect both would be to use a tool like
Safeboot, that encrypts the entire disk outside of the OS.

If software purchase is out of the question, please excuse my ramblings.


-----Original Message-----
From: []
Sent: Sunday, February 24, 2002 5:43 PM
Subject: RE: Cached Domain Password on Notebook, secure?

My philosophy is that until someone actually releases a tool to crack the
cached passwords then they are reasonably secure as someone is going to have
to go through a lot of effort to obtain the password including writing the
algorithm to crack it!

Does anyone know of any tools to brute force the "cached" passwords?

I have looked and have failed to find any tools to do this. I also wonder
how computationally expensive the generation of the hash verifier is?


-----Original Message-----
From: Eric
Sent: Wednesday, 20 February 2002 5:20 AM
To: Varga Daniel (QI/RZS4) *
Subject: Re: Cached Domain Password on Notebook, secure?

It is not a 'cachedpassword' as the reg key name implies. It is an OWF
hash verifier of the password hash - it is not possible to reverse this
value to obtain either the LM or NTLM hashes, nor the clear-text password.

At 06:17 PM 2/18/2002 +0100, Varga Daniel (QI/RZS4) * wrote:
>Hi all,
>do you know, whether it is possible for an attacker to crack the cached
>credentials of a domain user on an offline notebook?
>I tried lsadump2
>but cannot judge whether this information is any useful for an attacker to
>get the cached password of a domain user. Does anyone of you?
>We plan to roll out EFS to secure our notebooks in case they get lost but
>I see the security of EFS stands and falls with the security of the
>of the user.
