RE: Windows NTFS Authentication Caching

Date: 11/02/01


I believe Carol means that they have an NT Box running IIS as their

IIS has been configured to require NT Challenge-Response Authentication, and
NOT to allow anonymous access or Basic HTTP authentication.

HTTPS is being used.

The question was whether logon information is cached on the home-users

My knowledge on this exact scenario is sketchy, I have never tried this
If the user is presented with a standard login box when they connect, this
will offer a "save password" box. If this is checked then the username /
password MUST be saved in some format.

As NT Challenge-Response is being used, the password is first converted to a
one-way hash. This hash is stored on the server. This is likely what is
stored on the client as it is obviously slightly more secure than a
plaintext password. The hash is then encrypted with the "challenge" sent by
the server, if the hash / challenge combos match on the server and client,
you are authenticated. This challenge should be unique and random -
generated for the HTTPS session you are logging in over.

For standard Windows 9x the passwords are stored IIRC in a *.pwl file in the
windows directory. These can be recovered, and there are free utilities to
do this - some viruses do this and email the lists home...

If the password is stored in the hash form, it is non-recoverable. However
you can brute force it - generate hashes until the same hash is produced -
you then know the password. If it is stored in the pwl file then the hash,
or plaintext, can be recovered.

So it would be possible for someone to gain login information if the home PC
is compromised. However if the home PC is compromised, then it would be
easier to have a keysniffer running than waste time brute forcing a hash.
But users do use the same passwords for many things - one of the simple ones
for dialup etc in the pwl files may be their work password...

Alex Collins

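The challenge-response flow described in the message above, as an added, constructed model that is not part of the original thread: the server stores only a one-way hash, issues a fresh random challenge per logon, and a response captured from one session is useless against the next. The hash function is a stand-in (SHA-256 over the UTF-16LE password, keyed HMAC for the response); the real NT scheme uses MD4 and DES, so the arithmetic is not NTLM's, only the shape of the exchange. Note that, as in the real protocol, the stored hash alone is enough for the client to answer, which is why protecting the saved credential on the home PC matters.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the NT one-way hash (assumption: SHA-256 replaces MD4)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client side: response keyed by the stored hash and bound to this challenge,
    so neither the plaintext password nor the bare hash is sent over the wire."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server keeps hashes only; each logon attempt gets a new random challenge."""

    def __init__(self, users: dict):
        self.hashes = {u: password_hash(p) for u, p in users.items()}
        self.pending = {}   # session id -> challenge still awaiting an answer
        self.seen = set()   # challenges already consumed (replay guard)

    def new_challenge(self, session_id: str) -> bytes:
        challenge = os.urandom(16)
        self.pending[session_id] = challenge
        return challenge

    def verify(self, session_id: str, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(session_id, None)
        if challenge is None or challenge in self.seen:
            return False
        self.seen.add(challenge)
        expected = compute_response(self.hashes.get(user, b"\0" * 32), challenge)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Constructed scenario: a home client logs on, then an eavesdropper replays
    the captured response against a later session."""
    server = AuthServer({"carol": "W1nter-2001"})     # constructed credentials
    saved_hash = password_hash("W1nter-2001")         # what "save password" keeps
    c1 = server.new_challenge("s1")
    r1 = compute_response(saved_hash, c1)
    first = server.verify("s1", "carol", r1)
    server.new_challenge("s2")                        # fresh challenge, old response
    replay = server.verify("s2", "carol", r1)
    c3 = server.new_challenge("s3")
    wrong = server.verify("s3", "carol", compute_response(password_hash("guess"), c3))
    return {"first_logon": first, "replayed_response": replay, "wrong_password": wrong}
```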