From: Eric (ewstellurian.net)
Date: Tue Feb 19 2002 - 12:19:36 CST

    It is not a 'cachedpassword' as the reg key name implies. It is an OWF
    hash verifier of the password hash - it is not possible to reverse this
    value to obtain either the LM or NTLM hashes, nor the clear-text password.

    At 06:17 PM 2/18/2002 +0100, Varga Daniel (QI/RZS4) * wrote:
    >Hi all,
    >
    >do you know, whether it is possible for an attacker to crack the cached
    >credentials of a domain user on an offline notebook?
    >
    >I tried lsadump2 (http://razor.bindview.com/tools/desc/lsadump2_readme.html)
    >but cannot judge whether this information is of any use for an attacker to
    >get the cached password of a domain user. Do any of you?
    >
    >We plan to roll out EFS to secure our notebooks in case they get lost but as
    >I see the security of EFS stands and falls with the security of the password
    >of the user.
    >
    >Thanks,
    >--
    >Daniel