
To Pressure Security Professionals, Mandiant Releases Database That Cracks Weak NTLM Passwords in 12 Hours (arstechnica.com) 34

Ars Technica reports: Security firm Mandiant [part of Google Cloud] has released a database that allows any administrative password protected by Microsoft's NTLM.v1 hash algorithm to be hacked in an attempt to nudge users who continue using the deprecated function despite known weaknesses.... a precomputed table of hash values linked to their corresponding plaintext. These generic tables, which work against multiple hashing schemes, allow hackers to take over accounts by quickly mapping a stolen hash to its password counterpart... Mandiant said it had released an NTLMv1 rainbow table that will allow defenders and researchers (and, of course, malicious hackers, too) to recover passwords in under 12 hours using consumer hardware costing less than $600 USD. The table is hosted in Google Cloud. The database works against Net-NTLMv1 passwords, which are used in network authentication for accessing resources such as SMB network sharing.

Despite its long- and well-known susceptibility to easy cracking, NTLMv1 remains in use in some of the world's more sensitive networks. One reason for the lack of action is that utilities and organizations in industries, including health care and industrial control, often rely on legacy apps that are incompatible with more recently released hashing algorithms. Another reason is that organizations relying on mission-critical systems can't afford the downtime required to migrate. Of course, inertia and penny-pinching are also causes.

"By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1," Mandiant said. "While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys."

"Organizations that rely on Windows networking aren't the only laggards," the article points out. "Microsoft only announced plans to deprecate NTLMv1 last August."

Thanks to Slashdot reader joshuark for sharing the news.
  • by 93 Escort Wagon ( 326346 ) on Saturday January 17, 2026 @06:30PM (#65931942)

    Hasn't Microsoft itself disabled NTLM version 1 by default for something like a decade?

  • But also there is no reason to release this to script kiddies to run amok.

    • But also there is no reason to release this to script kiddies to run amok.

      Release? If that was a joke, it certainly wasn’t too soon. I guess you could say I’m not too concerned about a script L0phtcrack was running endless trains on last fucking century.

      Anything less than a salted passphrase is the equivalent of grow the fuck up in the 21st Century. We can either accept and teach that fact, or we can watch our loved ones get pwned in the worst ways with AI-enhanced shitware, coming soon.

  • by Anonymous Coward
    I'd hope it's sub-second: DES and MD4 hashes, and you're giving us precalculated rainbow tables.
  • by magamiako1 ( 1026318 ) on Saturday January 17, 2026 @10:03PM (#65932178)
    For what it's worth, in every environment I've ever been in, the only reason NTLM still exists is to support Linux/Open-Source systems that aren't "joined to the domain" and any isolated environment that also wasn't "joined to the domain" for "cybersecurity reasons" but still needed access to an SMB share.

    That's pretty much it.
    • by Bert64 ( 520050 )

      It's a case of "adequate for now"...
      So long as NTLMv1 and other legacy junk is still supported (especially without throwing up prominent warnings) then third party vendors don't see the need to support newer more secure protocols. It's easier for them just to support the old junk and get maximum compatibility that way.

      The only way the commercial world ever moves forward is when forced, which pretty much means aggressive in your face warnings followed by total removal of support, or things like government or

      • I mean, NTLMv1 is basically pushed to be eliminated across most basic security hardening of any Windows AD domain in existence. If you deploy CIS Benchmarks or STIGs, you're nuking NTLMv1 right out the gate and none of this applies.

        Now, as far as NTLMv2 versus Kerberos usage, Microsoft is working to purge NTLM entirely from Windows by using things like local KDCs and such on Windows systems. I don't think this full platform is deployed yet. But that'll eliminate NTLM entirely from Windows.

        As far as Kerberos
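Before a CIS or STIG baseline refuses NTLMv1 outright, an administrator usually wants to know which hosts still depend on it. The following is an added example, not code from the article or from any commenter: it scans Security event 4624 (logon) records for the "Package Name (NTLM only)" field and reports logons that used NTLM V1 or LM. The event text is a constructed, trimmed sample that assumes the dump has already been filtered to 4624 events.

```python
import re
from collections import Counter

# Constructed sample: three 4624 logon events reduced to the fields used here.
# Real events carry many more fields (Logon Type, Logon ID, Process Name, ...).
SAMPLE_EVENTS = """\
Account Name: svc_backup
Workstation Name: BACKUP01
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.0.21
---
Account Name: jdoe
Workstation Name: WS-042
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 10.0.0.55
---
Account Name: nas_admin
Workstation Name: LEGACY-NAS
Authentication Package: NTLM
Package Name (NTLM only): LM
Source Network Address: 10.0.9.9
"""

# One "Key: value" pair per line; keys never contain a colon in 4624 output.
FIELD_RE = re.compile(r"^(?P<key>[^:\n]+):[ \t]*(?P<value>.*)$", re.MULTILINE)
# Both of these are defeated by precomputed tables; NTLM V2 is not in this set.
WEAK_PACKAGES = {"NTLM V1", "LM"}

def parse_events(text):
    """Split the dump on '---' separators and return one field->value dict per event."""
    events = []
    for chunk in text.split("---"):
        fields = {m["key"].strip(): m["value"].strip() for m in FIELD_RE.finditer(chunk)}
        if fields:
            events.append(fields)
    return events

def weak_ntlm_logons(events):
    """Return (account, workstation, source address, package) for every logon that
    authenticated with NTLMv1 or LM. These are the clients to remediate before
    setting LmCompatibilityLevel to 5 (send NTLMv2 only, refuse LM and NTLM)."""
    hits = []
    for ev in events:
        if ev.get("Authentication Package") != "NTLM":
            continue  # Kerberos or Negotiate logons are not the concern here
        pkg = ev.get("Package Name (NTLM only)", "")
        if pkg in WEAK_PACKAGES:
            hits.append((ev.get("Account Name"), ev.get("Workstation Name"),
                         ev.get("Source Network Address"), pkg))
    return hits

def summarize_by_source(hits):
    """Count weak logons per originating address to prioritize which host to fix first."""
    return Counter(src for _, _, src, _ in hits)
```

Run it over an exported event dump in the same "Key: value" layout; in the sample, BACKUP01 (NTLM V1) and LEGACY-NAS (LM) are reported while the NTLM V2 logon from WS-042 is not.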
  • For what it's worth, in every environment I've ever been in, the only reason NTLM still exists is to support an executive's decision to be a greedy cheap ass and never invest properly to eliminate legacy systems.

      FTFY. Just in case anyone was wondering as to the actual reason and root cause.

      My fix is simple. Re-configure the system that processes executive bonuses with NTLMv1. You’ll have a state-of-the-art replacement for every legacy auth excuse within a fiscal quarter.

  • posting to undo an undeserved mod up.
    • posting to undo an undeserved mod up.

      Does it give you back your mod points?

      • it seems to have, either that or they just reset again to full mod points. Not that that was my concern, I hate modding up some dingus I intended to mod down for idiocy.
  • by AnnoyingBastard ( 8138122 ) on Sunday January 18, 2026 @02:36AM (#65932392)
    RADIUS using MSCHAPv2 authentication is the number one use case of NTLMv1 in the IT infrastructure of organizations. While it's very doable (and strongly recommended) to switch to X.509-based auth for wireless auth, typically username/password auth remains in use to administrate switches, routers and other physical network devices. Microsoft even excludes MSCHAPv2 for RADIUS from the NTLMv1 deprecation timeline, and MS NPS has a registry setting to allow continued use of NTLMv1 even when it has been 'disabled' on the domain controller.
  • This whole argument is around "what if your password database is compromised"?

    Well shit - if your most protected file is compromised, what exactly are you protecting?

    Passkeys are better, because there is no hash to compromise. It is inherently safe against this attack, and anybody not using passkeys is not taking security seriously.

    • Fuck passkeys.

      They are just Yet Another Password Mechanism (YAPM) to set up and then support when it falls out of favor in a few months' time. It's just the latest iteration of standards, as mocked by the 15-year-old XKCD 927 on Standards. [explainxkcd.com]

      Absolutely nothing has been eliminated: not passwords, not TOTP, not even NTLMv1. We've simply broadened the attack surface by miles. Passwords, SMS and eMail OTP, TOTP, biometrics... We still have to deal with and defend all of them and now we also have to deal with FID

    • by gweihir ( 88907 )

      Passwords are very much NOT obsolete. All alternatives suck and are worse in some aspects that matter. Yes, 2FA is a thing, but one factor will typically be a password. And, if done right (so NOT how the assholes at Microsoft do it with independent verification of each factor, and NOT with enforced time-based changes), that password provides real additional security.

    • So far, every system that I have seen that implements passkeys also allows for passwords. So even if I set up a passkey, if the password database gets compromised, having a passkey doesn't protect me. Passkeys are great if I'm only ever going to use one device for my entire life. But that's not even close to realistic. Migrating passkeys from one device to another is either impossible, or very complex. I do like how passkeys are designed where the server sends a message, the client transforms the message
  • How does it get multiple tries?
  • Why does it take so long?

    Using Rainbow Tables, it should be a near instantaneous lookup.

  • The people making this decision do not understand the amount of legacy stuff running in the world. Some of that stuff is not easy to replace, and a simple upgrade is not an option. Yes, risks should be mitigated with isolation as much as possible. Not like companies are just saying screw it we don't need to do this, sometimes the barriers outweigh the costs. And a layered defense is a worthwhile calculated risk. Making it easier to break into is not the way to improve this.
    • by gweihir ( 88907 )

      Au contraire. This is an overdue move. If you really need to run insecure stuff, place it behind a gateway that adds the security. If you do not do that, YOU are the problem.

  • "Imposter", "incompetent", "noob", etc. would go with NTLM.v1 ...

  • A rainbow table for NTLMv1
    How novel... NOT!
