How passwords are stored in Active Directory

  • Last Post 01 February 2012
BrianB posted this 01 February 2012

Our security dept is asking questions about how passwords are stored and encrypted in AD and what algorithm is used for encryption.

I found a few good articles but nothing that tells me what cryptography is used. Does anyone know this information?

Brian Britt
Directory Services Specialist
Vanderbilt University
Information Technology Services
Office: (615) 322-4676
OCS: (615) 875-9858

Order By: Standard | Newest | Votes
bdesmond posted this 01 February 2012

Take a look at the attached message sent to this alias a few weeks ago.

Brian Desmond

w - 312.625.1438 | c - 312.731.3132


chriss3 posted this 01 February 2012

This dose only apply to in-memory storage of the password hashes aka in lsass - they are much more protected on the DB/Storage layer, see the earlier post that Brian Desmond refers to.

Enfo Zipper
Christoffer Andersson - Principal Advisor


skradel posted this 01 February 2012

Is there any information publicly available about the cryptographic
protocols, key management and derivation, cipher modes, etc.? Just knowing
that the secret data are encrypted with a per-machine key, which key is
itself somehow enciphered based on some registry value, leaves a lot of
mystery in the air.



esf posted this 01 February 2012

With more data about the threats your sec dept is worried about we might be able to more specifically comment...

I've been asked this question many times over the years and rarely is password storage the actual issue at hand. Usually it is something else entirely and password storage is only a layer of indirection. With the right question in hand we can probably best guide you from here.