Windows operating systems use a combination of hashing and salting techniques to securely store passwords. Here's a detailed overview of how Windows handles password storage, both for local accounts on workgroup computers and domain accounts on domain-joined computers.
1. Local Accounts on Workgroup Computers
Hashing and Salting:
- Windows uses a secure hashing algorithm to hash passwords. As of Windows Vista and later, the NTLM (NT LAN Manager) hash is used.
- NTLM hashes are unsalted by default, which means the same password will always produce the same hash. This can make them vulnerable to precomputed attacks (like rainbow tables), but Windows mitigates this with additional security measures like account lockout policies and password complexity requirements.
Storage Location:
- Password hashes for local accounts are stored in the Security Account Manager (SAM) database.
- The SAM database is located in the Windows directory at C:\Windows\System32\config\SAM.
- The SAM file is protected by the operating system and cannot be accessed while Windows is running. It is also encrypted to prevent unauthorized access.
2. Domain Accounts on Domain-Joined Computers
Hashing and Salting:
- For domain accounts, Windows uses the Kerberos protocol for authentication, which relies on a combination of NTLM hashes and Kerberos tickets.
- The NTLM hashes are used as part of the Kerberos authentication process, but they are not directly used for authentication in most cases.
- Domain passwords are hashed using the same NTLM algorithm and stored in the Active Directory database.
- Active Directory can use additional encryption and hashing mechanisms, including salting, depending on the configured policies and the version of Windows Server.
Storage Location:
- Password hashes for domain accounts are stored in the Active Directory database, which is hosted on the Domain Controllers (DCs).
- The Active Directory database is stored in the NTDS.dit file, typically located at C:\Windows\NTDS\NTDS.dit on the domain controller.
- The NTDS.dit file is protected by the operating system and includes additional security features, such as encryption and access control.
Additional Security Measures
LSA Secrets:
- Windows also uses Local Security Authority (LSA) secrets to store sensitive information, including cached domain credentials.
- LSA secrets are stored in the registry under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
- Access to LSA secrets is tightly controlled by the operating system.
Credential Guard:
- Windows 10 and Windows Server 2016 introduced Credential Guard, which uses virtualization-based security to isolate and protect credentials.
- Credential Guard helps protect against credential theft attacks, such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).
By understanding these mechanisms, you can better appreciate the security measures Windows implements to protect user passwords and credentials.