Dan Bailey writes: # No, but they're doing something that makes me very uncomfortable: As # I read this, they're hashing the password and some other user # information using MD4 then doing some proprietary permutations on # that. Given their record with security, I'd rather they used straight # MD4, rather than throwing in something that we can't analyze. I don't quite agree with the last part. It might be educational to do a spot of cryptanalysis in an attempt to determine the nature of the proprietary algorithm used. It wouldn't be "cracking" the password protection, but I think the general effort to "out" proprietary crypto algorithms is productive, particularly in the case of major software packages. Microsoft Knowledge Base article Q102716 says:
Storage of the Passwords in the SAM Database [...] The second encryption is decryptable by anyone who has access to the double-encrypted password, the user's RID, and the algorithm. The second encryption is used for obfuscation purposes.
Anyone feel like putting together some sample plaintext/ciphertext pairs ? -Futplex <futplex@pseudonym.com>