There are so many problems with this article and the previous one it references (How weak passwords and other failings led to catastrophic breach of Ascension).<p>Specifically, RC4 is a stream cipher. Yet, much of the discussion is around the weakness of NTLM, and NTLM password hashes which use MD4, a hash algorithm. The discussion around offline cracking of NTLM hashes being very fast is correct.<p>More importantly though, the weakness of NTLM comes from a design of the protocol, not a weakness with MD4. Yes MD4 is weak, but the flaws in NTLM don't stem specifically from MD4.<p>Dan Goodin's reporting is usually of high quality but he didn't understand the cryptography or the protocols here, and clearly the people he spoke to didn't help him to understand.<p>EDIT: let me be more clear here. MS is removing RC4 from Kerberos, which is a good thing. But the article seems to confuse various NTLM authentication weaknesses and past hacks with RC4 in Kerberos.
Obviously RC4 itself isn't the problem. The problem is that Microsoft ships a "ciphersuite" that includes a bad password-based key derivation algorithm that also happens to be tied to a whole pile of bad cryptography. And the <i>real, real</i> problem is that Microsoft still ships a design in which low-entropy passwords can be misconfigured for use in encrypting credentials, which is a nightmare out of the 1990s and should have been completely disallowed in 2010.<p>But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this: <a href="https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication" rel="nofollow">https://www.microsoft.com/en-us/windows-server/blog/2025/12/...</a>
> But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this<p>Microsoft is actually talking about RC4 there, the article is conflating NTLM and RC4 things together.
Are you referring to Windows Kerberos here or NTLM?
What are the bets that the NSA has been encouraging Microsoft to keep shipping this?
Low.<p>While the NSA would, absolutely, use it to elevate existing internal access - it is such low-hanging fruit that they have enough alternative tools in their arsenal that it isn't a particularly big loss. Most of their competent adversaries disabled it years ago (as has been best-practice since 2010~).<p>More likely, it is Microsoft's obsession with backwards compatibility. Which while a great philosophy in general has given them a black eye several times before vis-a-vis security posture.
Given the time it's been since deprecated, I'm assuming most older versions of Windows since 2000 and Samba have long since supported more secure options... though from some comments even the more secure options are relatively weak by today's standards as well.<p>Aside: still hate working in orgs where you have a password reset multiple times a year... I tend to use some relatively long passphrases, if not the strongest possible... (ex: "ThisHasMyNewPassphrase%#23") I just need to be able to remember it through the first weekend each time I change without forgetting the phrase I used.
Depending on your organization, it can sometimes help to point the right compliance person to the latest NIST guidelines, specifically:<p><a href="https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver" rel="nofollow">https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver</a><p>> Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.<p>One of the nice cases where it can be helpful that standards themselves, which you can point to, have said to stop doing that.
Unfortunately, not all guidelines have caught up. PCI-DSS still requires password changes every 90 days for anything in scope (the cardholder data environment, anything that might even remotely touch payment card data).
I mean this is what I use 1password for.
How did RC4 become so widespread when it came from a leak? Additionally, why was it the de facto standard stream cipher in the 90s, even though it was known to be flawed? Just the speed?
Because "everybody uses RC4" (the sibling comment from dchest is correct). There was a lot of bad cryptography in that period and not a lot of desire to improve. The cleanup only really started in 2010 or thereabouts. For RC4 specifically, its was this research paper: <a href="https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_alfardan.pdf" rel="nofollow">https://www.usenix.org/system/files/conference/usenixsecurit...</a> released in 2013.
It's fast, easy to implement, has very concise code, takes any key length up to 256 bytes, comes from a famous cryptographer, and there weren't a lot of alternatives.
RSA was still selling RC4 into the mid-2000s as a product. While open source variants of RC4, often trying to avoid the RSA trademark by calling it things like ARCFOUR, started trading in the 1990s, there was still a <i>sense</i> that RC4 was backed by a security company.<p>Also, even though flaws were discovered as early as the open source variants had reverse engineered the RC4 algorithm, it was one of those "flaws exist but need things to exploit them that are out of our current threat models" problems, with it being a multi-stage, multi-year effort from the earliest flaw discoveries in the 90s to the most devastating exploits being developed around 2013-2015 taking advantage of those flaws in reproducible ways.<p>I also remember in the 90s it felt like the reverse engineered, open source efforts were once shining beacons of hope like PGP of releasing "enterprise grade" security algorithms from trade secret-protected corporate and governmental interests to "the common people". RC4 was simple to implement and easy to reason about, but gave "good enough" security for a lot of uses, certainly far better than "no security unless you pay a company like RSA and only if you don't plan to export your software outside of the US". That's why RC4 was the basis of a 90s idea called CipherSaber [1] about the idea of being able to implement your own security suite that you controlled and companies couldn't take from you.<p>Of course, things have shifted so much since the 90s when security suites were trade-protected and export-controlled. The security through obscurity of the algorithms involved behind trade secrets laws is no longer seen as an advantage and the algorithm being public knowledge has started to be a part of security suite threat models. Today's advice is never write your own security suite because there are several well regarded open source suites that have many eyes on them (and subsequently vulnerability plans/mitigations). Governments in the internet age have had to greatly relax their import/export controls on cryptography. We live in a very different world from the world RC4 was originally intended to secure.<p>[1] <a href="https://en.wikipedia.org/wiki/CipherSaber" rel="nofollow">https://en.wikipedia.org/wiki/CipherSaber</a>
I think this is a really good question, for what it's worth. Best I can come up with is that, at the time, our block cipher blocks were mostly 8 bytes wide, which doesn't leave a lot of headroom for CTR.
Source: <a href="https://www.microsoft.com/en-us/windows-server/blog/2025/12/03/beyond-rc4-for-windows-authentication" rel="nofollow">https://www.microsoft.com/en-us/windows-server/blog/2025/12/...</a>
The common asrep roast kerberos etype I see now is aes/18 (<a href="https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml" rel="nofollow">https://www.iana.org/assignments/kerberos-parameters/kerbero...</a>).<p>I was looking at this guy's benchmark here: <a href="https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd" rel="nofollow">https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb4...</a><p>Etype 23 (rc4-hmac) gets ~3500 kH/s, 18 (aes256-cts-hmac-sha1-96) gets roughly 2500 kH/s. Big difference, but somehow I thought it would be much bigger? 2.5M guesses/second is still not so bad.<p>I've done kerberoasting and aseproasting a handful of times only, but from what I recall, RC4 can be cracked within reasonable time regardless of your password complexity. But with AES if you have a long and complex service account password, it will take decades/centuries to crack. But (!!) it is still quite common to use relatively weak passwords for service accounts, a lot of times the purpose of the service is included in the password so it makes guessing a bit easier.<p>My criticism is that Kerberos (as far as I'm aware) does not provide modern PBKDFs (keyed argon2?) that have memory-hardness in place. That might be asking too much, so why doesn't Microsoft alert directory administrators (and security teams) when someone is dumping tickets for kerberoasting by default? It's not common for any user or service to request for tickets for literally all your service accounts. Lastly, Microsoft has azure-keyvault in the cloud, but they're so focused on cloud, they don't have an on-prem keyvault solution. If a service account is compromised, you still have to find everything that uses it and change the password one by one. Where if there was a keyvault-like setup, you could more easily change passwords without causing outages.<p>Rotating the KDC/krbtgt credential is also still a nightmare.<p>From what bits I've heard, Microsoft expects its users to be using EntraId instead of on-prem domains (computers joined directly to entra-id instead of domain controllers). That's a nice dream, but in reality 20 years from know there will still be domain controllers on enterprise networks.
> I've done kerberoasting and aseproasting a handful of times only, but from what I recall, RC4 can be cracked within reasonable time regardless of your password complexity<p>That's not quite right. If the password is sufficiently strong, you won't crack it even when RC4 is used. The password space is infinite.<p>You might be thinking of the LM hash, where you are guaranteed to find the password within minutes, because the password space is limited to 7 character passwords.<p>> Rotating the KDC/krbtgt credential is also still a nightmare.<p>I also disagree there. Just change it exactly once every two weeks or so. Just don't do it more than once within 10 hours. See: <a href="https://adsecurity.org/?p=4597" rel="nofollow">https://adsecurity.org/?p=4597</a><p>What I wonder is why Windows isn't changing it itself every 30 days or so, just like every computer account password.<p>> why doesn't Microsoft alert directory administrators (and security teams) when someone is dumping tickets for kerberoasting by default?<p>Good question. Probably because they want you to license some Defender product which does this.
Reasonable! Anyone who cares about AD security has been AES-only for <i>at least</i> a year now, and most likely much longer, and it's not like these mitigations are especially hard, <i>unless</i> you're still running some seriously obsolete software.
Microsoft does not have the power to stop me from using this cipher.
"RC4, short for Rivist Cipher 4". No, "Ron's Code 4".<p>And the default will now be AES-SHA1, where SHA-1 is to be deprecate by NIST in 2030. (<a href="https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm" rel="nofollow">https://www.nist.gov/news-events/news/2022/12/nist-retires-s...</a>)
SHA1 as a MAC for AES encryption is different from SHA-1 as a hash algorithm and remains secure, though there are of course better alternatives.
Ronald's Kryptosystem 4