Published on 11 Jun 2015
Administrator Password Security
The user’s password is never communicated over the network at login time. Instead, the client uses the password to compute a non-reversible MD5 hash over the user’s login name and login time. The service looks up the user’s password in its database and then computes its own MD5 hash over the same login name and login time. If the two hash results match, the client must have known the user’s password, so the login succeeds.
If the two hash results do not match, the client did not know the user’s password and the login fails. The client login time is included to prevent replay attacks in which a captured MD5 hash result is played back.
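The login exchange described above, as an added example in Python that is not part of the original page or the product it describes: the client keys an MD5 hash with the password over the login name and login time, and the service recomputes it from the password it holds and compares. The input layout of the hash, the 120-second freshness window and the rejection of a reused (user, time) pair are assumptions; the page only states that the login time is used to prevent replay.

```python
import hashlib
import hmac
import time

# Constructed sample credential store (not real data). The scheme requires the
# service to hold each user's password in recoverable form, because it must
# recompute exactly the hash the client computed.
USER_DB = {"admin": "correct horse battery staple"}


def login_hash(password, username, login_time):
    """MD5 over the login name and login time, keyed with the password.
    The concatenation order and separator are assumptions; the page does not
    specify the exact input layout."""
    data = f"{password}|{username}|{login_time}".encode()
    return hashlib.md5(data).hexdigest()


def client_login_request(username, password, now=None):
    """Client side: send login name, login time and hash, never the password."""
    login_time = int(time.time() if now is None else now)
    return {"user": username, "time": login_time,
            "hash": login_hash(password, username, login_time)}


class AuthService:
    """Service side: recompute the hash from the stored password and compare."""

    def __init__(self, db, window_seconds=120):
        self.db = db
        self.window = window_seconds  # assumed freshness window in seconds
        self.seen = set()             # (user, time) pairs already accepted

    def verify(self, req, now=None):
        now = int(time.time() if now is None else now)
        stored = self.db.get(req["user"])
        if stored is None:
            return False
        # Replay protection: the login time only helps if the service rejects
        # stale times and never accepts the same (user, time) pair twice.
        key = (req["user"], req["time"])
        if abs(now - req["time"]) > self.window or key in self.seen:
            return False
        expected = login_hash(stored, req["user"], req["time"])
        if not hmac.compare_digest(expected, req["hash"]):
            return False
        self.seen.add(key)
        return True
```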
The only time a password is communicated over the network is when an account is added or a password is changed. In that case the password is encrypted with triple DES, and the encryption key is the password of the currently logged-in user making the change.