
An underlying issue is that Microsoft Active Directory does not support MFA of any kind at all. That's why third-party PAM vendors exist, but they don't really change the fact that the most widely deployed authentication service in business is effectively run by password hashes. That's the whole reason we so commonly see the "mimikatz scraped a hash from RAM and it was all over" write-up in incidents.

Smartcards exist, but their use is clunky in practice (I'm aware Yubikeys may now function this way). For everything else, Microsoft's current MFA solution is "just use the cloud".




Worse: un-salted hashes.


Worst: The hashes are actually the passwords (for all services that allow NTLM authentication).



