Login and Mimikatz
In this lesson, we will explore the password-stealing tool, Mimikatz.
How Windows stores passwords
Let’s take a look at what happens when a user logs in. How does Windows know that you are who you say you are? You supply a password. But how does Windows know that it’s the right password? We saw in the cryptography chapter that systems that need to authenticate users should store password hashes, not the passwords themselves. Sure enough, Windows stores user password hashes, not the passwords themselves. Windows does this using a hashing algorithm called NTLM. Windows uses NTLM to generate a hash of the password that the user supplies at login time and compares it to the hash that’s been stored for that user. If it’s a local account, the known-good hash is stored on that computer. If it’s a domain account, then the computer will ask the domain controller whether the supplied hash is the right one.
When else is the password needed?
It’s needed when you access domain resources like shared drives. It would be awkward if you had to type in your password every time you accessed any domain resource. So Windows keeps your password hash in memory and sends it whenever you need to access domain resources. The domain controller verifies the password hash, and if it matches, the domain controller grants access. This makes for a smooth user experience. But are there security implications? Well, one implication is that the password hash has to remain in memory. That implication is the basis for a tool called Mimikatz. ...