Active Directory reversible encryption explained

If you have administered password policies in Active Directory or looked at the local policies present in the Windows client operating system, you may have noticed an interesting setting contained in the Account policies section. The setting is Store passwords using reversible encryption. What is this setting, and why would you use it?

Store passwords using reversible encryption properties

What is the ‘store passwords using reversible encryption’ setting? 

‘Store passwords using reversible encryption’ is a policy setting within Active Directory that determines whether passwords are stored in a way that uses reversible encryption. It stores the passwords using a reversible encryption scheme that can be provided during the authentication process. Active Directory supports legacy applications that needed passwords in the clear-text form to function. 

This policy is required when using some third party apps, but most commonly required with Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). 

Why would you enable Active Directory reversible encryption?

The policy setting can apply to applications that use protocols that require knowledge of the user’s password in cleartext. By default, the user’s password history is non-reversibly encrypted, although, there are a couple of use cases that may require reversible encryption. To support some applications and their authentication, Microsoft permits the ability to store passwords using reversible encryption due to their required knowledge of the user passwords. 

There are a couple of use cases where this setting would be enabled in Active Directory, for example:

  • Challenge Handshake Authentication Protocol (CHAP) for remote access or Internet Authentication Services (IAS)
  • Internet Information Services (IIS) Digest Authentication
  • Running Specops Password Policy on Active Directory 

With the above use cases mentioned, organizations will want to treat this setting with tremendous care as there are significant security implications from its enablement.

It is strongly recommended that organizations only enable reversible encryption if they are confident their Domain Controllers are secure. 

Continuous Scan Password Policy icon
Enforce Stronger Passwords While Continuously Blocking 4 Billion+ Compromised Passwords in Active Directory

Considerations when enabling and disabling reversible encryption

If your organization must enable this setting in Active Directory, there are a few guidelines to follow. These include:

  1. Make sure enabling the setting is necessary for your business.
  2. Use group policy to apply the setting to specific users granularly and not at the domain level for everyone.
  3. Keep in mind that if you enable the setting and then disable it, only new passwords will be stored using one-way encryption by default. Existing passwords will be stored using reversible encryption until they are changed.

Increasing the strength of Active Directory passwords

Organizations need to ensure that they have strong password policies in place for Active Directory. Aside from following best practice recommendations, there are other factors that can bolster password hygiene in the environment. These include checking the environment for breached passwords and proactive monitoring for these types of passwords.

Specops Password Policy and the Breached Password Protection service provide organizations with the automation needed to strengthen their password security posture. The solution blocks the use of a growing list of more than 4 unique known compromised passwords, found in data leaks, malware botnets, and live attacks via the Specops honeypot system. 

Configuring breached password protection in Specops Password Policy

Learn more about Specops Password Policy and download a free trial version.  

(Last updated on November 14, 2024)

brandon lee writer

Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.

Back to Blog

Related Articles

  • Self-service encryption key recovery for BitLocker

    Stockholm, June 19, 2019 – Specops Software announced today a new release of Specops Key Recovery. The solution now provides self-service key recovery for devices encrypted with BitLocker. This allows users to unlock their devices with multi-factor authentication, without calling the helpdesk. “BitLocker is used by the majority of organizations running on Windows” said Lori…

    Read More
  • Unencrypted biometrics reveal massive risk

    Security researchers gained access to more than 27.8 million records, including fingerprints, facial recognition data, usernames and passwords, in the mostly unencrypted and unhashed Biostar 2 database. Biostar 2 is a web-based biometrics locking system used for physical security when granting access to buildings. The breach in effect provides hackers with access to user accounts…

    Read More
  • What are the benefits of Full Disk Encryption

    Encryption at the hardware level is great addition to any security portfolio, but it must be enabled with care and consideration.

    Read More