Aside from the lack of password security, NTLM has several other behaviors that make it a hacker’s paradise. First, it doesn’t require any local connection to a Windows Domain. Also, it is needed when using a local account and when you don’t know who the intended target server is. On top of these weaknesses, it was invented so long ago — indeed before Active Directory was even considered — that it doesn’t support modern cryptographic techniques, making its simple unsalted hashing system trivially easy to break and decode.
Kerberos versus NTLM
Those modern techniques are thankfully part of the Kerberos protocols, which is what Microsoft has been trying to replace NTLM with over the past several years. Since Windows Server 2000, it has been the default choice for authentication. “NTLM relies on a three-way handshake between the client and server to authenticate a user,” wrote Crowdstrike’s Narendran Vaideeswaran in a blog in April 2023. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.” That ticketing process means that Kerberos is secure by design, something that never could be claimed for NTLM.
One of the reasons for NTLM’s enduring reign is that it was easy to implement. This is because when Kerberos (or something else) didn’t work properly, NTLM was the fallback choice, which means if a user or an app tries to authenticate with Kerberos and fails, it automatically (in most cases) tries to use NTLM protocols. “For example, if you have workgroups with local user accounts, where the user is authenticated directly by the application server, Kerberos won’t work,” wrote TechRepublic. Microsoft has said that local users still make up a third of NTLM usage, one of the reasons why Microsoft wants to maintain its older systems. Another pain point is the protocol used to implement Remote Desktop Services, which can often fallback to NTLM. However, “Microsoft supports legacy security configurations long past their expiration dates,” writes Adrian Amos in a blog post from November 2023.
