
As a pentester, Kerberoasting used to reveal a service password on about 50% of networks in the 2010s when admins were making the passwords. Today our advice to clients on Kerberoasting is the same as it was back then: use a password manager to generate a 21-character password for all service accounts and disable RC4 where possible. 52^21 is quite a large key space, and even at 10^10 guesses per second over a year your chances are less than 1 in a billion of a successful crack.
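
The remediation above, as an added example that is not part of the original comment: it generates 21-character [A-Za-z] passwords with a CSPRNG and rejection sampling, reports the key-space arithmetic from the comment, and then resets every SPN-bearing user account in the domain to AES-only. It assumes the RSAT ActiveDirectory module is installed and that the caller can reset passwords and edit encryption types; the account filter and the alphabet are assumptions, not anything the comment specifies.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory and rights to
# reset passwords and change msDS-SupportedEncryptionTypes on the target accounts.
Import-Module ActiveDirectory

$Alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'   # 52 symbols
$Length   = 21

function New-ServicePassword {
    param([int]$Length = 21)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Largest multiple of 52 that fits in a uint32; anything at or above it is
    # rejected so every symbol is equally likely (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Alphabet.Count)
    $chars = foreach ($i in 1..$Length) {
        do {
            $rng.GetBytes($bytes)
            $n = [BitConverter]::ToUInt32($bytes, 0)
        } while ($n -ge $limit)
        $Alphabet[$n % $Alphabet.Count]
    }
    $rng.Dispose()
    -join $chars
}

# Key-space arithmetic from the comment: 52^21 candidates against 1e10 guesses/s for a year.
$KeySpace       = [bigint]::Pow($Alphabet.Count, $Length)
$GuessesPerYear = [bigint]10000000000 * 365 * 86400
$Probability    = [double]$GuessesPerYear / [double]$KeySpace
"Key space {0:E3}; guesses per year {1:E3}; P(crack within a year) ~ {2:E3}" -f `
    [double]$KeySpace, [double]$GuessesPerYear, $Probability

# Every user object with at least one SPN is Kerberoastable; rotate and lock to AES.
# Accounts that must stay RC4 for legacy gear belong in the isolated zone, not here.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName
foreach ($acct in $spnAccounts) {
    $pw     = New-ServicePassword -Length $Length
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    # Reset first so the DC derives fresh AES keys from the new password ...
    Set-ADAccountPassword -Identity $acct -NewPassword $secure -Reset
    # ... then clear the RC4 bit so the KDC issues AES tickets for these SPNs.
    Set-ADUser -Identity $acct -KerberosEncryptionType AES128, AES256
    # Hand $pw to the service owner through the password manager; never write it to a log.
}
```

Run it with `-WhatIf` on the two `Set-AD*` calls first, and remember that the service itself (the SQL instance, the scheduled task, the IIS app pool) must be updated with the new password at the same time or it will start failing logon and may lock the account.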


> disable RC4 where possible

I'm curious. Under what circumstances would it be _not_ possible to disable RC4?

Is this in case there is a Windows 98 machine running somewhere in the network?


In my experience it's always been legacy hardware or industrial automation where it would cost millions to update the equipment / software. Simply limiting the blast radius of those systems and isolating them on the network into their own security zone is always less expensive and thus the perfectly reasonable solution.


Cheap Cloud storage has never returned rainbow tables to viability, right? I stopped checking sometime after I got out of the space.


Salting defeats the rainbow table; Kerberos uses PBKDF2, which defeats the rainbows.
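
To show why the salt matters, here is an added example that is not from the thread: the PBKDF2 stage of the Kerberos AES string-to-key function from RFC 3962, where the salt is the upper-case realm followed by the principal name components and the default iteration count is 4096. It is deliberately simplified: the real AES key is DK(PBKDF2 output, "kerberos"), and this stops at the PBKDF2 output, which is enough to show that one password yields a different key for every principal. The realm, principal names and password are constructed for the example.

```powershell
# Added example (not from the thread). Simplification: real RFC 3962 keys apply a
# further DK("kerberos") step to this output; the salting behaviour is the same.
function Get-KerberosPbkdf2Key {
    param(
        [string]$Password,
        [string]$Realm,            # upper-case realm, e.g. CORP.EXAMPLE.COM
        [string[]]$Components,     # principal name components, e.g. @('svc_sql')
        [int]$Iterations = 4096,   # RFC 3962 default iteration count
        [int]$KeyBytes   = 32      # 32 for aes256-cts-hmac-sha1-96, 16 for aes128
    )
    # RFC 3962 default salt: realm || concatenated principal components, no separators
    $saltString = $Realm + (-join $Components)
    $salt = [System.Text.Encoding]::UTF8.GetBytes($saltString)
    $kdf  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
                $Password, $salt, $Iterations,
                [System.Security.Cryptography.HashAlgorithmName]::SHA1)
    try     { ($kdf.GetBytes($KeyBytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $kdf.Dispose() }
}

# Constructed inputs: one weak password reused on three principals.
$pw = 'Summer2024!'
$a = Get-KerberosPbkdf2Key -Password $pw -Realm 'CORP.EXAMPLE.COM' -Components @('svc_sql')
$b = Get-KerberosPbkdf2Key -Password $pw -Realm 'CORP.EXAMPLE.COM' -Components @('svc_web')
$c = Get-KerberosPbkdf2Key -Password $pw -Realm 'LAB.EXAMPLE.COM'  -Components @('svc_sql')
"svc_sql@CORP.EXAMPLE.COM  $a"
"svc_web@CORP.EXAMPLE.COM  $b"
"svc_sql@LAB.EXAMPLE.COM   $c"
"distinct keys for one password: $(@($a, $b, $c | Select-Object -Unique).Count)"
```

Three distinct keys come out, so a table precomputed from passwords alone is useless against AES tickets. Two caveats a practitioner should keep in mind: the RC4-HMAC key is the unsalted NT hash (MD4 of the UTF-16LE password), so the same password gives the same key on every account and in every domain, which is the reason the first comment pairs long passwords with disabling RC4; and salting only stops precomputation, not brute force, since a cracker still runs PBKDF2 per candidate per ticket (hashcat modes 19600/19700 for AES128/AES256 TGS-REP versus 13100 for RC4), just at a far lower rate, which is what the 21-character advice is protecting against.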

