How do I turn off reversible password encryption?
Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> “Store passwords using reversible encryption” to “Disabled”.
Should you store passwords using reversible encryption?
It’s not recommended to store passwords using reversible encryption for all users in the Domain policy. The advantage is that this policy provides support for applications which require knowledge of the user’s password for authentication purposes.
What is a reversible password?
Updated on December 23, 2019. The Store Passwords Using Reversible Encryption setting determines whether Windows stores passwords using reversible encryption. Enabling this is essentially the same as storing passwords in plain text, which is insecure and not recommended.
Why would you not want to store passwords using reversible encryption?
Reversible encryption is not commonly used for passwords because the specific requirements and parameters of password authentication are incompatible with the weakness of reversible encryption. The primary weakness of reversible encryption is simple: if the key is compromised, the encrypted data is compromised, period.
What does it mean to store passwords with reversible encryption?
The Store password using reversible encryption policy setting provides support for applications that use protocols that require the user’s password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted.
Are there reversibly encrypted passwords in Active Directory?
“The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.”
Do you need to enable reversible encryption in IIS?
Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. Set the value for Store password using reversible encryption to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to Enabled.
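Before setting the policy to Disabled, it helps to see every place reversible storage is currently switched on: the domain password policy, any fine-grained password policy, and the per-account flag. The script below is an added example, not taken from the original page; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the domain.

```powershell
# Added example: audit where "Store passwords using reversible encryption"
# is in effect. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

$findings = @()

# 1. Default domain password policy (the Account Policies setting).
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$findings += [pscustomobject]@{
    Scope   = 'Default domain policy'
    Name    = $domainPolicy.DistinguishedName
    Enabled = $domainPolicy.ReversibleEncryptionEnabled
}

# 2. Fine-grained password policies can enable it for specific users or groups
#    even when the domain policy is Disabled.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $findings += [pscustomobject]@{
        Scope   = 'Fine-grained policy'
        Name    = $fgpp.Name
        Enabled = $fgpp.ReversibleEncryptionEnabled
    }
}

# 3. Per-account override: bit 0x80 (128) of userAccountControl is the
#    "store password using reversible encryption" flag on the user object.
$flagged = Get-ADUser -Filter 'userAccountControl -band 128' `
    -Properties userAccountControl, PasswordLastSet
foreach ($user in $flagged) {
    $findings += [pscustomobject]@{
        Scope   = 'User account flag'
        Name    = $user.SamAccountName
        Enabled = $true
    }
}

# Show only the places where reversible storage is switched on.
$enabled = $findings | Where-Object { $_.Enabled }
if ($enabled) {
    $enabled | Sort-Object Scope, Name | Format-Table -AutoSize
} else {
    Write-Output 'Reversible encryption is not enabled in any policy or account.'
}
```

Accounts listed under "User account flag" are the ones to review against the CHAP and Digest Authentication requirements before the flag is cleared.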
Do you need a public key for reversible encryption?
In order to support the reversible encryption (not necessarily symmetric, as @goenfawr notes), you need at least one key (two for public key cryptography). You need to generate the key, store it securely, protect it from corruption or destruction, retrieve it for use, protect it while it is in use, and periodically replace it.