Pass the hash
(also pass the hash attack)
Pass the hash definition
Pass the hash is a hacking technique that allows an attacker to use a hashed password without actually knowing the user’s plaintext password. Pass the hash attacks typically target Windows systems, but they can affect any server accepting LANMan or NT LAN Manager authentication.
See also: hashing, hash chain, hash function, cyberattack
How pass the hash works
For security, servers typically do not store plaintext passwords — they store password hashes instead. To authenticate users, they hash the plaintext password entered in the “Password” field and compare it to the password hash value stored on the system.
However, this also means that the password hash can be used in place of the user’s actual password. Once they’ve obtained the password hash (for example, by extracting it from the Windows SAM database or Active Directory), attackers can pose as legitimate users and move undetected through the system.
Stopping pass the hash attacks
- Use multi-factor authentication (such as an authenticator app) to prevent hackers from gaining access to your accounts with stolen password hashes.
- Change passwords regularly to limit how long their password hashes are active. Frequent password rotation greatly reduces the window of attack for hackers.
- Update your system frequently with the latest security patches to close off discovered vulnerabilities.
- Implement the principle of least privilege on your network by restricting user accounts to the minimum level of access required for their tasks. This helps limit the potential damage an attacker can cause with a stolen password hash.