16 Mar
2017
16 Mar
'17
1:01 p.m.
On 16/03/2017 13:42, Alan DeKok wrote:
Anyone who can see the RADIUS packets can crack MS-CHAPv2 with small amounts of effort. In contrast, the PAP encryption in RADIUS has*zero* cracks after almost 25 years.
This is true. There is an operational reason why you still might want to use MS-CHAPv2 though, which is that it permits password expiry and password changing as part of the exchange. This can be quite a nice user experience, for those clients which support it anyway. It avoids having to rely on the user connecting to some other service to get prompted that it's time to change their password. I'm talking about MS-CHAPv2 inside TLS of course. Don't even think about PPTP across the open Internet :-) Regards, Brian.