See Us At TechEd 2012
June 11-14 in Orlando
President & CEO
If you are attending Microsoft TechEd in Orlando this year, stop by our booth 813 to see a few surprises. This year we are in a much larger 20x20 booth with a theater area and four demo stations. We will be demonstrating both our IT administrator tools and the latest version of our privileged identity management solution.
From a technology point of view we will also be showing how we have integrated business intelligence with privileged identity and configuration management to provide you with unprecedented insight into identity use and misuse.
As a special surprise, we will also show the new multi-lingual capabilities of our 4.83.4 ERPM web interface. You will see the web interface working natively in German, French, Spanish, Portuguese, Hungarian, Chinese (Simplified and Traditional) and more. We will also introduce you to our new any-language-in-a-day technology.
Stop by and win great prizes! We will be giving away a Parrot AR Drone 2.0 Quadricopter every day of the show. We will also be giving away $50 Amex gift cards every 30 minutes at the end of each technical
Continuing From Last Month… The Long Story of: Server-to-Server Password Synchronizer
Have you ever needed to keep a specific account and its password in sync between untrusted Windows forests, domains and workgroups? How about keeping accounts and their passwords in sync between workstations and servers in a workgroup, as well as between a domain and a workgroup?
We solved the problem of transparent password synchronization between any combination of Windows systems in 1998, as part of our work to develop a password synchronization system between IBM OS/2 LAN Server and Windows NT.
1998 And Going Strong
The funny thing about the technology we developed so long ago is that it works as well now as it did then, and it supports synchronization between the oldest Windows operating systems and the most recent Windows Server 2012 and Windows 8, both 32-bit and 64-bit.
The story of how we built this password synchronizer, and some of its interesting capabilities, requires a little explanation of the cryptography and tricks used for password authentication in Windows.
We used to sell a product called the “IBM LAN Server to Windows Migration Wizard” that allowed customers to move from the 16/32-bit LAN Manager based network operating system to the new 32-bit operating system called Windows NT.
It turns out that IBM LAN Server, Microsoft LAN Manager and Windows NT all had very similar internal cryptography. With that in mind we were able to create a great migration tool for the times. But customers wanted a way to keep their old IBM LAN Server systems on line while they migrated, so we developed a tool to synchronize password hashes between LAN Server and Windows NT. That is how Server-to-Server Password Synchronizer was built.
What’s A Hash?
To make it hard for the bad guys to figure out your password, operating system vendors (and even application vendors) convert passwords into a non-reversible but, for practical purposes, unique equivalent called a password hash. The password hash is not the password, but a signature of that password (typically a 32-digit hexadecimal number, though other hash algorithms produce longer or shorter values) that can be stored in place of the password and compared at logon.
For example, the calculated hash of the password “password” is:
The cool thing about hashes is that if I change the password just a little bit (say, change “password” to “p@ssword”), the hash changes completely. Looking at the two hashes, you would never guess that the two passwords differ by only one character.
The other interesting thing about hashes is that they don't reflect the length of the password. For example, the password “The fox jumped over the lazy dogs back.” has a hash of:
So whether I have a single-character password or one that has 127 characters, I will always get a hash of the same length.
When you log on to a Windows system with a local account, the password you type in is converted to a 16-byte (32 hex digit) hash. This hash is then compared to the hash stored away in the operating system for your account. If they match, you get in. Note that domain logons do not send or compare the hash directly: the hash is used as the key in the NTLM challenge-response or Kerberos exchange, but we won't go into the details here.
For backward compatibility there can be two password hashes stored for a single account. The first hash is known as an LM (LAN Manager) hash. This hash is for backward compatibility with Windows 3.1, Windows 95, Windows 98 and Windows ME. In modern versions of Windows (Vista and Server 2008 onward) LM hash generation is disabled by default, because LM hashes are weak (the password is upper-cased, truncated to 14 characters and processed as two independent 7-character halves) and can be cracked easily with rainbow tables.
The second hash used by Windows is known as the NT or MD4 hash: the MD4 digest of the password encoded as UTF-16LE, with no salt. The NT hash is the only password hash stored for a user in Windows these days. Because it is unsalted and is all that Windows needs to authenticate the account, it must be protected as carefully as the password itself. In addition to the hash of a password, a time and date stamp is also stored. The time stamp is used to determine when it is time to change the password if a maximum password age policy is in effect for the operating system.
How The Synchronizer Works… Or Who Has The Best Hash?
It turns out that all Microsoft Windows workstations, servers and domain controllers generate password hashes in the same way (only the internal encryption and storage of the hashes vary between operating systems).
What our product Server-to-Server Password Synchronizer does is contact all of the Windows machines you want synchronized, pull in the password hashes of the accounts you want synchronized along with their time stamps, and copy the most recent hash of each user to all the places where the hash is different or older.
Once the hashes are copied and identical in all places, a user can log on with the same password in all the places you synchronized.
Use Case: All Password Hashes Synched
Consider how cool it would be to change a password on a standalone server running a web site and have that password change propagate to other servers, domain controllers, workstations, or what have you, in just a minute or two. The reverse is also true, namely, you can change a password on a domain controller and have the hash synchronize to a standalone server in a DMZ that is not domain joined or connected to the main network.
Order Out of Chaos
One of my favorite things about Server-to-Server Password Synchronizer is that it automatically fixes bad passwords and passwords that are out of sync, without a user having to change their password to trigger synchronization. In other words, it autonomously creates order out of a horribly chaotic set of passwords for users.
Hashes Into The
Believe it or not, the first version of Windows NT and the latest versions of Windows all use the same password hash algorithm, so they are interoperable with each other. Because the hashes are identical across these operating systems, our password synchronizer works beautifully even between the oldest and the most recent of them.
What It Does Not Do
Operating systems such as mainframes, UNIX, Linux and others all use password hashes too, but they use hash algorithms incompatible with Microsoft Windows (for example, salted MD5-based schemes) to generate them; because those hashes are salted, even the same password produces a different value for every account. For this reason, hashes generated in Windows are not recognized by these other operating systems and vice versa, and Server-to-Server Password Synchronizer is a Windows-only product.
Need To Synchronize
You can install and try Server-to-Server Password Synchronizer for yourself for 30 days. You can synchronize up to 10 unique accounts over as many systems as you wish. So, if you want to try synching 2 accounts on 100 systems, you can do that for 30 days on our trial and prove to yourself how awesome having identical password hashes can be.
What do you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.