Obviously RC4 itself isn't the problem. The problem is that Microsoft ships a "ciphersuite" that includes a bad password-based key derivation algorithm that also happens to be tied to a whole pile of bad cryptography. And the real, real problem is that Microsoft still ships a design in which low-entropy passwords can be misconfigured for use in encrypting credentials, which is a nightmare out of the 1990s and should have been completely disallowed in 2010.
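The misconfiguration the comment above describes is visible in Active Directory as the `msDS-SupportedEncryptionTypes` bitmask on each account: if the RC4-HMAC bit is set, a ticket for that account can be encrypted under a key that is just a hash of the account's password. The following audit helper is an added example written for this thread, not code from any commenter or from Microsoft; it decodes the bitmask using the bit values documented in MS-KILE and flags accounts that still permit RC4. The rows it reads are constructed sample data, shaped like a `sAMAccountName` / `msDS-SupportedEncryptionTypes` export; how an unset attribute is interpreted depends on the domain's default, so it is reported as "unset" rather than guessed.

```python
"""Audit which AD accounts still permit the RC4-HMAC Kerberos encryption type.

Added example, not part of the original discussion. Input rows mimic an LDAP
export of (sAMAccountName, msDS-SupportedEncryptionTypes); the sample rows at
the bottom are constructed.
"""
from typing import Iterable, Optional

# msDS-SupportedEncryptionTypes bit flags (MS-KILE, section 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1_96: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS_HMAC_SHA1_96: "AES256-CTS-HMAC-SHA1-96",
}
AES_BITS = AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96
DES_BITS = DES_CBC_CRC | DES_CBC_MD5
KNOWN_BITS = DES_BITS | RC4_HMAC | AES_BITS


def decode_etypes(value: Optional[int]) -> list[str]:
    """Return the human-readable etype names enabled in a bitmask.

    None or 0 means the attribute is not set on the account, in which case the
    domain default applies and nothing can be concluded from the attribute alone.
    Bits outside the documented set are reported numerically, not guessed.
    """
    if not value:
        return []
    names = [name for bit, name in ETYPE_NAMES.items() if value & bit]
    unknown = value & ~KNOWN_BITS
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names


def classify(value: Optional[int]) -> str:
    """Classify an account's etype policy from the bitmask.

    'unset'       - attribute absent/zero; the domain default decides.
    'des'         - any single-DES etype is permitted (worse than RC4).
    'rc4-only'    - RC4 permitted and no AES etype permitted.
    'rc4-allowed' - RC4 and AES both permitted (downgrade remains possible).
    'aes-only'    - only AES etypes permitted.
    'other'       - only undocumented bits set.
    """
    if not value:
        return "unset"
    if value & DES_BITS:
        return "des"
    has_rc4 = bool(value & RC4_HMAC)
    has_aes = bool(value & AES_BITS)
    if has_rc4 and not has_aes:
        return "rc4-only"
    if has_rc4 and has_aes:
        return "rc4-allowed"
    if has_aes:
        return "aes-only"
    return "other"


def audit(rows: Iterable[tuple[str, Optional[int]]]) -> list[tuple[str, str, list[str]]]:
    """Return (account, classification, etype names) for accounts needing attention.

    Accounts that are AES-only are omitted; everything else (RC4, DES, unset or
    undocumented bits) is returned so an operator can review it.
    """
    findings = []
    for account, value in rows:
        status = classify(value)
        if status != "aes-only":
            findings.append((account, status, decode_etypes(value)))
    return findings


# Constructed sample export (hypothetical account names and values).
SAMPLE_ROWS: list[tuple[str, Optional[int]]] = [
    ("svc-legacy-app", 0x04),     # RC4 only
    ("svc-web", 0x1C),            # RC4 + AES128 + AES256
    ("svc-modern", 0x18),         # AES128 + AES256 only
    ("svc-ancient", 0x07),        # DES + RC4
    ("svc-unconfigured", None),   # attribute not set
]

if __name__ == "__main__":
    for account, status, names in audit(SAMPLE_ROWS):
        print(f"{account:20} {status:12} {', '.join(names) or '-'}")
```

Run as-is it prints the four accounts that are not AES-only; in a real environment you would feed it the output of an LDAP query for the two attributes and treat the "unset" rows according to your domain's default etype policy.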
But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this: https://www.microsoft.com/en-us/windows-server/blog/2025/12/...
Are you referring to Windows Kerberos here or NTLM?
What are the bets that the NSA has been encouraging Microsoft to keep shipping this?
> But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this
Microsoft is actually talking about RC4 there; the article is conflating NTLM and RC4 things together.