{
	"id": "8f925aa4-38b2-4a35-af8d-ee5b1dd44f43",
	"created_at": "2026-04-06T00:17:33.515245Z",
	"updated_at": "2026-04-10T03:21:10.380085Z",
	"deleted_at": null,
	"sha1_hash": "ff057c64281dade04d845d30286fd207c52f0b09",
	"title": "Store passwords using reversible encryption - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39521,
	"plain_text": "Store passwords using reversible encryption - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 12:37:40 UTC\r\nApplies to\r\nWindows 11\r\nWindows 10\r\nDescribes the best practices, location, values, and security considerations for the Store passwords using\r\nreversible encryption security policy setting.\r\nReference\r\nThe Store password using reversible encryption policy setting provides support for applications that use\r\nprotocols that require the user's password for authentication. Storing encrypted passwords in a way that is\r\nreversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break\r\nthis encryption can then sign in to network resources by using the compromised account. For this reason, never\r\nenable Store password using reversible encryption for all users in the domain unless application requirements\r\noutweigh the need to protect password information.\r\nIf you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet\r\nAuthentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is\r\nused by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also\r\nrequires that you enable this policy setting.\r\nPossible values\r\nEnabled\r\nDisabled\r\nNot defined\r\nBest practices\r\nSet the value for Store password using reversible encryption to Disabled. If you use CHAP through remote\r\naccess or IAS, or Digest Authentication in IIS, you must set this value to Enabled. This setting presents a security\r\nrisk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the\r\nappropriate user account object in Active Directory Users and Computers.\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption\r\nPage 1 of 3\n\nNote: Do not enable this policy setting unless business requirements outweigh the need to protect\r\npassword information.\r\nLocation\r\nComputer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\\r\nDefault values\r\nThe following table lists the actual and effective default policy values. Default values are also listed on the\r\npolicy’s property page.\r\nServer type or Group Policy Object (GPO) Default value\r\nDefault domain policy Disabled\r\nDefault domain controller policy Disabled\r\nStand-alone server default settings Disabled\r\nDomain controller effective default settings Disabled\r\nMember server effective default settings Disabled\r\nEffective GPO default settings on client computers Disabled\r\nSecurity considerations\r\nThis section describes how an attacker might exploit a feature or its configuration, how to implement the\r\ncountermeasure, and the possible negative consequences of countermeasure implementation.\r\nVulnerability\r\nEnabling this policy setting allows the operating system to store passwords in a format that can weaken your\r\noverall security.\r\nCountermeasure\r\nDisable the Store password using reversible encryption policy setting.\r\nNote\r\nWhen policy settings are disabled, only new passwords will be stored using one-way encryption by default.\r\nExisting passwords will be stored using reversible encryption until they are changed.\r\nPotential impact\r\nIf your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must\r\nconfigure this policy setting to Enabled. This setting presents a security risk when you apply the setting through\r\nGroup Policy on a user-by-user basis because it requires the appropriate user account object to be opened in\r\nActive Directory Users and Computers.\r\nPassword Policy\r\nSource: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption"
	],
	"report_names": [
		"store-passwords-using-reversible-encryption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff057c64281dade04d845d30286fd207c52f0b09.pdf",
		"text": "https://archive.orkl.eu/ff057c64281dade04d845d30286fd207c52f0b09.txt",
		"img": "https://archive.orkl.eu/ff057c64281dade04d845d30286fd207c52f0b09.jpg"
	}
}