TL;DR
Yes, accounts can still be logged on to even if password caching is disabled, but it depends on how the system is configured. Modern systems rely on other methods, such as Kerberos or NTLM authentication and password hashing, to verify passwords without storing them in plain text or in a readily cacheable format.
Understanding Password Caching
Password caching (also known as credential caching) stores user credentials temporarily to avoid repeatedly prompting for usernames and passwords. While convenient, it presents security risks if compromised. Disabling password caching increases security but doesn’t eliminate the possibility of logon.
How Logon Works Without Password Caching
- Kerberos Authentication: This is a network authentication protocol that uses tickets to verify user identity without transmitting passwords over the network. If Kerberos is enabled, users obtain a ticket granting them access to resources.
- NTLM Authentication: An older protocol used in Windows domains. NTLM uses hashing algorithms to authenticate users. While less secure than Kerberos, it still doesn’t rely on storing passwords directly.
- Hashing Algorithms: Systems store a hash of the password (a one-way function) instead of the actual password. When you enter your password, the system hashes it and compares it to the stored hash. If they match, you are authenticated. This is standard practice even with caching disabled.
- Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second form of verification (e.g., a code from your phone). It works independently of password caching.
Checking Password Caching Settings
The method for checking and disabling password caching varies depending on the operating system.
Windows
- Group Policy: The most common way to manage password caching in a domain environment.
  - Open Group Policy Management (gpedit.msc).
  - Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
  - Check the settings for ‘Maximum password age’ and ‘Minimum password length’. These don’t directly control caching, but they affect overall security.
  - To disable credential caching specifically, you may need to adjust policies related to Kerberos or NTLM authentication.
- Registry: You can modify the registry (use with caution!).
  - Open Registry Editor (regedit).
  - Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
  - Look for a value named ‘DisableCredentialCaching’. Setting this to 1 disables caching.
Linux
Password caching settings are typically managed through PAM (Pluggable Authentication Modules) configuration files.
- PAM Configuration: Edit the relevant PAM configuration file (e.g., /etc/pam.d/common-auth).
  - Look for modules related to caching, such as pam_unix.so or similar.
  - Adjust the module parameters to disable caching if it’s enabled. The specific configuration will vary depending on your Linux distribution and PAM setup.
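As an added example (not part of the original article), a small Python parser for pam.d rule lines that reports which auth rules reference modules associated with offline credential caching. The common-auth content is constructed; the module list is an assumption to adapt to your distribution, and it flags pam_ccreds.so and pam_sss.so because those provide the caching, while pam_unix.so checks the local shadow file and appears in the sample only to show a typical file being parsed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of /etc/pam.d/common-auth (not a real file).
SAMPLE_COMMON_AUTH = """\
# /etc/pam.d/common-auth - authentication settings common to all services
auth    [success=2 default=ignore]  pam_unix.so nullok
auth    [success=1 default=ignore]  pam_sss.so use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_ccreds.so action=store
"""

# Assumption: these are the modules that provide offline credential caching at
# your site. pam_unix.so verifies against /etc/shadow and is not a cache.
CACHING_MODULES = {
    "pam_ccreds.so": "stores a local copy of credentials (action=store/update/validate)",
    "pam_sss.so": "SSSD; offline caching is governed by cache_credentials in sssd.conf",
}

@dataclass
class PamRule:
    kind: str              # auth, account, password, session
    control: str           # e.g. required or [success=1 default=ignore]
    module: str            # e.g. pam_unix.so
    args: list = field(default_factory=list)

def parse_pam(text):
    """Parse pam.d rule lines, handling bracketed control fields and comments."""
    rule_re = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = rule_re.match(line)
        if m:
            rules.append(PamRule(m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def caching_findings(text):
    """Return (module, control, args, note) for auth rules that may cache credentials."""
    return [(r.module, r.control, r.args, CACHING_MODULES[r.module])
            for r in parse_pam(text)
            if r.kind == "auth" and r.module in CACHING_MODULES]

if __name__ == "__main__":
    for module, control, args, note in caching_findings(SAMPLE_COMMON_AUTH):
        print(f"{module:14} {control:28} {' '.join(args):16} {note}")
```

Point it at the real file (for example with `caching_findings(open("/etc/pam.d/common-auth").read())`) to see which rules to review before changing parameters.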
What Happens When Caching is Disabled?
- Increased Logon Time: Users may experience slightly longer logon times as the system needs to re-authenticate each time.
- More Network Traffic: Kerberos or NTLM authentication requires more network communication.
- No Plain Text Password Storage: The primary benefit is that passwords are not stored in a readily cacheable format, reducing the risk of compromise if the cache is accessed.