[squid-users] NTLM Authentication Failing

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 09:31:22 UTC 2015


On 22/10/2015 10:33 a.m., Alex Samad wrote:
> Would it be fair to say best practice is to get Kerberos working in favour
> of ntlm ?

Best Practice is not to have NTLM at all. In the same way that it's best
practice not to use 8-bit (1 letter) passwords.


NTLM was formally deprecated in 2006 by MS. Kerberos was added in 1998.
You should not be using NTLM at all by now unless you are running
software that has not been updated since before 2001 and still requires
NTLM as its only possible authentication scheme.

I'm really not joking when I write that Basic auth is more secure than
NTLM. The simple fact that everyone is aware of the weakness in Basic
auth credentials means a lot of extra protection has gone into keeping
them secure and safe. NTLM can trivially be auto-downgraded to LanMan
which is just as insecure - but still treated widely as if it were a
magically "secure and unbreakable" auth even though its crypto was
obsolete almost 20 years ago.

Amos
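
Added example, not part of the original message or of Squid: a Python classifier for Proxy-Authorization header values that shows which clients still send NTLM (raw, or as a fallback inside Negotiate) and whether an NTLM reply is LM-only, NTLMv1-sized or NTLMv2. The label strings and the sample_type3() helper are hypothetical, the sample messages are constructed, and treating a Negotiate token that opens with byte 0x60 as GSS-API (normally Kerberos) is a heuristic.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message

def ntlm_detail(msg):
    """Describe one NTLM message from its fixed header fields."""
    if len(msg) < 12:
        return "truncated"
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != 3:
        return {1: "negotiate", 2: "challenge"}.get(mtype, "unknown")
    if len(msg) < 28:
        return "truncated"
    # AUTHENTICATE: LM response length at offset 12, NT response length at 20.
    lm_len, nt_len = struct.unpack_from("<H6xH", msg, 12)
    if nt_len > 24:
        return "auth-ntlmv2"
    if nt_len == 24:  # NTLMv1 or NTLM2 session response, both 24 bytes
        return "auth-ntlmv1"
    return "auth-lm-only" if lm_len else "auth-anonymous"

def classify(header_value):
    """Label the value of a Proxy-Authorization (or Authorization) header."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("ntlm", "negotiate"):
        return "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "malformed"
    # NTLM can arrive raw or wrapped in SPNEGO under "Negotiate".
    idx = token.find(NTLMSSP)
    if idx >= 0:
        prefix = "ntlm:" if scheme == "ntlm" else "negotiate/ntlm:"
        return prefix + ntlm_detail(token[idx:])
    if scheme == "negotiate" and token[:1] == b"\x60":  # GSS-API framing
        return "negotiate/gssapi"
    return "malformed"

def sample_type3(lm_len, nt_len):
    """Constructed sample: 28-byte AUTHENTICATE header, payload omitted."""
    return NTLMSSP + struct.pack("<IHHIHHI", 3, lm_len, lm_len, 64,
                                 nt_len, nt_len, 64 + lm_len)

if __name__ == "__main__":
    for name, raw in [("v1", sample_type3(24, 24)), ("v2", sample_type3(24, 150))]:
        print(name, classify("Negotiate " + base64.b64encode(raw).decode()))
```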