samuong / alpaca

A local HTTP proxy for command-line tools. Supports PAC scripts and NTLM authentication.
Apache License 2.0
184 stars 31 forks

MD4 flagged as security issue #82

Closed rtfmoz2 closed 2 years ago

rtfmoz2 commented 2 years ago

/projects/alpaca/authenticator.go:30:2 package golang.org/x/crypto/md4 is deprecated: MD4 is cryptographically broken and should only be used where compatibility with legacy systems, not security, is the goal. Instead, use a secure hash like SHA-256 (from crypto/sha256). (SA1019)

Is it too soon to deprecate NTLMv1 support?

samuong commented 2 years ago

According to https://en.wikipedia.org/wiki/NT_LAN_Manager#Protocol:

NTLMv2 uses the NT MD4 based one-way function (NTOWF)

Alpaca uses https://github.com/Azure/go-ntlmssp, which only supports NTLMv2 (and not v1). Unfortunately this still requires an MD4-hashed password.

Short of removing NTLM support, I don't think there's much we can do here.

I'm going to close this issue, but feel free to reopen if I've missed something.
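To make the point in the reply above concrete, here is an added example that is not code from alpaca or from go-ntlmssp. It computes the NTLMv2 key material as MS-NLMP defines it: NTOWFv1 is MD4 over the UTF-16LE password, and NTOWFv2 is HMAC-MD5 keyed with NTOWFv1 over the upper-cased user name followed by the domain. MD4 is implemented here from scratch (RFC 1320) so the block runs without golang.org/x/crypto; the inputs "Password", "User" and "Domain" and the expected hex digests are taken from the MS-NLMP section 4.2 test vectors, not from this issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4Block compresses one 64-byte block into the running state s (RFC 1320).
func md4Block(s *[4]uint32, blk []byte) {
	var x [16]uint32
	for i := range x {
		x[i] = binary.LittleEndian.Uint32(blk[4*i:])
	}
	a, b, c, d := s[0], s[1], s[2], s[3]
	rotl := bits.RotateLeft32
	for i := 0; i < 16; i += 4 { // round 1: F(x,y,z) = (x AND y) OR (NOT x AND z)
		a = rotl(a+((b&c)|(^b&d))+x[i], 3)
		d = rotl(d+((a&b)|(^a&c))+x[i+1], 7)
		c = rotl(c+((d&a)|(^d&b))+x[i+2], 11)
		b = rotl(b+((c&d)|(^c&a))+x[i+3], 19)
	}
	for i := 0; i < 4; i++ { // round 2: G = majority(x,y,z), constant from sqrt(2)
		a = rotl(a+((b&c)|(b&d)|(c&d))+x[i]+0x5a827999, 3)
		d = rotl(d+((a&b)|(a&c)|(b&c))+x[i+4]+0x5a827999, 5)
		c = rotl(c+((d&a)|(d&b)|(a&b))+x[i+8]+0x5a827999, 9)
		b = rotl(b+((c&d)|(c&a)|(d&a))+x[i+12]+0x5a827999, 13)
	}
	for _, i := range [4]int{0, 2, 1, 3} { // round 3: H = x XOR y XOR z, constant from sqrt(3)
		a = rotl(a+(b^c^d)+x[i]+0x6ed9eba1, 3)
		d = rotl(d+(a^b^c)+x[i+8]+0x6ed9eba1, 9)
		c = rotl(c+(d^a^b)+x[i+4]+0x6ed9eba1, 11)
		b = rotl(b+(c^d^a)+x[i+12]+0x6ed9eba1, 15)
	}
	s[0] += a
	s[1] += b
	s[2] += c
	s[3] += d
}

// md4Sum returns the 16-byte MD4 digest of msg (Merkle-Damgard padding as in MD5).
func md4Sum(msg []byte) [16]byte {
	s := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%64 != 56 {
		padded = append(padded, 0)
	}
	var lenBytes [8]byte
	binary.LittleEndian.PutUint64(lenBytes[:], uint64(len(msg))*8)
	padded = append(padded, lenBytes[:]...)
	for i := 0; i < len(padded); i += 64 {
		md4Block(&s, padded[i:i+64])
	}
	var out [16]byte
	for i, v := range s {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// utf16le encodes s as UTF-16LE, the "UNICODE()" transform in MS-NLMP.
func utf16le(s string) []byte {
	u := utf16.Encode([]rune(s))
	b := make([]byte, 2*len(u))
	for i, v := range u {
		binary.LittleEndian.PutUint16(b[2*i:], v)
	}
	return b
}

// ntowfV1 is the NT hash: MD4(UNICODE(password)). No salt, no iteration.
func ntowfV1(password string) []byte {
	h := md4Sum(utf16le(password))
	return h[:]
}

// ntowfV2 is HMAC_MD5(NTOWFv1(password), UNICODE(Uppercase(user) + domain)).
// The MD4 output is the HMAC key, so NTLMv2 cannot be built without MD4.
func ntowfV2(password, user, domain string) []byte {
	mac := hmac.New(md5.New, ntowfV1(password))
	mac.Write(utf16le(strings.ToUpper(user) + domain))
	return mac.Sum(nil)
}

func main() {
	// Sample values from the MS-NLMP 4.2 test vectors (not from this issue).
	fmt.Println("NTOWFv1:", hex.EncodeToString(ntowfV1("Password")))
	fmt.Println("NTOWFv2:", hex.EncodeToString(ntowfV2("Password", "User", "Domain")))
}
```

The MD4 step is fixed by the protocol, not by alpaca: even a client that accepts a pre-computed NT hash instead of a cleartext password still feeds MD4 output into the HMAC-MD5 key, so the SA1019 finding can only be acknowledged at the call site (staticcheck's `//lint:ignore SA1019 <reason>` directive is the usual way), not designed away while NTLM support remains.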