One often-overlooked security risk in Active Directory (AD) is the setting AllowReversiblePasswordEncryption. When enabled on a user account, AD stores the password not only as a hash but also in a form that can be reversed back into plain text. While this was once necessary for certain legacy protocols, today it represents a serious security vulnerability.
Why is AllowReversiblePasswordEncryption Dangerous?
If an attacker gains access to the AD database (for example, through an ntds.dit dump), they can directly recover passwords in plain text.
The consequences are severe:
- No need for time-consuming hash cracking
- Immediate lateral movement across the network
- Higher risk of full domain compromise
In modern environments, there is virtually no legitimate reason to keep this flag enabled.
How to Check for Risky Accounts with PowerShell
Fortunately, it’s easy to check if any accounts in your AD are affected. You can use the following PowerShell command, which is read-only and safe to run:
- Empty output → no accounts are configured with reversible password encryption.
- Results returned → these accounts should be reviewed and remediated immediately.
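The following script is an added example, not the command from the original post: it enumerates accounts with the flag set and previews the remediation. It assumes the RSAT ActiveDirectory module is installed, that the session has read rights on the domain, and that Set-ADUser is only run for real (without -WhatIf) after each hit has been reviewed. The function name Get-ReversibleEncryptionUsers is my own.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory
# module and read access to the domain; remediation additionally needs write
# rights on the affected user objects.
Import-Module ActiveDirectory

# AllowReversiblePasswordEncryption is backed by bit 0x0080
# (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl. The LDAP filter below
# uses the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) so it works
# regardless of how the AD module maps the friendly property name.
function Get-ReversibleEncryptionUsers {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
        -Properties AllowReversiblePasswordEncryption, Enabled, PasswordLastSet, userAccountControl |
    Select-Object SamAccountName, DistinguishedName, Enabled, PasswordLastSet,
        @{ Name = 'ReversibleFlag'; Expression = { ($_.userAccountControl -band 0x80) -ne 0 } }
}

$risky = Get-ReversibleEncryptionUsers

if (-not $risky) {
    # Read-only check returned nothing: no account has the flag set.
    Write-Host 'No accounts have reversible password encryption enabled.'
}
else {
    $risky | Format-Table -AutoSize

    # Preview the remediation for every hit. -WhatIf shows what would change
    # without touching the directory; drop it once each account has been reviewed.
    foreach ($user in $risky) {
        Set-ADUser -Identity $user.DistinguishedName `
            -AllowReversiblePasswordEncryption $false -WhatIf
    }
}
```

Two points worth remembering when acting on the results: clearing the flag does not erase a reversibly encrypted password that is already stored, so a password reset for each affected account should follow the change; and the same behaviour can be turned on domain-wide through the password policy setting "Store passwords using reversible encryption" in Group Policy, which this per-account query does not surface and should be audited separately.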
Conclusion: Small Misconfiguration, Big Risk
The AllowReversiblePasswordEncryption option may seem harmless, but in reality it’s a silent and significant security risk.
A single PowerShell query is all it takes to identify vulnerable accounts.
Best practice: Audit your AD environment regularly and ensure that this setting is not enabled anywhere.