by Kenji 3612 days ago
tl;dr: Simply accessing a website with Edge leaks the user name and password hash to the attacker site. They mention that this is also default behaviour in Spartan, Internet Explorer, Outlook (though I do not know how effectively it can be delivered to something like Outlook).

Works on up-to-date Windows 10 and Edge (there is an online test to see if you're vulnerable). If you don't use the listed software, you're probably completely safe (maybe there is other Microsoft software that does this, though?). If you don't use your Microsoft Live Account as a Windows account, you're safe (someone then just finds out the hash of your local password).

EDIT: Interestingly, Edge on the Xbox One is not vulnerable. It seems like the behaviour on the console is different.

2 comments

I'd be interested to know how easy it is to actually break the hash of the password-code.
https://hashcat.net/hashcat/ should do it, although NTLMv2 isn't explicitly mentioned.

If your password is common (see something like https://github.com/danielmiessler/SecLists/tree/master/Passw...) or <10 ASCII characters, it shouldn't take too long.

When it's NTLM, extremely easy. I know NTLMv1, which is MD4 based, cracks at around 25 billion attempts per second on a high-end GPU. NTLMv2 is MD5 based with a longer key, so it's slower, I'm not sure how much slower, but I'll guess 1 order of magnitude. Still, far too fast for a password hash.

[1] - http://thepasswordproject.com/oclhashcat_benchmarking

Given that far too many passwords can be found with a dictionary attack, it probably only takes seconds for an attacker with "several modern video cards"[1] of hashing power.

[1] https://www.youtube.com/watch?v=7U-RbOKanYs

Why would you need to? The hash is enough to give you access to any NTLM service.
What NTLM service would you be able to access for example?
Wait, what?

NTLM is a generic authentication layer. You use it to get single sign-on for your web APIs.

Password hash? Do they mean an auth token?
No I think they mean the NTLMv2 hash of the password.