
December 16, 2025

Microsoft will finally kill obsolete cipher that has wreaked decades of havoc

The weak RC4 cipher, still accepted for administrative authentication in Active Directory, has been a hacker holy grail for decades.


TL;DR

  • Microsoft is deprecating the RC4 stream cipher because it is obsolete and cryptographically weak.
  • RC4 has been enabled by default in Windows for 26 years, since Active Directory shipped with Windows 2000, as one of the encryption types the Kerberos implementation accepts.
  • The cipher was known to be weak shortly after its leak in 1994, yet it remained in use.
  • RC4 has been abused in major cyberattacks, including the Kerberoasting-based breach at Ascension that disrupted hospital operations and exposed patient data.
  • US Senator Ron Wyden criticized Microsoft for "gross cybersecurity negligence" over its continued RC4 support.
  • By mid-2026, the default encryption types for the Kerberos Key Distribution Center (KDC) on Windows Server will switch to AES-SHA1 (AES128/AES256-CTS-HMAC-SHA1-96), disabling RC4 by default.
  • After the change, RC4 will be used only where an administrator explicitly enables it on an account or on the KDC.
  • Microsoft is providing tooling, such as expanded KDC event logging and PowerShell scripts, to help administrators find accounts and systems that still negotiate RC4.
  • AES-SHA1 is considerably harder to attack: an RC4-HMAC Kerberos key is just the account's unsalted NT hash (MD4 of the password), which an attacker can guess offline at very high speed, whereas the AES keys are derived with salted, iterated PBKDF2, so cracking a captured ticket takes far more time and resources.
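The two audit steps above, finding tickets still issued with RC4 and finding accounts that still permit it, as an added PowerShell example. This is not the article's or Microsoft's own script; it assumes it is run on a domain controller with the RSAT ActiveDirectory module and Kerberos service-ticket auditing enabled, and the function names Get-Rc4KerberosTickets and Get-Rc4CapableAccounts are my own.

```powershell
# Added example (not from the article or from Microsoft's tooling).
# Assumes: domain controller, ActiveDirectory module available, auditing of
# Kerberos authentication/service ticket operations enabled in the Security log.

# Kerberos encryption-type codes as logged in the TicketEncryptionType field of events 4768/4769.
$EtypeNames = @{
    '0x17' = 'RC4-HMAC (legacy)'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
}

function Get-Rc4KerberosTickets {
    # Returns TGT (4768) and service ticket (4769) events whose ticket was encrypted with RC4-HMAC.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TicketEncryptionType'] -eq '0x17') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Account  = $data['TargetUserName']
                Service  = $data['ServiceName']
                ClientIp = $data['IpAddress']
                Etype    = $EtypeNames[$data['TicketEncryptionType']]
            }
        }
    }
}

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
$RC4_HMAC = 0x4
$AES128   = 0x8
$AES256   = 0x10

function Get-Rc4CapableAccounts {
    # Returns users and computers whose msDS-SupportedEncryptionTypes explicitly includes RC4,
    # or is unset/0 (the KDC default then applies, which is RC4 until the 2026 change).
    $props = 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
    $objs  = @(Get-ADUser -Filter * -Properties $props) + @(Get-ADComputer -Filter * -Properties $props)
    foreach ($o in $objs) {
        $set = $o.'msDS-SupportedEncryptionTypes'
        $allowsRc4 = ($null -eq $set) -or ($set -eq 0) -or (($set -band $RC4_HMAC) -ne 0)
        if ($allowsRc4) {
            [pscustomobject]@{
                Name   = $o.SamAccountName
                Etypes = if ($null -eq $set -or $set -eq 0) { '(unset: KDC default applies)' } else { '0x{0:X}' -f $set }
                # An account with an SPN that still accepts RC4 is the classic Kerberoasting target.
                HasSpn = [bool]$o.servicePrincipalName
            }
        }
    }
}

# Usage: which account/service pairs still get RC4 tickets, and which SPN accounts still allow RC4.
Get-Rc4KerberosTickets -Days 7 |
    Group-Object Account, Service | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
Get-Rc4CapableAccounts | Where-Object HasSpn | Format-Table -AutoSize
```

Fix the accounts with SPNs first (set msDS-SupportedEncryptionTypes to 0x18 for AES128+AES256 and rotate the password so an AES key exists), then re-run the ticket query until no 0x17 tickets appear before relying on the new KDC default.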

