Glossary

Pass-the-Hash

An attack technique that uses a user's password hash (without knowing the plaintext) to authenticate on other services. Pass-the-hash is possible when systems accept the NTLM hash as proof of authentication. It is a major vector for lateral movement in Windows enterprise networks.

How the attack works

Pass-the-hash exploits a characteristic of NTLM authentication in Windows environments: the protocol proves knowledge of the password's hash, not the password itself. An attacker who obtains an account's NTLM hash (from an LSASS memory dump, a SAM database, or a poorly protected share) can authenticate to other machines without ever cracking the password. It is a pillar of lateral movement: compromise one workstation, harvest hashes, pivot to servers.

Why it matters even for a SaaS vendor

Your product may run 100% in the cloud, but your company has workstations, a directory, sometimes a VPN and internal servers. SaaS vendor compromises often start on a developer's or administrator's machine: once inside the internal network, techniques like pass-the-hash reach the secrets that unlock production — cloud keys, code repositories, CI/CD pipelines. Product security and corporate environment security are inseparable, and your clients know it: security questionnaires cover both.

Defending against it

Effective measures: disable NTLM where possible in favor of Kerberos, enable Credential Guard on Windows endpoints, ban local administrator password reuse (LAPS), segment the network, and enforce least privilege on high-value accounts. On the detection side: monitor anomalous NTLM authentications and LSASS access.

Frequently asked questions

Does pass-the-hash still work in 2026?

Yes, in many Windows environments where NTLM remains enabled for compatibility. Modern protections (Credential Guard, NTLM restrictions, LAPS) make it harder, but internal audits show legacy configurations remain widespread, especially in SMEs.

What is the difference with pass-the-ticket?

Pass-the-hash reuses an NTLM hash; pass-the-ticket reuses a stolen Kerberos ticket (TGT or service ticket). Both aim for the same goal — authenticating without knowing the password — but exploit different protocols.

How does this concern my SaaS security?

Because the attack chain toward a SaaS often goes through the vendor's internal environment: compromised developer workstation, lateral movement, theft of production access secrets. Protecting internal infrastructure is part of the overall security posture your clients evaluate.

Related Pages

Other Terms

Need an external review of your HR SaaS?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit