How does ERPM protect against pass the hash attacks?
When a random password is generated by our product, a FIPS 140-2 certified PRNG chooses from among 94 possible characters for each character position. The used APIs and other protocols used will protect the password while in transit. Once a password is generated that meets the constraints of the password policy (length, excluded characters, required characters, etc.), the password is then set on the target system.
Once the password is successfully set on the target system, the password is then encrypted using the FIPS certified AES 256bit algorithm and that encrypted value is written to our product’s data store. This process is then repeated for each and every system/account.
At 15 characters, there are 94^15 or over 395 octillion (395,000,000,000,000,000,000,000,000,000) possible password combinations; we can set passwords up to 127 characters. Because each password is generated for each account on each host at run time, it is statistically improbable that any two accounts would ever have the same password. Because each account on each system would have a completely unique password, perpetrating pass-the hash-attacks becomes a non-issue for managed accounts.
Moreover, should you desire, you may also implement (at the system/network level) IPSec with Authentication Headers (AH) and/or Encapsulating Secure Payload (ESP) to further protect all network traffic and add additional protection against man in the middle type attacks.