Is PPTP EAP-MSCHAP v2 (128) considered safe and secure for VPN ?
-
Hi,
I know most of you are using IKEv2, or something more future-proof, but what are your thoughts on PPTP EAP-MSCHAP v2 at max encryption, which is 128 bits? Did it ever get hacked?
And it does rely on the Windows user's credentials, thus if I made a standard user called VPN and made a very long, complex password for him, like 128 characters, will that help and increase the security of remote connections?
Thanks.
-
Bringing back memories at my last job from 2008
security bulletin ms chap v2
https://technet.microsoft.com/en-us/library/security/2743314.aspx
https://support.microsoft.com/en-us/help/2744850/implementing-peap-ms-chap-v2-authentication-for-microsoft-pptp-vpns
If you're using PEAP MS CHAP v2 you should be OK.
Though there are no security bulletins, it might be because nobody uses this anymore and therefore nobody is looking to exploit it.
-
PPTP is considered deprecated and not safe by the industry. Not aware of it having been hacked in this form, but it's not been considered viable for business use for over a decade.
-
PPTP is a very weak tunneling protocol, even if you use EAP-MSCHAP v2 as the authentication protocol.
I would not use it.
The best practice is to use IKEv2 as the main connection, with SSTP as a backup.
If you cannot do that due to environment limitations, then L2TP + PSK or IPSEC.
-
@msff-amman-Itofficer said in Is PPTP EAP-MSCHAP v2 (128) considered safe and secure for VPN ?:
And it does rely on the Windows user's credentials, thus if I made a standard user called VPN and made a very long, complex password for him, like 128 characters, will that help and increase the security of remote connections?
PPTP isn't encrypted by the authentication it uses. PPTP is still encrypted with 128-bit, which is not secure, and can then be intercepted and modified before reaching its destination.
IPSEC, IKEv2 and SSTP do not allow that to happen.
-
High quality, secure VPN options are available for free, like IPSEC and OpenVPN. There should be no need for PPTP.
-
PPTP is like an invitation for unwanted guests. You just don't want to use it.
Use something like OpenVPN/SSTP (SSL based, single UDP/TCP port) or IPSec. There's even a non-Microsoft open source server available for SSTP (and many other protocols) at https://github.com/SoftEtherVPN/SoftEtherVPN/.