Sunday, 18 July 2010

How to prevent Windows Server from storing weak LM hashes

How to prevent Windows Server from storing a LAN Manager hash of your password.

Instead of storing your user account password in clear text, Windows generates and stores two different representations of it, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NT hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

The LM hash is relatively weak compared to the NT hash, which makes it prone to fast brute-force attacks. For that reason, you may want to prevent Windows from storing an LM hash of your password. The Microsoft support article describes how to do this so that Windows only stores the stronger NT hash of your password.
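To confirm that no LM hashes remain stored, the following added example (not from the original post or the Microsoft article) scans an authorised password-audit export and lists the accounts that still carry one. It assumes the common pwdump text layout `user:rid:lmhash:nthash:::`, which the post does not mention; the function name and the sample records are constructed for illustration.

```python
"""Audit a pwdump-format hash export for accounts that still store an LM hash."""
import re

# LM hash of an empty password. Export tools commonly write this placeholder
# when the account has no real LM hash stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def accounts_with_lm_hash(export_text):
    """Return (flagged, skipped): account names with a real LM hash, and the
    numbers of lines that could not be parsed as user:rid:lm:nt:::"""
    flagged, skipped = [], []
    for lineno, line in enumerate(export_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            skipped.append(lineno)
            continue
        user, lm = fields[0], fields[2].lower()
        if not HEX32.match(lm):
            # Blank field or text such as "NO PASSWORD***": no LM hash present.
            continue
        if lm != EMPTY_LM:
            flagged.append(user)
    return flagged, skipped


# Constructed sample export; the non-placeholder hash values are made up.
SAMPLE = """\
# user:rid:lmhash:nthash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1104:1122334455667788AABBCCDDEEFF0011:fedcba9876543210fedcba9876543210:::
jsmith:1105:NO PASSWORD*********************:00112233445566778899aabbccddeeff:::
this line is not an account record
"""

if __name__ == "__main__":
    flagged, skipped = accounts_with_lm_hash(SAMPLE)
    for user in flagged:
        print(f"{user}: LM hash still stored; change the password to clear it")
    if skipped:
        print(f"unparsed lines: {skipped}")
```

An account stays on the list until its password is next changed, because turning off LM hash storage does not remove hashes already held in the SAM or Active Directory.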

Categories: How-To, Microsoft, OS
Tags: Microsoft, Server, 2000, 2003, weak, password, authentication, NT hash, SAM
