Why should I use passwords that are greater than 14 characters?

It seems as though every website and application we use nowadays has a different password policy from one program to the next. Have you ever wondered why some applications require your password to be 8 characters, while other applications require a minimum of 15? From the naked eye, it makes no sense! What makes an 8 character password secure for some companies, while other companies mandate a much longer password?


The short answer for why Windows passwords of certain character lengths are safer than others is due to how they are hashed. Hashed refers to the way a password is stored.

The first way passwords are hashed is through the LAN Manager hash (LM hash). The LM hash stores passwords that are 14 characters or less. Once a password is selected by a user, the password must meet a 14 character criteria to be hashed. If the password does not equal 14 characters, null characters are used as place holders. In the example below, ‘X’ is the null character.

3-7-2016 5-53-28 PM

Once there are 14 characters in place, the password is converted to all uppercase letters. Once converted, the password is broken into half to be hashed. There will be a total of 2, 7 byte keys. Each key is used to encrypt a fixed string.

3-7-2016 5-44-03 PM

Then, using DES encryption, the passwords is stored on the computer. Converting a password to all uppercase letters and allowing null characters significantly reduces password entropy. (Read more about password entropy here). In turn, LM hash passwords are much more susceptible to brute force attacks due to the weak hashing method.

Passwords that are greater than 14 characters must be hashed using the NT hash. Using the NT hash, the password is stored using the Message Digest Algorithm (MD4 Algorithm) on the SAM database.

Using a tool from Practical Cryptology, we can see exactly how the MD4 algorithm works. In the example above with the LM hash, Password is stored as ‘PASSWOR’ and ‘DXXXXXX.’ Now, with the more advanced MD4 algorithm, the same exact password is stored as ‘f15abd57801840f3348ddccafb677f6a.’

3-7-2016 6-50-45 PM

As seen from the examples above, passwords greater than 14 characters can only be stored using the NT hashing method because they exceed the 14 character space layout.¬†However, passwords that are 14 characters or less are stored using both the LM hash and NT hash. The presence of the LM hash makes it much easier for hackers to crack. I am sure we can all agree that the NT hash is much more secure than the LM hash. Use this as a reminder to start using passwords that are greater than 14 characters; this way, you’ll be less likely to have your password breached in an attack.

Twitter Digg Delicious Stumbleupon Technorati Facebook Email

Comments are closed.