
How To Turn Off LM Hash And Only Use NT Hash

You might be wondering how to prevent Windows from storing a LAN Manager (LM) hash of your password in Active Directory and in local SAM databases. The LM hash is the Windows Active Directory default for storing passwords that are 14 characters or less. This method is unsafe and should be turned off.

When a user selects a password, the password must fit a 14-character layout to be hashed with the LM method. If the password is shorter than 14 characters, null characters are used as placeholders to fill the remaining positions. Once 14 characters are in place, the password is converted to all uppercase letters. After conversion, the password is split in half, giving two 7-byte keys. Each key is used to encrypt a fixed string with DES, and the resulting DES output is what is stored on the computer. Converting a password to all uppercase letters and padding with null characters significantly reduces password entropy (read more about entropy here). As a result, LM hashes are much more susceptible to brute-force attacks because of this weak hashing method.

The alternative to the LM hash is the NT hash. Passwords longer than 14 characters must be hashed using the NT hash because they exceed the 14-character layout. However, passwords that are 14 characters or less are stored using both the LM hash and the NT hash. With the NT hash, the password is stored in the SAM database as an MD4 message digest.

With that in mind, it is imperative that your password policy enforces a 15-character minimum for passwords. With a minimum of 15 characters, passwords will never be stored using the LM hashing method. This is the simplest way to turn off the LM hash, and also the most secure. If you do not require passwords of 15 characters or more, it is important to turn off the LM hashing method explicitly so that only the NT hashing method is used.

Implement the NoLMHash Policy by Using Group Policy (from Microsoft’s website).

To disable the storage of LM hashes of a user's password in the local computer's SAM database by using Local Group Policy (Windows XP or Windows Server 2003), or in a Windows Server 2003 Active Directory environment by using Group Policy in Active Directory, follow these steps:

1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

2. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.

3. Click Enabled, and then click OK.
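The Group Policy setting above is backed by a registry value on each affected computer, so the result can be audited from the command line. The following PowerShell script is an added example, not part of the original post or of Microsoft's instructions: it checks the NoLMHash value (the registry setting behind the policy) and the effective minimum password length, and assumes it runs in an elevated session on the computer being checked.

```powershell
# Added example: audit the two controls this post recommends on the local computer.
# Assumes an elevated PowerShell session; secedit needs administrative rights.

# 1. NoLMHash: the policy "Network security: Do not store LAN Manager hash value on
#    next password change" sets this value under the Lsa key. 1 = enabled.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
$noLmHash = ($null -ne $lsa) -and ($lsa.NoLMHash -eq 1)

# 2. Minimum password length from the effective local security policy.
#    secedit exports the policy as an INF file; MinimumPasswordLength is in [System Access].
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # constructed temp path for this check
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$minLen = 0
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^MinimumPasswordLength\s*=\s*(\d+)') {
        $minLen = [int]$Matches[1]
        break
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 3. Report. Either control on its own prevents new LM hashes; the 15-character
#    minimum is the stronger choice because it also works against rainbow tables.
[pscustomobject]@{
    NoLMHashEnabled        = $noLmHash
    MinimumPasswordLength  = $minLen
    LMHashPrevented        = $noLmHash -or ($minLen -ge 15)
    MeetsFifteenCharPolicy = ($minLen -ge 15)
} | Format-List
```

As the policy name says, the setting only stops the LM hash from being written on the next password change; accounts keep their existing LM hash until the user changes the password, so a password reset campaign should follow the rollout.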

On a final note, even if you disable the LM hash and store passwords only with the NT hash method, you have more security problems than you may realize. Attackers use many different cracking methods. One of those is rainbow tables (read more about rainbow tables here). Rainbow tables can crack any Windows password that is 14 characters or less within 28 minutes at 99.9% accuracy. That should alarm you if your company does not have a secure password policy in place.
