Sunbelt TECH BRIEFING

· 7 CHARACTER WINDOWS NT PASSWORDS MORE SECURE THAN 10?

· contributed by Bill Wall, STAT Operations Center

NT stores two types of passwords, a LAN Manager (LM) password (less secure) and a Windows NT password (more secure). A Windows NT server (domain controller) gives out an 8-byte challenge and the client (server or workstation) replies with a 24-byte challenge response. These hashes are transmitted in the clear. If the domain controller authenticates the challenge response, it replies with an NT session key and a LAN Manager (LM) session key. These session keys are encrypted between the client and the Domain Controller.

The LAN Manager password is compatible with passwords used by the LAN manager. It is based on the OEM character set, is not case sensitive, and can be up to 14 chars long. The NT password is based on the Unicode character set, is case sensitive, and can be up to 128 chars long.

Each password is stored in two forms in the SAM database, and each form is encrypted twice. The first encryption is a one-way function (OWF) of the clear-text password; that result is then encrypted with DES to obscure it further. The Windows NT Security Account Manager (SAM) database keeps the hashed password for each user account in both forms: an "NT hash", used to authenticate users on Windows NT clients, and an "LM hash", used to authenticate users on Windows 95, Windows 98, DOS, Windows 3.1, Windows for Workgroups, OS/2, and Macintosh.

The Windows NT hash specification allows passwords of up to 128 chars. However, User Manager only lets you type in 14 chars, and if you set more than 14 chars in the "Minimum Password Length" section of the Account Policy, you may not be able to log in again. Both the LM hash and the NT hash are 16 bytes. Because of how the LM hash is built, recovering a password of up to 14 chars only requires working through 7 chars at a time. No salt is used.

The first 8 bytes of the LM hash are derived from the first 7 chars of the password, and the second 8 bytes from the 8th through 14th chars. If the password is 7 chars or shorter, the second half is always the same constant.

This means that a 7-char password may be more secure than one with 8, 9, or 10 chars. A 10-char password is split into one hash of 7 chars and another of only 3 chars. The 3-char hash can easily be cracked with password crackers such as l0phtcrack or Password Appraiser. For example, if the second half of the password (the last 3 chars of a 10-character password) is cracked and ends in 789, then it is a safe assumption that the previous password chars may be 123456.

For an 8-character password, password cracker programs will always find that 8th character when the LM password is used. To build the challenge response, the hash is split into 7-byte strings, each of which is converted to an 8-byte odd-parity DES key. DESkey1 is used to encrypt the 16-bit challenge key, DESkey2 is then used to encrypt the challenge key, and DESkey3 is used to encrypt the challenge key. In the SAM, the hash is additionally encrypted with DES using the computer's Relative ID (RID) as the crypt key; this is the so-called "obfuscation" step.

The three 8-byte values are then concatenated, and the 24-byte response is returned to the server. The server performs the same computation on the hash it holds and compares the result to the 24-byte response. If they match, the client had the correct hash. For the LM hash, the challenge response can be brute-forced.

The number of possible combinations in the LM password is relatively low compared to the Windows NT password. It is also easy to tell whether the password is shorter than 8 chars. The user name and the corresponding one-way hashes are stored in the password database, which is part of the SAM. The SAM database can also be duplicated in the /repair directory.

The LM password can be disabled through the registry by setting the LM compatibility level, so that only the more secure Windows NT password is used. However, Windows NT will then not be able to communicate with Windows 95/98 or with any machines other than Windows NT. If you are in an all-Windows NT environment, setting the LM compatibility level is the right thing to do.

The Password Restrictions section of the Account Policy (Start | Programs | Administrative Tools | User Manager | Policies | Account) is where you set password policies. The Minimum Password Length section is set to "Permit Blank Password" when Windows NT is first installed. This should never be used in a secure environment.

This option should be set to at least 7 chars. The most secure setting would be 14 chars, but a password of that length may be hard to remember, and users would start writing their passwords down and leaving them visible near their computer.

Another good account policy is to enable account lockout. Without lockout on failed login attempts, the Windows NT host is vulnerable to password guessing. Set the policy to lock out after 3 bad logon attempts, reset the count after 30 minutes, and set the lockout duration to "Forever (until admin unlocks)."

Another thing to watch out for is automatic logon. Automatic logon could undermine security since any attacker could access your computer with the default password stored in the registry. Automatic logon should be disabled and passwords should not be stored in plain text anywhere on your computer.

STAT-NT by Harris performs many password vulnerability checks. It includes a fast password checker, which looks for common dictionary words and user names used as passwords. It checks your account policy and examines the password restrictions. It checks all relevant registry settings dealing with better password security and Auto-Fixes these vulnerabilities when selected by a user with administrative privileges. More info: http://www.sunbelt-software.com/stat.htm