In Windows operating system, every user has a password. The password is a security measure used to restrict logon names to user accounts and access to computer systems and resources. A password is a string of characters that must be provided before a logon name or an access is authorized. A password can be made up of letters, numbers, and symbols; passwords can also be blank. Microsoft recommends that you require the use of complex passwords to help ensure that passwords provide the best security possible. These complex passwords are much more resistant to attack than blank or simple passwords.

Instead of storing the user account password in clear-text, Windows generates and stores user account passwords by using two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager hash (LM hash) and a Windows NT hash (NTLM hash) of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

The NTLM hash is actually an MD4 hash of the original password (in UNICODE), 16 bytes long. In theory, the password length is limited to 128 chars.

The LM hash is relatively weak compared to the NTLM hash, but it is needed for backward compatibility with Windows 9x clients, and used, typically, to authorize remote connection to a given machine. To generate the LM hash, the system converts the password from UNICODE to ANSI (one byte per character), and translates all characters into uppercase. After that, the password is divided to two chunks (7 chars each, padded with zeros if needed). Each part is used as a DES encryption key, to encrypt the pre-defined constant, and the results of encryption are stored in the system (merged into a single 16-byte value). So, if your system uses LM authentication (and so LM hashes are available), the real  password length (complexity) is just 7 characters, and the 14-character password is not much stronger than one of 7 characters.

Get more information about Proactive Password Auditor
Get full version of Proactive Password Auditor

(c) 2009 ElcomSoft Co.Ltd.