About Windows passwords

 


 

Instead of storing the user account password in clear text, Windows generates and stores one or both of two different password representations, generally known as "hashes." When you set or change the password for a user account to a password that contains fewer than 15 characters, Windows generates both a LAN Manager (LM) hash and a Windows NT (NTLM) hash of the password. These hashes are stored in the local Security Accounts Manager (SAM) database or in Active Directory.

 

The NTLM hash is an MD4 hash of the original password (in UNICODE), 16 bytes long. In theory, the password length is limited to 128 characters.

 

The LM hash is relatively weak compared to the NTLM hash, but it is needed for backward compatibility with Windows 9x clients and is typically used to authorize a remote connection to a given machine. To generate an LM hash, the system converts the password from UNICODE to ANSI (one byte per character) and translates all characters into uppercase. The password is then divided into two chunks (7 characters each, padded with zeros if needed). Each chunk is used as a DES encryption key to encrypt a pre-defined constant, and the two encryption results are merged into a single 16-byte value that is stored in the system. So, if a system uses LM authentication (and LM hashes are therefore available), the real password complexity is only 7 characters, and a 14-character password is not much stronger than a 7-character one.
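
The following added example (not part of the program or its documentation) reproduces the LM preparation steps described above, stopping before the DES step, and compares the resulting search space with that of the full mixed-case password. The function names are hypothetical; latin-1 stands in for the ANSI code page, and a 95-character printable ASCII alphabet is assumed.

```python
import math

LM_MAX_LEN = 14       # passwords of 15+ characters get no LM hash
HALF_LEN = 7          # each half is used as a separate DES key
PRINTABLE = 95        # printable ASCII characters a user can type (assumption)
LM_CHARSET = 95 - 26  # lowercase letters vanish after uppercasing -> 69


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte chunks that LM turns into DES keys."""
    # latin-1 stands in for the ANSI code page (assumption);
    # bytes.upper() only maps ASCII letters.
    raw = password.encode("latin-1").upper()
    if len(raw) > LM_MAX_LEN:
        raise ValueError("no LM hash exists for passwords longer than 14 characters")
    raw = raw.ljust(LM_MAX_LEN, b"\x00")  # pad with zeros
    return raw[:HALF_LEN], raw[HALF_LEN:]


def lm_guesses(password: str) -> int:
    """Worst-case candidates needed to recover the password from its LM hash.

    The halves are encrypted independently, so their costs add, not multiply.
    """
    return sum(LM_CHARSET ** len(h.rstrip(b"\x00")) for h in lm_halves(password))


def naive_guesses(password: str) -> int:
    """Candidates if the whole mixed-case password had to be guessed at once."""
    return PRINTABLE ** len(password)


def report(password: str) -> dict:
    """Summarize how much of the password's strength survives LM hashing."""
    first, second = lm_halves(password)
    return {
        "halves": (first, second),
        "second_half_empty": second == b"\x00" * HALF_LEN,
        "naive_bits": round(math.log2(naive_guesses(password)), 1),
        "lm_bits": round(math.log2(lm_guesses(password)), 1),
    }


if __name__ == "__main__":
    for sample in ("Summer1", "Summer1Winter2"):  # constructed sample passwords
        print(sample, report(sample))
```

Doubling the length from 7 to 14 characters adds only about one bit of work against the LM hash, while the same change adds roughly 46 bits when the password must be guessed as a whole.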