Re: NT4 password limited to 14 characters ?



Hello,

thank you for your answer.

I have already tried to change the LMCompatibilityLevel to 4 (refuse LM) and 5 (refuse LM and NTLM) but with no success.

There is a GUI limitation on USRMGR that will not show me more than 14 characters.
So I tried to change the password through net users, DameWare NT Utilities or through a 2k client member of the domain but with no success (System error 2245).

It's quite annoying for us because we have a password synchronization process from AD to NT and because of this limitation users can't define a long password in Active Directory either.

Thank you for your help


Hello Pascal,

The answer lies in how Windows hashes and stores the passwords. There
are three mechanisms: LM (MD4), NTLM hash (MD4), and NTLMv2 (MD5).

LM has a maximum length of 14 characters. It breaks the password up
into two 7 character strings, makes both strings uppercase, and then
hashes the strings. Because of the length and because of the case
insensitivity, LM is very easy to break with brute force tools.

NTLM also has a maximum length of 14 characters. It hashes the
password as one 14 character chunk and does not change the characters
to uppercase. It is a little better than LM.

NTLMv2 has a maximum length of 127 Unicode characters or 254 ASCII
characters. Most systems use Unicode to support international
character sets, and thus 127 is the number you will see most often.

Windows NT4 will use either NTLM or NTLMv2. If at all possible in your
environment, set it to only use NTLMv2 (see 147706). Using "Net User"
may still default to 14 characters because the utility may not
recognize the change. Usrmgr should be fine, however.

Hope that helps,

J Wolfgang Goerlich


Microsoft Article 147706, How to disable LM authentication on Windows
NT
http://support.microsoft.com/kb/147706

On Jul 16, 5:24 am, Pascal <pasca...@xxxxxxxxxxxxxxxxxx> wrote:

--
Pascal

