Network security: Do not store LAN Manager hash value on next password change
Windows does not store your actual password with your account; when you select a new password, Windows computes a hash of the password and stores that with your account in the local SAM or Active Directory depending on the type of account. In fact, by default Windows computes 2 hashes: one is called an NT or Unicode hash and the other is called the LM (LanManager) hash.
The NT hash is an MD4 hash of the plaintext password. It supports all Unicode characters and passwords can be up to 256 characters long.
The LM hash isn’t really a hash but a weird use of encryption. The LM password can’t exceed 14 characters, and if it exceeds 7 characters, LM actually builds 2 independent hashes: one of the first 7 characters and one of the second 7 characters. LM also converts lower case letters to upper case before hashing. These 2 short cuts weren’t a big deal 20 years ago, but they are now. An old hacking group called the L0pht released a tool called L0phtcrack which quickly cracked the LM hash and then used that information to quickly figure out any lower case letters and ultimately crack the NT hash; you were only as strong as the weakest link in the chain.
Excellent sources for more information on NTLM: http://davenport.sourceforge.net/ntlm.html by Eric Glass and http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/ by Jesper Johansson.
Windows uses the LM hash to support logons from pre-NT computers and certain non-Windows programs like Macintosh Outlook 2001. Unless you have pre-NT systems like Windows 95, you can enable this setting to prevent the generation and storage of LM hashes.
I recommend enabling this setting since the LM hash is very weak by today’s standards and is very quickly cracked by password cracking tools. When you enable this setting Windows will not immediately delete the existing LM hash on each account; instead Windows will remove the LM hash from each account the next time the account’s password is changed. To immediately get rid of LM hashes you’d need to force each user to change their password at next logon.
Note that regardless of this setting Windows does not store an LM hash for passwords that are 15 or more characters long because the LM hash algorithm is limited to 14 characters.
To stop Active Directory from storing LM hashes for domain accounts you must enable this setting on each domain controller such as by using the Default Domain Controllers group policy object. Enabling this setting on a workstation or member server only affects the local SAM accounts on that computer.
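The two points above (the setting only takes effect at the next password change, and it must be enabled on every domain controller for domain accounts) are easiest to act on with a small audit script. The following PowerShell is an added example, not code from WinSecWiki or Microsoft. It assumes the Active Directory module is installed, PowerShell remoting is enabled on the target computers, and that the `$PolicyEnabledOn` date is a placeholder you replace with the date the policy was actually applied in your environment. The registry value it reads, `NoLMHash` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, is the value that backs this policy setting (1 = enabled).

```powershell
# Added example (not from the WinSecWiki page): audit "Network security: Do not store
# LAN Manager hash value on next password change" and list domain accounts whose
# password has not changed since the policy took effect.
# Assumptions: ActiveDirectory module available, PowerShell remoting allowed to the
# target computers, and $PolicyEnabledOn is a placeholder for your own change date.

param(
    [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,  # every DC by default
    [datetime]$PolicyEnabledOn = (Get-Date '2024-01-01')                    # placeholder date
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Confirm the setting on each computer. NoLMHash = 1 means LM hashes will no longer
#    be generated; anything else (or a missing value) means they still are.
foreach ($computer in $ComputerName) {
    $value = Invoke-Command -ComputerName $computer -ScriptBlock {
        (Get-ItemProperty -Path $using:lsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    }
    $state = if ($value -eq 1) { 'enabled' } else { 'NOT enabled (LM hashes still stored)' }
    Write-Output ('{0}: NoLMHash {1}' -f $computer, $state)
}

# 2. Enabling the setting leaves existing LM hashes in place until the next password
#    change. List enabled accounts whose password predates the policy (or has never
#    been set); these may still carry an LM hash. Passwords of 15+ characters never
#    had one, but the directory cannot tell you that, so they are listed as well.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet |
    Where-Object { (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $PolicyEnabledOn) }

$stale | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize

# 3. Remediation: forcing a password change at next logon is what actually purges the
#    old LM hash. Left commented out so the script is read-only by default.
# $stale | Set-ADUser -ChangePasswordAtLogon $true
```

Run it from a management host with domain rights; step 1 tells you whether every DC has the policy, and step 2 gives you the list of accounts to push through a password change. On a standalone workstation or member server, pass `-ComputerName` explicitly and skip the Active Directory steps, since the setting there only covers local SAM accounts.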
Bottom line
Enable this setting unless you must support logons from pre-Windows NT systems. Even with those systems you may be able to eliminate the LM hash by installing the Directory Services client, which gives Windows 95, et al, support for the NT hash.