NT's Poor Password Encryption

Windows NT and 2000 Storage of LANMAN Password Hashes Assure That Normal NT and 2000 Passwords Can Be Cracked

Major changes are coming to this page in February or March, 2014. The story of how Microsoft has refused to update a seriously flawed password storage for more than 20 years. This is not about the problems of the Lan Man hash which have been well known for many years and are discussed below. This is about the problems of NT password storage, which has not been updated since Windows NT was released in mid 1993, and is still used on all current Windows systems except domain controllers and those using Active Directory and Kerberos.

• Current Windows Password Issues
• The items below are not relevant to Vista or newer Windows systems.
• LANMAN Password Hash Storage
• LC5 Password Cracker
• Making the Strongest NT and 2000 Passwords
• User Passwords
• 7 / 14 Character Password Confusion

Current Windows Password Issues

By discontinuing LM or LANMAN hash storage as a defualt method in Vista, Microsoft got rid of its biggest password weakness. Users of Vista and later Windows products should be aware that LM hash storage can still be enabled with a registry change. On the other hand, Microsoft has refused to acknowledge or deal with Windows other major password weakness. This has to do with how the hashes are created. A hash is the one way mathmatical transformation of a plain text password into a giberish string which is how the password is stored on the system. Each time you log in, the same process is repeated, and if the resulting hash matches the stored hash, you have enterd the right password and the system let's you on.

The problem Microsoft has not dealt with is that all Windows systems turn the same password into the same hash. It is possible that different Windows versions create different hashes from each unique plain text password; it is my understanding this is not the case. I believe that all Windows 2000 and later systems, with LM hashes disabled, create the same hash from each unique plain text password. There are publicly available databases of cracked passwords. Most passwords don't even need to be cracked, they can simply be looked up. Given the statistics on how many people use bad passwords I'd guess something between 70 and 95% of all Windows passwords in use are already known. It's estimatted that 20% of users use one of the 25 most common passwords. According to Mark Burnett 40% of users use one of the top 100 passwords and 79% use one of the the top 500 passwords. This means for the large majority of Windows systems, any hacker who can gain access to your system probably already knows your password, assuming you even use one.

Maybe that last sentence sounded a little strange. How do hackers get on your system without knowing your password. That's way to big and complicated a topic to even try to deal with here, but the short answer is bugs or security flaws. Compromized passwords remain one of the most common ways to illicitly access systems. The number is in the mid 20% range. That means the large majority of breakins are via means other than compromized passwords. Once a cracker gets on a system he will almost surely attempt to take the password file. That gives him the names of all the accounts on the system. Depending on the system and the hackers background he is likely to look up or attepmt to crack all the passwords in the stolen password file. This significantly increases his chances of long term access to the hacked system if the way he got on in the first place is closed, perhaps by the application of a security patch or system update.

Unix is very different. There are many varieties of Unix, and here I'm including Linux, FreeBSD, OpenBSD and the other open source Unix like systems as Unix variants. These systems use a variety of different hashing algorithms but there is one thing they all have in common. They all use salts. This means that each plain text password, has at least 2048 different hashes. Modern systems tend to have several times this number. If I had a bad password, and the person working near me just happened to have the same bad password, there is almost no chance the hashes would look in any way similar on any Unix system, and they would look even more different on different Unix systems.

Further, many Unix systems give their adminitrators the choice of more than one hashing algorithm. At least one, OpenBSD not only gives the admistrators a choice of algorithms, but lets them set a different loop count for everyone than the default, and different loop counts for different classes of users. By increasing the loop count, administrators may have entirely different, and much stronger hashes than other users. Nearly all hashing algorithms are run several times. Every variation in the number of loops results in a completely different set of hashes. Each additional loop also makes the passwords stronger because a cracker must configure his cracking tool to use the correct number of loops on each password. Using the wrong number of loops or wrong hashing algorithm ensures none of the attacked passwords will be cracked.

Also the newer stronger hashing algorithms don't or should not have faster counterparts that can be used for cracking. If an administrator is willing to add enough loops that his login is delayed by a half second or even a second, that ensures his password will be MUCH harder to crack. My last cracking table suggest 25 million cracks per second on a fast desktop. With most modern hashing algorithms, a cracker has to use the same process as is used when a password hash is saved, or when a login password is hashed for comparison. If it takes a second to log in, nearly all of this is the hashing process. That means the cracker will also have to spend nearly a second for each attempted password. By increasing the hashing loop count for root (the name of Unix admins) the cracks per second can be reduced to 1, so the root password on such a Unix system is roughly 25 million times stronger than most passwords in use today (Windows passwords).

I'm on a very common Linux system that uses Blowfish as the default hashing algorithm. Blowfish is widely regarded as the best of the password hashing algorithms. I tried a couple well known password hash database sites. Neither of them lists Blowfish. Neither of them recognized my password hash as a hash let alone had a password to go with it. It's not a great password but it's not vulnerable to any dictionary or any of the standard attacks. It should take about 4 centuries to crack it with brute force, but if a supercomputer or network of computers was available to crack it would go a lot faster.

Returning to Windows, anyone who can point me to any authorotative statements by Microsoft on what they have done in the past decade or so to strengthen there password security, would be much appreciated. If there is nothing from Microsoft, anyone who has the appropriate background and has studied the changes Microsoft has made would be quite helpful. I'd like to update these pages, but only if my basic concerns have been addressed. I'm no fan of Microsoft, but I don't like criticizing obsolete systems when I have doubts that the problems still exisist.

If all backwards compatibility is history, at least you can make strong passwords on Windows now, which really was not possible in the past with default system settings. But if you really want secure passwords you are going to have to do things differently. The truth is that you need 15 character or longer passwords that neither you nor anyone else has ever seen before. You could use my password generator (it was the most flexible and configurable generator on the Internet, that I knew of). In the future I hope to add new options appropriate for long passwords. Mark Burnett has created a very flexible, and more user friendly password generator called Pawfert.

You could also spend a lot of time reading my often technical section on Good and Bad Passwords of which this page is a part. For most of you though, unless you really want to understand the technical details of what make strong and weak passwords, I'm going to suggest you read this page by Mark Burnett. This page discusses many of the important password issues in a much more user friendly way than I do. I'd skip the last section, "How I Collect Passwords" and any other section that does not seem useful. After you read most of the page, you should have a good feel why longer passwords are so important, and some ideas about how you might make ones you can remember and type. He has me wondering if there may not be better ways to make paswords than I've been using. The way he writes is very readable and often entertaining.

LANMAN Password Hash Storage

If you have Windows Vista or any newer Windows the rest of this page has no relevance to you unless someone has deliberately enabled LANMAN hashing via the registry on your system. If you have Windows 2000 SP2 or a newer Windows prior to Vista you can fix the problems described below by following one of the procedures descirbed on this Microsoft Support page to disable LM hashes. If you still have a system older than Windows 2000 SP2, then you are stuck with the problem described below.

Because Windows NT maintains backward compatibility with Windows 95 and 98 and the LANMAN authentication they support, Windows NT passwords are particularly easy to crack. A LANMAN password is upper cased, padded to 14 characters, divided into two seven character parts, each of which is used as a key to encrypt a constant. The two hashed results are concatenated and stored as the LANMAN hash which is stored along with the NT hash in the SAM part of the registry.

Two seven character pieces are much easier to break than a single 14 character sequence. Just how much easier depends on the character set but is at least 7 and more likely 9 or 10 orders of magnitude. Also, all LANMAN passwords are treated as all upper case so that if a mixed case password is used, all lower case letters are uppercased before the encryption is done. This removes 26 characters that could have been used, also greatly simplifying cracking but how much depends on how many characters are in the password. 8 character LANMAN passwords are about 890 times easier to crack than their NT counterparts should be and 14 character LANMAN passwords are about 450 trillion (15 decimal places) times easier to crack than their NT counterparts should be.

Unfortunately, getting the LANMAN password pretty much gives the NT password also. After the LANMAN password is cracked, 2 to the nth power where n is the length of the password, gives the maximum number of case variations that must be tried to get the NT password. On contemporary hardware, this will probably take less than a second.

NT has a registry setting to disable the use of LANMAN authentication. This merely prevents clients using LANMAN authentication from logging in; it does not clear the LANMAN hashes from the SAM. It doesn't even prevent new LANMAN hashes from being created and stored after the setting has been changed. NT and 2000 password storage is a bad security joke. It is essential that Windows NT and 2000 password hashes be kept out of the wrong hands.

It's not clear how significant the changes to Windows 2000 are. If Active Directory is enabled, then the password hashes are stored there instead of the SAM. This will change the mechanics of obtaining the password hashes. What is clear, is that as long as LANMAN hashes are stored with their Windows NT and 2000 conterparts, the essentials of cracking Windows 2000 passwords will remain the same as cracking NT passwords. Simply disabling LANMAN authentication on Windows 2000 will not clear the LANMAN hashes. Windows 2000 has not adopted anything like the salt idea.

In the summer of 2001, Microsoft finally provided a method to actually clear the LANMAN hashes for Windows 2000 and XP but not NT. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q299656 for details. After the described registry changes are made, passwords must be changed, so that the new password will not be stored with the LANMAN hash. Authentication by Windows 95 and 98 clients will be affected; see the article for details.

One of the most common recommendations regarding passwords does not apply to Windows NT and 2000. This is to include mixed case, digits and symbols or punctuation or at least two of the three. Mixed case makes no significant difference as long as LANMAN hashes exist. For the next several years, mixed case makes passwords harder to type and remember but does not provide any meaningful security advantage in the Windows world.

What will make a difference is to include letters, digits and two symbols or punctuation characters and to be sure that one of them is from the following: ~ `[ ] { } ; ' : " , . / \ < > ? |. There is also the possibility of including "ALT characters" which will be discussed further below. The reason for this selection is that there are three fairly well known tools for cracking NT passwords: L0phtCrack, John the Ripper and Crack 5. John and Crack are complex command line tools that require significant effort to install; they're also free. In 2001 the time limited shareware ($100) GUI version of L0phtCrack had a simple standard Windows install and was just as simple to use. Within a minute or two after downloading, you can have it installed and cracking passwords. It was considered the fastest cracker and generally worth the price.

LC5 Password Cracker

The preceding statement was true of the previous version l0phtcrack 2. After L0phtCrack became commercialized, it was subsequently called LC3, LC4, and then LC5. It passed through multiple vendors and became subject to standard Windows software price inflation. The product is purchased, upgraded to support the current Windows version, mostly window dressing features added and the price raised multiple times. It's currently owned by Symantec or a subsidiary and is no longer sold to new customers due to U.S. export restrictions; support is expected to end at the end of 2006. According to Wikipedia a good freeware replacement called LCP is available from http://www.lcpsoft.com/english/index.html.

Perhaps the most useful new feature that LC3 introduced is the use of multiple computers on the same password set. Before, this would have required tricky manual set up of configuration files and manual coordination of the results. If a large number of desktop machines that are otherwise not in use can be used frequently, it may actually be practical to insure NT and 2000 passwords are among the strongest the platform allows.

Previously the old command line version was distributed as both source and binary executables from the same site as the commercial version. The l0phtcrack 1.5 source remains available. If an executable version of l0phtcrack 1.5 is still available for download, I could not find one. On http://sectools.org/tools2.html item #27, the second on this page (late 2006), under the heading of L0phtcrack tells where you can get a trial version (and how to extend it indefinitely), though suggests other tools may be superior.

Before, if you really wanted to test the product or only wanted it for "one time use", the trial version had everything you needed. Later versions are licensed and priced in such a way that it can only be justified for larger organizations that plan to use it on an ongoing basis. As I don't believe its productive to conduct ongoing internal password cracking as a useful security measure, I could not recommend LC3 - LC5 unless the licensing is such that the multi computer feature can and will be used on a really frequent basis. (The license displayed in the downloadable version of LC3 includes no references to the multi machine capabilities.) Given the weakness of the LANMAN hash, this might allow an organization to apply more computing power than a potential opponent could reasonably be expected to apply to the problem.

l0phtcrack 2 represented a reasonable tradeoff between ease of use and functionality. Given the license and pricing changes with LC3, if I thought that periodic, internal password cracking was of real value, I'd more likely go to the trouble to install Crack or John the Ripper on NT or 2000 because of their significantly greater dictionary transformation capabilities.

One possible benefit of LC3 - LC5 is that it's expensive enough that few who want it for illicit purposes would pay the price and without paying they won't have the brute force option. The shortened trial period also reduces the usefulness to potential intruders but unless the technical measures to enforce the trial period are really strong, the license terms don't matter. Anyone using it to gain unauthorized access to systems belonging to others, won't care about license terms either.

Potential intruders with illicit off-hour access to a large number of computers will love the multi computer feature. Even without brute force but with large custom dictionaries, the large majority of passwords at most sites should be available within a 15 day trial period. It would require very well planned technical measures to prevent installation on a new computer from starting a new trial period.

L0phtCrack has four character sets to choose from. No feature changes are listed regarding this, so it should be applicable to LC3:

A-Z
A-Z0-9
A-Z0-9 !@# $%^&*-_=+
A-Z0-9 !@# $%^&*-_=+~`[]{};':",./ \< >?|

A space is part of the third and fourth sets. If all your passwords include one character from the punctuation and bracket characters that appear in the fourth group, then the cracking tool most likely to be used against you, will never get any of your passwords if default settings are used and will be forced to use the entire 95 character, printable ASCII character set to crack your passwords. This greatly slows its operation. I suggest 2 symbol or punctuation characters, one from each of the two L0phtCrack groups, so that if the next version allows selecting punctuation and brackets before the top of the keyboard symbols, your passwords don't suddenly become weaker. Each 7 character piece should contain the full range of characters. NT passwords are already so weak, they need all the strength that can be put into them. Note the newer competitor, LCP, from Russia can use the extended non ASCII characters.

On a PIII 500, L0phtCrack can process all possible LANMAN passwords in about 95 days. The fastest desktop computers can probably reduce this to less than 30 days; it's not known if L0phtCrack can benefit from multiple CPUs. Cracking efforts can be spread across multiple computers. Considering that the previous was written in 2001, the fastest desktop systems in 2006, can probably do the entire printable ASCII character set in several days, unless backwards LANMAN compatibility is disabled.

Thus, NT and Windows 2000 passwords need to be regarded as crackable by brute force methods. A potential intruder might obtain your SAM via an untrustworthy or former employee, offsite backup media, a buffer overflow in a service, a poorly configured web server with buggy applications or any of several remote exploits that an improperly configured NT machine may expose. If so, and the intruder is willing to devote significant computing resources to the task, ALL of the passwords will be cracked because of the inherent weakness of the LANMAN hash.

Making the Strongest NT and 2000 Passwords

Microsoft documentation mentions "32 special ALT characters" that are allowed in the passwords. Use of these could create strong passwords even with the defective LANMAN storage. These can be typed by holding the Alt key while typing numbers between 128 and 255 on the numeric keypad with the Num Lock indicator on. I have no idea which 32 are allowed in passwords but the first I tried, ALT-144, was accepted. Passwords with at least one of each of letters, digits, symbols and punctuation and these ALT characters would be strong but also very difficult to type and remember.

Thus, the strongest NT passwords should contain an ALT character, two symbols and punctuation, one or two digits and two or three letters. Without the ALT character there should be two or three symbols and punctuation, two to four letters and one or two digits. Each 7 character part should be treated as a separate password. NT passwords should never have even small dictionary words in them. If they do, the worst place to put such a word is at the begining of a 7 character password piece. Putting any dictionary word at the begining of an NT password almost assures that L0phtCrack can break the password and probably in not very much time. With the ALT character included, NT passwords have approximately the same strength as strong 7 character UNIX passwords, if a cracker includes these in its character set. These are probably not brute force crackable but a resource rich and determined cracker might be able to get them. If the cracking tool does not include the ALT characters in its character set, such NT passwords will not be cracked.

The newer LCP can include characters outside the range of the printable ASCII character set, thus making the ALT characters theoretically crackable. LCP, however, is slower than LC5 and the number of non printable ASCII characters so large, that brute force attacks are unlikely to crack passwords including these characters. Where this feature should be most useful is in non English speaking countries, such as Russia where it appears to have been developed. There they would naturally use local dictionaries using characters not seen on an English or US keyboard.

User Passwords

The use of the ALT characters on administrator accounts would be beneficial. There is no easy way to insure that users choose strong passwords. It can't be done by password checking either in a batch mode or interactively, i.e. doing your own cracking because all you can do is ensure only the weakest passwords are caught. To do more would require more CPU than a single machine could possibly provide and a machine devoting 100% of its CPU cycles to password checking won't get much useful work done. There is no way to compete with a cracker who may be willing to devote multiple fast machines to cracking your passwords and who may be willing to wait days or months for results. A user can't wait minutes let alone months to find out if their passwords are acceptable.

The preceding paragraph may not be true, if LC3 is run off-hours on multiple, otherwise unused, desktop computers.

There are no tools to ensure users enter good passwords as they create them. Passflt.dll which comes with SP 2 and latter can't do it. Passflt requires three of the following four: upper case letters, lower case letters, digits and symbols or punctuation. As we've already seen, the upper lower case test is irrelevant. Thus a password like Academy1 will satisfy passflt but this is really ACADEMY1 for the LANMAN hash. It's the simplest variation on a dictionary word that L0phtCrack will have in a few seconds on most computers. There is no technical means to assure users enter punctuation or symbols as part of their passwords on NT. If you train your users and use passflt.dll, it may remind them of the correct ways to make good NT passwords. I've seen nothing to suggest the situation is fundamentally different on Windows 2000.

7 / 14 Character Password Confusion

One mistaken notion, regularly repeated regarding NT passwords is that they should be exactly 7 or 14 characters and that passwords between these lengths are weaker than seven character passwords. This is not necessarily true. The reasoning for this claim is as follows. Because the LANMAN password is broken into two 7 character pieces, passwords between 7 and 14 characters will necessarily have a short second password piece that is easy to crack. This is true. The one and two character pieces are found almost instantaneously and up to 5 characters fall quite quickly. Any six character password will be found before the 7 character passwords are cracked.

The fallacy comes with the assertion that knowing the last part will aid in finding the first 7 character password. It is possible to pick passwords so bad, such as a single long word or pathetically obvious pattern that this may, in rare instances, be true but its likely such passwords would be found even if there were no LANMAN hash and only the NT hash. Any reasonable attempt to create a good password, will have a result where the eighth through thirteenth character give no practical clue to the preceding seven. This will surely be true of any password generator created passwords.

The cracking tools have no direct way to use this inferred knowledge from the quickly cracked second part. To use it, the cracker must correctly infer the first 7 characters or make a series of educated guesses and then manually create a custom dictionary containing these and run the cracker using this new dictionary. So yes, if the last three characters were '789', the first seven might be '0123456' or if the last five were 'werty', the first seven might be '123456q'. But then again they might not. A cracker could spend a lot of time guessing at what he or she thought the first seven characters were.

In the Microsoft knowledge base article on disabling LM authentication, password strength is discussed. According to Microsoft a "strong enough" password should "be at least 11 characters in length, with at least 4 of those characters uppercase, numbers or punctuation." I don't get this because unless you ignore the LANMAN issues, letter case is for all intents and purposes irrelevant but then this wouldn't be the first time Microsoft dismissed a security concern expressed by others. They do not suggest anything like 7 and 14 characters being the best NT password lengths.

It seems obvious to me that 14 characters is strongest but only twice as strong as 7 instead of billions of times stronger. Using all 14 characters, decreases the chance that both will come near the beginning of a brute force generated sequence. The biggest danger of passwords between 7 and 14 characters is that all the digits and punctuation end up in the short password and thus will be found quickly. The 10 character [8=wujvriz is a good NT password as is the 7 character wujv[8= but the 10 character wUJvriZ[8= is a lousy password as is the 7 character WujVRIz. The two good passwords have the character variation where it's needed; the "riz" at the end of the first is simply irrelevant. wUJvirZ[8= is poor because the "[8=" will be broken as a three character password and the case variation in the first 7 characters of both poor passwords, is of no practical use.

If a password has the right type of character diversity, 7 and 14 character passwords may have a better chance that the character diversity is distributed in a useful manner. Telling people to use 7 and 14 character NT passwords is of no practical use unless the characters that matter and don't matter are also explained.

Because of the peculiarities of the LANMAN hash storage, the normal advice on password character diversity simply does not apply to Windows NT and 2000 passwords. If you have clear understanding of what happens with the LANMAN hash, you can make strong NT passwords of any length between 7 and 14 characters but those in positions 8 to 13 are just wasted typing and mental energy. If you don't understand the LANMAN hash, 7 and 14 character passwords are still likely to be weak.

Where 14 character passwords could be most valuable would be if multiple machines were being used to process the same password file. Each would be given a different starting point. One machine might get one half and another machine the other. It would take a manual or other method to correlate the results from different machines to put the halves together. (The preceding is not applicable if LC3 is used in a multi machine configuration.) To benefit from the 14 characters, both 7 character parts should contain a digit, symbol and punctuation.

It's clear with regards to the storage of passwords, NT is much weaker than UNIX. The LANMAN password hash storage problem can and should be rendered moot by tight security in other areas which an administrator can control, by making access to the SAM very difficult. Not allowing NT logins to cross any firewall that separates the local network from the Internet would greatly reduce the chance of any passwords that might be obtained from a misplaced recovery floppy or remote exploit, from being successfully used.

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.