NT's Poor Password Encryption

Windows NT and 2000 Storage of LANMAN Password Hashes Assure That Normal NT and 2000 Passwords Can Be Cracked

• LANMAN Password Hash Storage
• LC5 Password Cracker
• Making the Strongest NT and 2000 Passwords
• User Passwords
• 7 / 14 Character Password Confusion

LANMAN Password Hash Storage

Because Windows NT maintains backward compatibility with Windows 95 and 98 and the LANMAN authentication they support, Windows NT passwords are particularly easy to crack. A LANMAN password is upper cased, padded to 14 characters, divided into two seven character parts, each of which is used as a key to encrypt a constant. The two hashed results are concatenated and stored as the LANMAN hash which is stored along with the NT hash in the SAM part of the registry.

Two seven character pieces are much easier to break than a single 14 character sequence. Just how much easier depends on the character set but is at least 7 and more likely 9 or 10 orders of magnitude. Also, all LANMAN passwords are treated as all upper case so that if a mixed case password is used, all lower case letters are uppercased before the encryption is done. This removes 26 characters that could have been used, also greatly simplifying cracking but how much depends on how many characters are in the password. 8 character LANMAN passwords are about 890 times easier to crack than their NT counterparts should be and 14 character LANMAN passwords are about 450 trillion (15 decimal places) times easier to crack than their NT counterparts should be.

Unfortunately, getting the LANMAN password pretty much gives the NT password also. After the LANMAN password is cracked, 2 to the nth power where n is the length of the password, gives the maximum number of case variations that must be tried to get the NT password. On contemporary hardware, this will probably take less than a second.

NT has a registry setting to disable the use of LANMAN authentication. This merely prevents clients using LANMAN authentication from logging in; it does not clear the LANMAN hashes from the SAM. It doesn't even prevent new LANMAN hashes from being created and stored after the setting has been changed. NT and 2000 password storage is a bad security joke. It is essential that Windows NT and 2000 password hashes be kept out of the wrong hands.

There's another way that Windows NT passwords are weak and this applies to the NT hash as well as the LANMAN. The standard UNIX approach to passwords includes a random salt that can have 4096 values. Thus, each unique UNIX password has 4096 possible hashes (for each specific encryption algorithm). The salt forces every account's password to be cracked separately, even if two or more accounts happen to share the same underlying plain text password. It increases the computation and storage required to save a precomputed list of password hashes by a factor of 4096.

NT does not use any such approach. It does appear to vary how the Administrator password is hashed from machine to machine but for all other users, the same password encrypts to the same hash regardless of username or the machine it's generated for.

It's not clear how significant the changes to Windows 2000 are. If Active Directory is enabled, then the password hashes are stored there instead of the SAM. This will change the mechanics of obtaining the password hashes. What is clear, is that as long as LANMAN hashes are stored with their Windows NT and 2000 conterparts, the essentials of cracking Windows 2000 passwords will remain the same as cracking NT passwords. Simply disabling LANMAN authentication on Windows 2000 will not clear the LANMAN hashes. Windows 2000 has not adopted anything like the salt idea.

In the summer of 2001, Microsoft finally provided a method to actually clear the LANMAN hashes for Windows 2000 and XP but not NT. See http://support.microsoft.com/default.aspx?scid=kb;EN-US;q299656 for details. After the described registry changes are made, passwords must be changed, so that the new password will not be stored with the LANMAN hash. Authentication by Windows 95 and 98 clients will be affected; see the article for details.

One of the most common recommendations regarding passwords does not apply to Windows NT and 2000. This is to include mixed case, digits and symbols or punctuation or at least two of the three. Mixed case makes no significant difference as long as LANMAN hashes exist. For the next several years, mixed case makes passwords harder to type and remember but does not provide any meaningful security advantage in the Windows world.

What will make a difference is to include letters, digits and two symbols or punctuation characters and to be sure that one of them is from the following: ~ `[ ] { } ; ' : " , . / \ < > ? |. There is also the possibility of including "ALT characters" which will be discussed further below. The reason for this selection is that there are three fairly well known tools for cracking NT passwords: L0phtCrack, John the Ripper and Crack 5. John and Crack are complex command line tools that require significant effort to install; they're also free. In 2001 the time limited shareware ($100) GUI version of L0phtCrack had a simple standard Windows install and was just as simple to use. Within a minute or two after downloading, you can have it installed and cracking passwords. It was considered the fastest cracker and generally worth the price.

LC5 Password Cracker

The preceding statement was true of the previous version l0phtcrack 2. After L0phtCrack became commercialized, it was subsequently called LC3, LC4, and then LC5. It passed through multiple vendors and became subject to standard Windows software price inflation. The product is purchased, upgraded to support the current Windows version, mostly window dressing features added and the price raised multiple times. It's currently owned by Symantec or a subsidiary and is no longer sold to new customers due to U.S. export restrictions; support is expected to end at the end of 2006. According to Wikipedia a good freeware replacement called LCP is available from http://www.lcpsoft.com/english/index.htm.

Perhaps the most useful new feature that LC3 introduced is the use of multiple computers on the same password set. Before, this would have required tricky manual set up of configuration files and manual coordination of the results. If a large number of desktop machines that are otherwise not in use can be used frequently, it may actually be practical to insure NT and 2000 passwords are among the strongest the platform allows.

Previously the old command line version was distributed as both source and binary executables from the same site as the commercial version. The l0phtcrack 1.5 source remains available. If an executable version of l0phtcrack 1.5 is still available for download, I could not find one. On http://sectools.org/tools2.html item #27, the second on this page (late 2006), under the heading of L0phtcrack tells where you can get a trial version (and how to extend it indefinitely), though suggests other tools may be superior.

Before, if you really wanted to test the product or only wanted it for "one time use", the trial version had everything you needed. Later versions are licensed and priced in such a way that it can only be justified for larger organizations that plan to use it on an ongoing basis. As I don't believe its productive to conduct ongoing internal password cracking as a useful security measure, I could not recommend LC3 - LC5 unless the licensing is such that the multi computer feature can and will be used on a really frequent basis. (The license displayed in the downloadable version of LC3 includes no references to the multi machine capabilities.) Given the weakness of the LANMAN hash, this might allow an organization to apply more computing power than a potential opponent could reasonably be expected to apply to the problem.

l0phtcrack 2 represented a reasonable tradeoff between ease of use and functionality. Given the license and pricing changes with LC3, if I thought that periodic, internal password cracking was of real value, I'd more likely go to the trouble to install Crack or John the Ripper on NT or 2000 because of their significantly greater dictionary transformation capabilities.

One possible benefit of LC3 - LC5 is that it's expensive enough that few who want it for illicit purposes would pay the price and without paying they won't have the brute force option. The shortened trial period also reduces the usefulness to potential intruders but unless the technical measures to enforce the trial period are really strong, the license terms don't matter. Anyone using it to gain unauthorized access to systems belonging to others, won't care about license terms either.

Potential intruders with illicit off-hour access to a large number of computers will love the multi computer feature. Even without brute force but with large custom dictionaries, the large majority of passwords at most sites should be available within a 15 day trial period. It would require very well planned technical measures to prevent installation on a new computer from starting a new trial period.

L0phtCrack has four character sets to choose from. No feature changes are listed regarding this, so it should be applicable to LC3:

A-Z
A-Z0-9
A-Z0-9 !@# $%^&*-_=+
A-Z0-9 !@# $%^&*-_=+~`[]{};':",./ \< >?|

A space is part of the third and fourth sets. If all your passwords include one character from the punctuation and bracket characters that appear in the fourth group, then the cracking tool most likely to be used against you, will never get any of your passwords if default settings are used and will be forced to use the entire 95 character, printable ASCII character set to crack your passwords. This greatly slows its operation. I suggest 2 symbol or punctuation characters, one from each of the two L0phtCrack groups, so that if the next version allows selecting punctuation and brackets before the top of the keyboard symbols, your passwords don't suddenly become weaker. Each 7 character piece should contain the full range of characters. NT passwords are already so weak, they need all the strength that can be put into them. Note the newer competitor, LCP, from Russia can use the extended non ASCII characters.

On a PIII 500, L0phtCrack can process all possible LANMAN passwords in about 95 days. The fastest desktop computers can probably reduce this to less than 30 days; it's not known if L0phtCrack can benefit from multiple CPUs. Cracking efforts can be spread across multiple computers. Considering that the previous was written in 2001, the fastest desktop systems in 2006, can probably do the entire printable ASCII character set in several days, unless backwards LANMAN compatibility is disabled.

Thus, NT and Windows 2000 passwords need to be regarded as crackable by brute force methods. A potential intruder might obtain your SAM via an untrustworthy or former employee, offsite backup media, a buffer overflow in a service, a poorly configured web server with buggy applications or any of several remote exploits that an improperly configured NT machine may expose. If so, and the intruder is willing to devote significant computing resources to the task, ALL of the passwords will be cracked because of the inherent weakness of the LANMAN hash.

Making the Strongest NT and 2000 Passwords

Microsoft documentation mentions "32 special ALT characters" that are allowed in the passwords. Use of these could create strong passwords even with the defective LANMAN storage. These can be typed by holding the Alt key while typing numbers between 128 and 255 on the numeric keypad with the Num Lock indicator on. I have no idea which 32 are allowed in passwords but the first I tried, ALT-144, was accepted. Passwords with at least one of each of letters, digits, symbols and punctuation and these ALT characters would be strong but also very difficult to type and remember.

Thus, the strongest NT passwords should contain an ALT character, two symbols and punctuation, one or two digits and two or three letters. Without the ALT character there should be two or three symbols and punctuation, two to four letters and one or two digits. Each 7 character part should be treated as a separate password. NT passwords should never have even small dictionary words in them. If they do, the worst place to put such a word is at the begining of a 7 character password piece. Putting any dictionary word at the begining of an NT password almost assures that L0phtCrack can break the password and probably in not very much time. With the ALT character included, NT passwords have approximately the same strength as strong 7 character UNIX passwords, if a cracker includes these in its character set. These are probably not brute force crackable but a resource rich and determined cracker might be able to get them. If the cracking tool does not include the ALT characters in its character set, such NT passwords will not be cracked.

The newer LCP can include characters outside the range of the printable ASCII character set, thus making the ALT characters theoretically crackable. LCP, however, is slower than LC5 and the number of non printable ASCII characters so large, that brute force attacks are unlikely to crack passwords including these characters. Where this feature should be most useful is in non English speaking countries, such as Russia where it appears to have been developed. There they would naturally use local dictionaries using characters not seen on an English or US keyboard.

User Passwords

The use of the ALT characters on administrator accounts would be beneficial. There is no easy way to insure that users choose strong passwords. It can't be done by password checking either in a batch mode or interactively, i.e. doing your own cracking because all you can do is ensure only the weakest passwords are caught. To do more would require more CPU than a single machine could possibly provide and a machine devoting 100% of its CPU cycles to password checking won't get much useful work done. There is no way to compete with a cracker who may be willing to devote multiple fast machines to cracking your passwords and who may be willing to wait days or months for results. A user can't wait minutes let alone months to find out if their passwords are acceptable.

The preceding paragraph may not be true, if LC3 is run off-hours on multiple, otherwise unused, desktop computers.

There are no tools to ensure users enter good passwords as they create them. Passflt.dll which comes with SP 2 and latter can't do it. Passflt requires three of the following four: upper case letters, lower case letters, digits and symbols or punctuation. As we've already seen, the upper lower case test is irrelevant. Thus a password like Academy1 will satisfy passflt but this is really ACADEMY1 for the LANMAN hash. It's the simplest variation on a dictionary word that L0phtCrack will have in a few seconds on most computers. There is no technical means to assure users enter punctuation or symbols as part of their passwords on NT. If you train your users and use passflt.dll, it may remind them of the correct ways to make good NT passwords. I've seen nothing to suggest the situation is fundamentally different on Windows 2000.

7 / 14 Character Password Confusion

One mistaken notion, regularly repeated regarding NT passwords is that they should be exactly 7 or 14 characters and that passwords between these lengths are weaker than seven character passwords. This is not necessarily true. The reasoning for this claim is as follows. Because the LANMAN password is broken into two 7 character pieces, passwords between 7 and 14 characters will necessarily have a short second password piece that is easy to crack. This is true. The one and two character pieces are found almost instantaneously and up to 5 characters fall quite quickly. Any six character password will be found before the 7 character passwords are cracked.

The fallacy comes with the assertion that knowing the last part will aid in finding the first 7 character password. It is possible to pick passwords so bad, such as a single long word or pathetically obvious pattern that this may, in rare instances, be true but its likely such passwords would be found even if there were no LANMAN hash and only the NT hash. Any reasonable attempt to create a password, will have a result where the eighth through thirteenth character give no practical clue to the preceding seven. This will surely be true of any password generator created passwords. You can create lousy long passwords on any system that are weaker than shorter passwords.

The cracking tools have no direct way to use this inferred knowledge from the quickly cracked second part. To use it, the cracker must correctly infer the first 7 characters or make a series of educated guesses and then manually create a custom dictionary containing these and run the cracker using this new dictionary. So yes, if the last three characters were '789', the first seven might be '0123456' or if the last five were 'werty', the first seven might be '123456q'. But then again they might not. A cracker could spend a lot of time guessing at what he or she thought the first seven characters were.

In the Microsoft knowledge base article on disabling LM authentication, password strength is discussed. According to Microsoft a "strong enough" password should "be at least 11 characters in length, with at least 4 of those characters uppercase, numbers or punctuation." I don't get this because unless you ignore the LANMAN issues, letter case is for all intents and purposes irrelevant but then this wouldn't be the first time Microsoft dismissed a security concern expressed by others. They do not suggest anything like 7 and 14 characters being the best NT password lengths.

It seems obvious to me that 14 characters is strongest but only twice as strong as 7 instead of billions of times stronger. Using all 14 characters, decreases the chance that both will come near the beginning of a brute force generated sequence. The biggest danger of passwords between 7 and 14 characters is that all the digits and punctuation end up in the short password and thus will be found quickly. The 10 character [8=wujvriz is a good NT password as is the 7 character wujv[8= but the 10 character wUJvriZ[8= is a lousy password as is the 7 character WujVRIz. The two good passwords have the character variation where it's needed; the "riz" at the end of the first is simply irrelevant. wUJvirZ[8= is poor because the "[8=" will be broken as a three character password and the case variation in the first 7 characters of both poor passwords, is of no practical use.

If a password has the right type of character diversity, 7 and 14 character passwords may have a better chance that the character diversity is distributed in a useful manner. Telling people to use 7 and 14 character NT passwords is of no practical use unless the characters that matter and don't matter are also explained.

Because of the peculiarities of the LANMAN hash storage, the normal advice on password character diversity simply does not apply to Windows NT and 2000 passwords. If you have clear understanding of what happens with the LANMAN hash, you can make strong NT passwords of any length between 7 and 14 characters but those in positions 8 to 13 are just wasted typing and mental energy. If you don't understand the LANMAN hash, 7 and 14 character passwords are still likely to be weak.

Where 14 character passwords could be most valuable would be if multiple machines were being used to process the same password file. Each would be given a different starting point. One machine might get one half and another machine the other. It would take a manual or other method to correlate the results from different machines to put the halves together. (The preceding is not applicable if LC3 is used in a multi machine configuration.) To benefit from the 14 characters, both 7 character parts should contain a digit, symbol and punctuation.

It's clear with regards to the storage of passwords, NT is much weaker than UNIX. The LANMAN password hash storage problem can and should be rendered moot by tight security in other areas which an administrator can control, by making access to the SAM very difficult. Not allowing NT logins to cross any firewall that separates the local network from the Internet would greatly reduce the chance of any passwords that might be obtained from a misplaced recovery floppy or remote exploit, from being successfully used.

Top of Page - Site Map

Copyright © 2000 - 2006 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth on http://GeodSoft.com/terms.htm. These terms are subject to change. Distribution is subject to the then current terms, or at the choice of the distributor, those defined in a verifiably dated printout or electronic copy of http://GeodSoft.com/terms.htm at the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior permission is obtained from George Shaffer. Distribution in accordance with these terms, for private, unrestricted and uncompensated public access, non profit, or internal company use is allowed.