Wednesday, June 12, 2019

LM Hash

LM Hash

LM Hashes are weak and archaic, an LM hash does not use a salt, and therefore any identical passwords will have identical hash values. Additionally, the LM hash doesn't process the password as a whole. Instead, it null-pads it to 14 characters (if needed), then splits that value into 7-character chunks and hashes each before sticking them back together. Thus, if the first 7 characters are identical to the last 7, the first 8 bytes of the LM hash will match the last 8.

The LM hash value for 7 null characters is AAD3B435B51404EE. Therefore a password less than 8 characters long will end with AAD3B435B51404EE, and an empty password will always (since LM hashing doesn't use salt) be exactly AAD3B435B51404EEAAD3B435B51404EE.

There is one more caveat, however. LM hashing does not at all support passwords of 15 characters or greater. When this is encountered, the user may receive a prompt asking them to confirm they want to use a password that will be incompatible with older (LM hash dependent) software. Then, the system will store a null LM hash for that user. I personally recommend that people use 15+ characters in their passwords for precisely this reason.

It is recommended that LM Hashes are disabled thus (this course can also be a GPO)

  • Locate and then click the following key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • On the Edit menu, click Add Key, type NoLMHash,, set the value to 1
  • Quit Registry Editor.
  • Restart the computer, and then change your password to make the setting active.

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" data, a password or passphrase. Salts are used to safeguard passwords in storage. Historically a password was stored in plaintext on a system, but over time additional safeguards developed to protect a user's password against being read from the system. A salt is one of those methods.

A new salt is randomly generated for each password. In a typical setting, the salt and the password (or its version after Key stretching) are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication without keeping and therefore risking the plaintext password in the event that the authentication data store is compromised.

Salts defend against dictionary attacks or against their hashed equivalent, a pre-computed rainbow table attack. Since salts do not have to be memorized by humans they can make the size of the rainbow table required for a successful attack prohibitively large without placing a burden on the users. Since salts are different in each case, they also protect commonly used passwords, or those users who use the same password on several sites, by making all salted hash instances for the same password different from each other.


No comments:

Post a Comment