Date: Thu, 15 Nov 2012 08:06:41 -0500
From: Rich Rumble <>
Subject: Re: LM with empty strings = password longer than 15 chars?

On Thu, Nov 15, 2012 at 7:25 AM, Aleksey Cherepanov
<> wrote:
> Windows 7 does not support LM hashes. So passwords of any length would
> have LM hashes empty.
It does still support them, BUT by default they are disabled, it can
be re-enabled but that's not a good idea (security wise).
> (Empty LM hashes are a sign of password length greater than 14 only on
> Windows XP (and only if LM hashes are enabled, I guess most systems
> are so)).
This is kinda the same thing, you CAN turn LM on/off in win2k and XP
(as well as the others), it's a good idea to have LM disabled from a
security point of view, but from a recovery point of view it sometimes
makes it harder. If LM is enabled, and it's the blank hash, THEN you
can assume it's 15 or more characters. We always recommend people
disable LM using GPOs. That does not erase current LM hashes, and AD
remembers (8 by default) previous LM hashes even after this setting is
enabled, but once enabled, passwords from that point do not
remember the LM hash. So once you enable the setting, and change your
password, then only 7 LM hashes remain in the NTDS.dit file for
that user.
> So you need to load NT hashes. I guess the easiest to do that is to
> add '--format=nt' option to your invocation of John.
Yep, even without knowing the specifics of the LM settings, the blank
hash in the LM spot means use NT or NT2 (is one faster than the other?
I've never been clear on that...) They are both the same format, so
I'm not sure why there are 2 implementations of it.
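
An added example, not part of the original post: a small audit over pwdump-style lines that separates accounts whose LM field is the blank hash (LM not stored, or a password of 15 or more characters, so only the NT hash applies) from accounts that still have a real LM hash stored and need a password change after the GPO is set. The sample lines and their hash values are constructed, and treating a non-hex LM field such as `NO PASSWORD*...` as blank is an assumption about the dump tool's output.

```python
import re

# LM hash of an empty password; Windows also reports this when no LM hash is kept.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample in pwdump layout (user:rid:LM:NT:::); hash values are made up.
SAMPLE = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:00112233445566778899aabbccddeeff:fedcba9876543210fedcba9876543210:::
carol:1003:NO PASSWORD*********************:89abcdef0123456789abcdef01234567:::
garbage line
"""


def classify(line):
    """Return (user, 'lm-blank' | 'lm-stored'), or None for an unparsable line."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, _rid, lm, nt = parts[:4]
    lm, nt = lm.lower(), nt.lower()
    if not HEX32.match(nt):
        return None  # no usable NT field, so not a pwdump record
    # Assumption: a non-hex LM field is a tool placeholder meaning "no LM hash".
    if lm == BLANK_LM or not HEX32.match(lm):
        return user, "lm-blank"
    return user, "lm-stored"


def audit(text):
    """Group account names by whether a real LM hash is still stored."""
    report = {"lm-blank": [], "lm-stored": []}
    for line in text.splitlines():
        result = classify(line)
        if result:
            user, status = result
            report[status].append(user)
    return report


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("LM still stored (change password after disabling LM):", report["lm-stored"])
    print("LM blank (only the NT hash applies):", report["lm-blank"])
```
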
