Why NT Passwords Are Weak

Windows NT hashes passwords before storing them in the SAM database. Hashing processes a variable length sequence of bytes (e.g., a password) and yields another fixed-length sequence of bytes, the hash. Each unique password produces an unpredictable hash. When a user logs on and enters a password, NT hashes the candidate password and compares it to the user's official hash in the SAM. If the hashes match, NT authenticates the user.

Hashing provides protection because someone who steals a copy of the SAM can't determine the passwords without performing several years of brute-force computations to hash every possible password until a matching hash appears. However, if L0pht Heavy Industries' L0phtCrack acquires a copy of your SAM, the program can often quickly yield most of your passwords.

Although NT's hash algorithm provides reasonable protection for passwords in the SAM, the OS's support for a LAN Manager hash makes NT vulnerable. LAN Manager hashes are weak by today's password-cracking standards for several reasons. First, LAN Manager passwords are case insensitive, so even if you specify an uppercase and lowercase password, NT converts the password to uppercase before creating the LAN Manager hash. Second, although you specify a password of as many as 14 characters, you gain little security with passwords longer than 7 characters. For passwords longer than 7 characters, LAN Manager creates two weak hashes; the first hash uses the first 7 characters, and the second hash uses the remaining characters.

To determine passwords, L0phtCrack first cracks the LAN Manager hash. L0phtCrack processes a list of English words, uses the LAN Manager hash algorithm to hash each word, and compares the candidate hash to the hash in the SAM. If they match, L0phtCrack has the password. If L0phtCrack reaches the end of the word list and doesn't have all the passwords, the program goes through its word list again, this time adding a few characters to the beginning and end of each word (e.g., password1, password2). To find remaining passwords, L0phtCrack tries every possible combination of passwords.

After L0phtCrack cracks the LAN Manager hash, it has the uppercase version of the password. Then, the program quickly hashes all the password's case variations and compares them to the NT hash, eventually yielding the user's uppercase and lowercase password. Syskey, a utility in NT 4.0 Service Pack 3 (SP3), provides some protection by encrypting hashes in the SAM. However, just as the SAM stores two hashes (i.e., the NT hash and the LAN Manager hash), an NT client sends both an NT and a LAN Manager response to a server's challenge at logon. Despite Syskey, L0phtCrack can capture and crack the NT LAN Manager (NTLM) challenge and response authentication protocol packets from the network when a user logs on to a remote system. NT 4.0 SP4 addresses this risk by introducing NTLMv2. This version of NTLM lets you prevent transmission of the weak LAN Manager response, thus slowing L0phtCrack considerably. (For information about protecting NT passwords, see "Protect Your Passwords," October 1998.)