
LM Hashes

LM hashing is a compromised hash function and has been since the early 2000s. In this post I cover how to stop Windows storing passwords in LM format.

Google is your friend and has numerous articles on LM hashes here. Likewise, Microsoft also published a detailed article on LM hashes here.

The Problem

Password Hashes

When you set a new account password, or change an existing one, Windows converts the clear-text password to a hash and stores that on the system. From then on, when you enter your password to log in, Windows hashes what you typed and compares it against the stored password hash.

As a high-level example, the cleartext password ‘Tu3sday2014’ converted to an LM hash is ‘7c1733fb3ce6682615c5627ce31416b2’.

LM hashes are weak because:

  1. Passwords are restricted to a maximum of 14 characters.
  2. Passwords are converted to UPPERCASE.
  3. The (at most) 14-character password is split into two halves (7 characters : 7 characters).
  4. Passwords shorter than 14 characters are padded with null bytes.

So the previous example ‘Tu3sday2014’ becomes ‘TU3SDAY’ : ‘2014’ (the second half padded out with null bytes), and each half is hashed on its own.

LM Capture

Looking at the picture above, you could argue that the password is reasonably strong (and believe me when I say I’ve seen far worse, usually in the format of ‘Companyname1’, ‘December17’ or ‘Spring2018’). Since Windows Server 2003 and Windows XP, however, Microsoft introduced NTLM hashes.

NTLM Hashes

NTLM is the successor to the LM authentication protocol, and despite NTLM having been around for 15+ years, servers are STILL storing passwords in LM format! Unfortunately most IT technicians aren’t aware that when they migrate their 2003 server to a 2016 server, they migrate the legacy security controls along with it. So what’s the solution?

The Solution

  1. Disable the storage of LM hashes in Group Policy
  2. Force a password reset to all users

Disabling LM passwords in Group Policy

To disable the storage of LM hashes via GPO, open Group Policy Management on your DC and navigate to the following path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Then set the policy ‘Network security: Do not store LAN Manager hash value on next password change’ to Enabled. As the name says, existing LM hashes stay in place until each account’s password is changed, which is why the second step is needed.

Resetting Users’ Passwords

For instructions on how to individually reset a user’s password visit here.

For instructions on how to reset all user’s passwords with a PowerShell script, visit here.
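The two solution steps above, as an added PowerShell example (this is not the script the post links to). It assumes the RSAT ActiveDirectory module is installed and that it runs on a DC or admin workstation; NoLMHash is the registry value that the GPO setting writes, and the cutoff date is a value you supply (the day the policy was applied).

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory
# module and a session with rights to modify user accounts.
# NoLMHash = 1 is the registry equivalent of the GPO setting
# "Network security: Do not store LAN Manager hash value on next password change".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Test-LmHashStorageDisabled {
    $value = (Get-ItemProperty -Path $lsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue).NoLMHash
    return ($value -eq 1)
}

function Invoke-PostLmPasswordReset {
    # Flags every enabled user whose password predates the policy change ($PolicyDate)
    # so that their next logon produces a fresh hash with no LM copy stored.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [datetime] $PolicyDate
    )
    Import-Module ActiveDirectory

    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
    foreach ($u in $users) {
        # A null PasswordLastSet already means "must change at next logon".
        if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -ge $PolicyDate) { continue }
        if ($u.PasswordNeverExpires) {
            # ChangePasswordAtLogon cannot be set while "password never expires" is on.
            Write-Warning "$($u.SamAccountName): 'password never expires' is set; reset manually."
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}

if (-not (Test-LmHashStorageDisabled)) {
    Write-Warning 'NoLMHash is not 1 on this host; apply the GPO (or run gpupdate /force) before resetting passwords.'
} else {
    # Dry run first; drop -WhatIf to apply. The date is a placeholder for when the GPO was applied.
    Invoke-PostLmPasswordReset -PolicyDate (Get-Date '2018-01-01') -WhatIf
}
```

Running the check on the DC rather than a member server matters, because the value that counts is the one in effect where the password hashes are stored.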