
Notes about Windows and Password Security

I have long assumed that 15 characters is the minimum Windows password length for reasonable protection against cracking of Windows password hashes. When I started to do some research, I found this at:
http://www.securityfocus.com/infocus/1554
"
But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
"
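To make the quoted claim concrete, here is an added Go example (not code from the original page or from the SecurityFocus article) that implements the publicly documented LM hash algorithm using the standard library's crypto/des and shows that the constant quoted above is simply the LM hash of an empty password. The function names LMHash, StoredLMHash and expandDESKey are my own; StoredLMHash models the behaviour the quote describes for passwords of 15 or more characters and is not a Windows API.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// NullLMHash is the constant quoted above: the LM hash Windows stores for a
// null password and, per the quote, for any password of 15 or more characters.
const NullLMHash = "AAD3B435B51404EEAAD3B435B51404EE"

// lmMagic is the fixed 8-byte plaintext that the LM algorithm DES-encrypts
// under each half of the password.
var lmMagic = []byte("KGS!@#$%")

// expandDESKey spreads the 56 bits of a 7-byte password half over an 8-byte
// DES key, seven bits per byte, leaving bit 0 of each byte as the (ignored)
// DES parity bit.
func expandDESKey(k7 [7]byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := range k8 {
		k8[i] = byte((bits>>(49-7*uint(i)))&0x7F) << 1
	}
	return k8
}

// LMHash computes the LAN Manager hash as uppercase hex: the password is
// upper-cased, truncated or NUL-padded to 14 bytes, split into two 7-byte
// halves, and each half is used as a DES key to encrypt lmMagic.
func LMHash(password string) string {
	buf := make([]byte, 14) // unused bytes stay NUL, which is the LM padding
	copy(buf, strings.ToUpper(password))

	out := make([]byte, 16)
	for half := 0; half < 2; half++ {
		var k7 [7]byte
		copy(k7[:], buf[half*7:half*7+7])
		block, err := des.NewCipher(expandDESKey(k7))
		if err != nil {
			panic(err) // only possible with a wrong key length, which cannot happen here
		}
		block.Encrypt(out[half*8:half*8+8], lmMagic)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// StoredLMHash models the behaviour described in the quote (my own name for
// it, not a Windows API): for a password of 15 or more characters Windows
// stores the null-password constant instead of a real LM hash, so there is
// nothing for an LM cracker to recover.
func StoredLMHash(password string) string {
	if len(password) >= 15 {
		return NullLMHash
	}
	return LMHash(password)
}

func main() {
	fmt.Println("LM hash of the empty password:", LMHash(""))
	// Constructed sample passwords, chosen to show the algorithm's properties.
	for _, pw := range []string{"secret", "SECRET", "password", "correct horse battery"} {
		fmt.Printf("%-24q -> stored LM hash %s\n", pw, StoredLMHash(pw))
	}
}
```

Running it also exposes two of the weaknesses the article alludes to: because the password is upper-cased, "secret" and "SECRET" hash identically, and because each 7-byte half is processed independently, any password of seven characters or fewer carries the recognisable null half AAD3B435B51404EE as its last eight bytes. Both are reasons to keep the LM hash from being stored at all, which is what the policy discussed further down achieves.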

This suggests to me that in an AD environment with only XP/Vista clients and 2003 Server, long passwords are not necessary (8 characters should do), since the following passage:
"
However, Windows 2000 still often sends LM or NTLM hashes over the network and NTLMv2 is also vulnerable to in-transit (also known as replay) attacks. And since LM and NTLM password hashes are still stored in the registry, you will still be vulnerable to attacks against the SAM.
"
suggests that the password hashes are no longer easy to obtain (unless the attacker already has a domain admin account, which makes the whole thing moot anyway).

Wikipedia also suggests that in a domain environment the NT hashes are not easily available:
"
Microsoft implemented Kerberos as the preferred authentication protocol for Windows 2000 and Windows 2003 Active Directory domains. Kerberos is typically used when the client is "joined" to the Windows domain, or if a trust relationship with the domain is established in some other way (such as Linux to Windows AD authentication). NTLM is still used in the following situations:

  • The client is authenticating to a server using an IP address.
  • The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
  • No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
  • Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).
"
from:
http://en.wikipedia.org/wiki/NTLM

But maybe this was wishful thinking on my part, so I asked a Windows techie:

"
In summary, yes, in an AD environment with 2000, XP and Vista clients you can have less than 14 character passwords and be secure.

It's very difficult to get a copy of the SAM to get hashes; if someone has that right, you have bigger problems.

To disable the hash save, in the local security policy - or Domain or wherever:

Security Settings - Local Policies - Security options

Network Security - Do not store LAN manager hash on next password change.

Change your passwords and off you go.
"

Therefore, in an AD environment with XP and Vista clients (i.e. the domain is NOT running with NT functionality), you can be quite happy with 8-character passwords...

You can disable everything but NTLMv2 by configuring the policy
Network security: LAN Manager Authentication Level
to level 5 (thanks Owen).