nerdexam
EC-Council

312-50V10 · Question #327

What statement is true regarding LM hashes?

The correct answer is D. LM hashes are not generated when the password length exceeds 15 characters.. LM hashes have several well-known weaknesses; among the choices, the technically accurate statement is that Windows does not generate a real LM hash when the password length exceeds a set threshold.

System Hacking

Question

What statement is true regarding LM hashes?

Options

  • ALM hashes consist in 48 hexadecimal characters.
  • BLM hashes are based on AES128 cryptographic standard.
  • CUppercase characters in the password are converted to lowercase.
  • DLM hashes are not generated when the password length exceeds 15 characters.

How the community answered

(48 responses)
  • A
    2% (1)
  • B
    4% (2)
  • C
    6% (3)
  • D
    88% (42)

Why each option

LM hashes have several well-known weaknesses; among the choices, the technically accurate statement is that Windows does not generate a real LM hash when the password length exceeds a set threshold.

ALM hashes consist in 48 hexadecimal characters.

LM hashes produce a 32 hexadecimal character output, not 48 - they consist of two concatenated 16-character DES-based values.

BLM hashes are based on AES128 cryptographic standard.

LM hashes are based on DES (Data Encryption Standard), not AES128 - this is a fundamental property of the legacy LAN Manager authentication protocol.

CUppercase characters in the password are converted to lowercase.

LM hashing converts all password characters to uppercase before processing, not lowercase - this uniformity is one of the reasons the scheme is so weak.

DLM hashes are not generated when the password length exceeds 15 characters.Correct

When a Windows account password exceeds 14 characters, the system stores a static dummy LM hash value rather than computing a real one, effectively disabling the weaker LM hash for long passwords. This behavior is a built-in mitigation because LM hashing splits passwords into two 7-character chunks and is trivially brute-forced. The question states 15 characters, which is slightly imprecise (the actual cutoff is 14), but D is the only factually defensible choice among the options.

Concept tested: LM hash properties, limitations, and password length behavior

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

Topics

#LM hashes#Windows authentication#password hashing#NTLM

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice