nerdexam
EC-Council

312-50V11 · Question #327

What statement is true regarding LM hashes?

The correct answer is D. LM hashes are not generated when the password length exceeds 15 characters.. LM (LAN Manager) hashes have well-known weaknesses, including not being generated at all when the Windows password exceeds 14 characters.

System Hacking

Question

What statement is true regarding LM hashes?

Options

  • ALM hashes consist in 48 hexadecimal characters.
  • BLM hashes are based on AES128 cryptographic standard.
  • CUppercase characters in the password are converted to lowercase.
  • DLM hashes are not generated when the password length exceeds 15 characters.

How the community answered

(23 responses)
  • A
    4% (1)
  • C
    4% (1)
  • D
    91% (21)

Why each option

LM (LAN Manager) hashes have well-known weaknesses, including not being generated at all when the Windows password exceeds 14 characters.

ALM hashes consist in 48 hexadecimal characters.

LM hashes are 32 hexadecimal characters long (128-bit output split into two 64-bit halves), not 48 characters.

BLM hashes are based on AES128 cryptographic standard.

LM hashes are based on DES (Data Encryption Standard), not AES128.

CUppercase characters in the password are converted to lowercase.

LM hashing converts lowercase characters to UPPERCASE before hashing, not the reverse, which reduces the keyspace and weakens the hash.

DLM hashes are not generated when the password length exceeds 15 characters.Correct

Windows does not generate an LM hash when a password is longer than 14 characters; instead, only an NT hash is stored. This is a security behavior where Microsoft effectively disables the weaker LM hash for long passwords, making the account more resistant to LM-based cracking attacks.

Concept tested: LM hash algorithm behavior and limitations

Source: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password

Topics

#LM hashes#Windows password storage#password length limit#legacy authentication

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice