nerdexam
GIAC

GCIH · Question #777

What password characteristic could you require to eliminate the use of LANMAN hashes and restrict the local authentication to NT in a modern Windows system?

The correct answer is B. A minimum password length of 15 characters. LM (LANMAN) hashes can only be computed for passwords up to 14 characters long; enforcing a minimum password length of 15 characters prevents Windows from generating an LM hash entirely.

Vulnerability Exploitation & Privilege Escalation

Question

What password characteristic could you require to eliminate the use of LANMAN hashes and restrict the local authentication to NT in a modern Windows system?

Options

  • AA maximum password length of 14 characters
  • BA minimum password length of 15 characters
  • CA minimum or 1 lowercase character
  • DA minimum of 1 uppercase character

How the community answered

(41 responses)
  • A
    12% (5)
  • B
    78% (32)
  • C
    7% (3)
  • D
    2% (1)

Why each option

LM (LANMAN) hashes can only be computed for passwords up to 14 characters long; enforcing a minimum password length of 15 characters prevents Windows from generating an LM hash entirely.

AA maximum password length of 14 characters

Setting a maximum of 14 characters guarantees every password falls within the LM hashing length limit, which ensures LM hashes are always generated rather than preventing them.

BA minimum password length of 15 charactersCorrect

The LM hash algorithm splits the password into two 7-character chunks padded to exactly 14 characters, so it is mathematically impossible to compute an LM hash for any password of 15 or more characters. When a password exceeds 14 characters, Windows stores only the NT hash, eliminating the weaker LM hash from the credential store and restricting local authentication to NTLM or NTLMv2.

CA minimum or 1 lowercase character

Including a lowercase character is a complexity requirement and has no effect on which hash algorithm Windows uses; LM vs NT selection is determined solely by password length.

DA minimum of 1 uppercase character

Requiring an uppercase character affects password complexity but does not influence hash type selection; only exceeding the 14-character LM limit prevents LM hash creation.

Concept tested: LANMAN hash elimination via minimum password length

Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change

Topics

#LANMAN hash#NT hash#password length policy#Windows authentication

Community Discussion

No community discussion yet for this question.

Full GCIH Practice