GCIH · Question #777
What password characteristic could you require to eliminate the use of LANMAN hashes and restrict the local authentication to NT in a modern Windows system?
The correct answer is B. A minimum password length of 15 characters. LM (LANMAN) hashes can only be computed for passwords up to 14 characters long; enforcing a minimum password length of 15 characters prevents Windows from generating an LM hash entirely.
Question
What password characteristic could you require to eliminate the use of LANMAN hashes and restrict the local authentication to NT in a modern Windows system?
Options
- AA maximum password length of 14 characters
- BA minimum password length of 15 characters
- CA minimum or 1 lowercase character
- DA minimum of 1 uppercase character
How the community answered
(41 responses)- A12% (5)
- B78% (32)
- C7% (3)
- D2% (1)
Why each option
LM (LANMAN) hashes can only be computed for passwords up to 14 characters long; enforcing a minimum password length of 15 characters prevents Windows from generating an LM hash entirely.
Setting a maximum of 14 characters guarantees every password falls within the LM hashing length limit, which ensures LM hashes are always generated rather than preventing them.
The LM hash algorithm splits the password into two 7-character chunks padded to exactly 14 characters, so it is mathematically impossible to compute an LM hash for any password of 15 or more characters. When a password exceeds 14 characters, Windows stores only the NT hash, eliminating the weaker LM hash from the credential store and restricting local authentication to NTLM or NTLMv2.
Including a lowercase character is a complexity requirement and has no effect on which hash algorithm Windows uses; LM vs NT selection is determined solely by password length.
Requiring an uppercase character affects password complexity but does not influence hash type selection; only exceeding the 14-character LM limit prevents LM hash creation.
Concept tested: LANMAN hash elimination via minimum password length
Source: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change
Topics
Community Discussion
No community discussion yet for this question.