Problem
You want to prevent the LanManager (LM) hash for new passwords from being stored in the local Security Accounts Manager (SAM). The LM hash is susceptible to brute force attacks and is primarily used for backward compatibility with Windows 95 and 98 clients.

Solution
Set the NoLMHash DWORD value entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 1. You can accomplish this by modifying the Local Security Policy as described next.

Using a graphical user interface
Discussion
The LM hash uses an old algorithm (pre-Windows NT 4.0) and is considered to be relatively weak compared to the NT hash that is also stored. The LM hash is generated only for passwords that are shorter than 15 characters. So if you are one of the few people who have a password (or passphrase) longer than that, the LM hash is not stored for you.

See Also
MS KB 299656, "How to Prevent Windows from Storing a LAN Manager Hash of Your Password in Active Directory and Local SAM Databases"
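
The registry setting named in the Solution can also be audited and applied from PowerShell. The script below is an added example, not part of the original recipe; the function names Get-NoLMHashState and Set-NoLMHash are hypothetical, and it assumes an elevated session on the local machine.

```powershell
# Added example: audit and enforce NoLMHash on the local machine.
# Function names are hypothetical; run from an elevated PowerShell session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    # Returns the current DWORD value, or $null when the entry does not exist.
    $prop = Get-ItemProperty -Path $LsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.NoLMHash
}

function Set-NoLMHash {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = Get-NoLMHashState
    if ($current -eq 1) {
        Write-Output 'NoLMHash is already 1; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$LsaKey\NoLMHash", 'Set DWORD value to 1')) {
        # -Force creates the entry if it is missing or overwrites an existing one.
        New-ItemProperty -Path $LsaKey -Name 'NoLMHash' -PropertyType DWord -Value 1 -Force |
            Out-Null
        Write-Output "NoLMHash changed from '$current' to 1."
    }
}

# Report the current state, then preview the change without applying it.
$state = Get-NoLMHashState
if ($null -eq $state) {
    Write-Output 'NoLMHash is not set.'
} else {
    Write-Output "NoLMHash is currently $state."
}

Set-NoLMHash -WhatIf   # remove -WhatIf to apply the change
```

Because the setting applies to new passwords, an account keeps any LM hash already stored until its password is next changed.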