Editing LAN Manager (section)

==Security weaknesses==
LAN Manager authentication uses a particularly weak method of [[Cryptographic hash function|hashing]] a user's [[password]] known as the LM hash algorithm, stemming from the mid-1980s when viruses transmitted by floppy disks were the major concern.<ref name=SecurityWatch /> Although it is based on [[Data Encryption Standard|DES]], a well-studied [[block cipher]], the LM hash has several weaknesses in its design.<ref>{{cite web
| url=http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt
| title=Windows Passwords: Everything You Need To Know
| publisher=[[Microsoft]]
| first=Jasper M.
| last=Johansson
| date=June 29, 2004
| access-date=May 12, 2015}}</ref>
This makes such hashes crackable in a matter of seconds using [[rainbow table]]s, or in a few minutes using [[Brute-force attack|brute force]]. Starting with [[Windows NT]], it was replaced by [[NTLM]], which is still vulnerable to rainbow tables, and brute force attacks unless long, unpredictable passwords are used, see [[password cracking]]. NTLM is used for logon with local accounts except on domain controllers since Windows Vista and later versions no longer maintain the LM hash by default.<ref name=SecurityWatch>{{cite web|author1=Jesper Johansson|title=The Most Misunderstood Windows Security Setting of All Time|url=https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc160954(v=msdn.10)|website=[[Microsoft Docs]]|date=August 31, 2016 |publisher=Microsoft|access-date=October 16, 2023|quote=Although Windows Vista has not been released yet, it is worthwhile to point out some changes in this operating system related to these protocols. The most important change is that the LM protocol can no longer be used for inbound authentication—where Windows Vista is acting as the authentication server.}}</ref> [[Kerberos (protocol)|Kerberos]] is used in Active Directory Environments.

The major weaknesses of LAN Manager authentication protocol are:<ref>Rahul Kokcha</ref>
# Password length is limited to a maximum of 14 characters chosen from the [[ASCII#ASCII printable characters|95 ASCII printable characters]].
# Passwords are not case sensitive. All passwords are converted into uppercase before generating the hash value. Hence LM hash treats PassWord, password, PaSsWoRd, PASSword and other similar combinations same as PASSWORD. This practice effectively reduces the LM hash [[key space (cryptography)|key space]] to 69 characters.
# A 14-character password is broken into 7+7 characters and the hash is calculated for each half separately. This way of calculating the hash makes it dramatically easier to crack, as the attacker only needs to [[brute-force attack|brute-force]] 7 characters twice instead of the full 14 characters. This makes the effective strength of a 14-character password equal to only <math>2\times69^{7} \approx 2^{44}</math>, or twice that of a 7-character password, which is 3.7 trillion times less complex than the <math>69^{14} \approx 2^{86}</math> theoretical strength of a 14-character single-case password. As of 2020, a computer equipped with a high-end [[graphics processor]] (GPUs) can compute 40 billion LM-hashes per second.<ref>[https://www.onlinehashcrack.com/tools-benchmark-hashcat-nvidia-rtx-2070s-super.php Benchmark Hashcat v6.1.1 on RTX 2070S (SUPER)], Mode 3000 LM,  accessed November 29, 2020</ref> At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character [[alphanumeric]] passwords can be tested and broken in 2 seconds.
#If the password is 7 characters or less, then the second half of hash will always produce same constant value (0xAAD3B435B51404EE). Therefore, a password is less than or equal to 7 characters long can be identified visibly without using tools (though with high speed GPU attacks, this matters less).
# The hash value is sent to network servers without [[Salt (cryptography)|salting]], making it susceptible to [[man-in-the-middle attack]]s such as [[pass the hash|replay the hash]]. Without salt, [[time–memory tradeoff]]  [[pre-computed dictionary attack]]s, such as a [[rainbow table]], are feasible. In 2003, [[Ophcrack]], an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, such as [[RainbowCrack]], [[Hashcat]], [[L0phtCrack]] and [[Cain (software)|Cain]], now incorporate similar attacks and make cracking of LM hashes fast and trivial.