LM Hashes are Stupid
====================
(why your Windows passwords should be >14 characters long)

First, an overview of the process used to compute an LM hash:

The LM hash (used by Windows for <15 character passwords):

0. Convert any letters in the password to uppercase (some accented characters are also converted in some way)
1. Null-pad the password until it is 14 characters long.
2. Break the password into two 7-character chunks.
3. Convert each chunk into a 56 bit DES key (look at it as a bit string, and add a 0 after every 7 bits)
4. Use each chunk to DES encrypt the string: "KGS!@#$%"
5. Stick the two results together to get the final LM hash.

Steps 3-4 aren't really significant. The important thing is that cracking your 14-character password is now equivalent to cracking two 7-character passwords. NTLM hashes, which don't have this limitation (although they are supposedly bad for other reasons), are far more difficult to crack.

Windows stores NTLM hashes of all passwords. Unfortunately, for backwards compatibility with Windows 98 (?), it stores LM hashes for passwords <15 characters long.

So now for some computation:

Most people have an alphanumeric password. Since case doesn't matter, that's a character set of size 36. Let's even assume that the password is the maximum length, 14 characters. Here is the number of hashes that one would need to compute in order to brute force hashes of each type (we'll even ignore the fact that NTLM hashes would be case-sensitive[1]):

    NTLM: 36^14 = 6140942214464815497216
    LM:   36^7  = 78364164096

Let's (conservatively) assume that I can compute about 4 million hashes per second. That's about 1,535,235,553,616,203 seconds for the first one, or about 48,682,000 years. For LM hashes, the time is closer to 5.4 hours.

So just considering the case of brute forcing a password, this little demonstration has hopefully made clear the benefits of using a 15 character or longer password on Windows computers.

[1] Actually, let's not:

    NTLM: 62^14 = 12401769434657526912139264

Assuming about 4 million hashes per second, this comes out to about 98,314,382,250 years.
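
The following Python sketch is an added example, not part of the original text: it carries out steps 0-3 of the procedure above and reproduces the brute-force estimates at the 4 million hashes per second assumed in the text. It assumes an ASCII-only password and omits the DES encryption of step 4 (Python's standard library has no DES); the function names and sample passwords are made up for illustration.

```python
HASHES_PER_SECOND = 4_000_000        # rate assumed in the text
SECONDS_PER_YEAR = 365 * 24 * 3600

def lm_halves(password):
    """Steps 0-2: uppercase, null-pad to 14 bytes, split into two 7-byte chunks."""
    raw = password.upper().encode("ascii")   # assumption: ASCII-only password
    if len(raw) > 14:
        raise ValueError("passwords of 15+ characters get no LM hash")
    padded = raw.ljust(14, b"\x00")
    return padded[:7], padded[7:]

def des_key_from_chunk(chunk):
    """Step 3: read 7 bytes as 56 bits and add a 0 bit after every 7 bits."""
    if len(chunk) != 7:
        raise ValueError("chunk must be exactly 7 bytes")
    bits = int.from_bytes(chunk, "big")
    # Take 7 bits at a time from the top; the shift leaves the low bit 0.
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))

def brute_force_seconds(charset_size, length):
    """Time to try every candidate of this length at the assumed rate."""
    return charset_size ** length / HASHES_PER_SECOND

def compare(charset_size=36):
    """Return (LM hours, NTLM years) for a 14-character password."""
    lm_hours = brute_force_seconds(charset_size, 7) / 3600
    ntlm_years = brute_force_seconds(charset_size, 14) / SECONDS_PER_YEAR
    return lm_hours, ntlm_years

if __name__ == "__main__":
    for pw in ("Password123", "hunter2"):     # constructed sample passwords
        first, second = lm_halves(pw)
        print(pw, first, second, des_key_from_chunk(first).hex())
    lm_hours, ntlm_years = compare()
    print(f"LM: {lm_hours:.1f} hours   NTLM: {ntlm_years:,.0f} years")
```

For a password of 7 characters or fewer the second chunk is all null bytes, so that half of the hash is the same for every such password.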