[Geeks are Sexy] technology news

Tuesday, May 23, 2006

Preventing XP from Storing an LM Hash of your Password in the SAM Database

As you probably already know, Windows saves your user password in something called the SAM database. It can store it using two different password representations, or "hashes": the LAN Manager hash (LM hash) and the Windows NT hash (NT hash). NT hashes are considered to be pretty secure, but unfortunately, LM ones are not and are prone to brute force attacks.

There are two ways you can force XP to store your password using only the NT hash representation, and here they are:

1-Use a password that is longer than 14 characters

This is by far the simplest technique. Just use a password that is longer than 14 characters. If you do this, Windows will store a meaningless LM hash value in the SAM database and use an NT hash to represent your password instead.

2-Add the NoLMHash value to the registry

This registry hack will force Windows XP to store your password using the NT hash representation.

(Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft or I cannot guarantee that these problems can be solved. Modify the registry at your own risk.)

  • Click Start, then Run, type regedit, and click OK
  • Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Under the Lsa key, create a DWORD Value named NoLMHash, and assign a value of 1 to it (as shown in the screenshot below)
  • Restart your computer, and change your password.

Voilà, you are done. You might want to test the strength of your password via a brute force attack before and after having done the procedure. This guide will show you how to do this.
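
The registry change from method 2 as a script that first reports the current setting, added here as an example and not part of the original post. It assumes PowerShell is installed (it is not included in a stock Windows XP install) and an elevated prompt; the `-Enforce` switch and the `Get-NoLMHashState` function are names chosen for this example.

```powershell
# Added example: audit and, if requested, set NoLMHash under the Lsa key.
# Run from an elevated prompt; writing to HKLM requires administrator rights.
param([switch]$Enforce)   # hypothetical switch: without it the script only reports

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'NoLMHash'

function Get-NoLMHashState {
    # Returns 'Missing', 'Enabled', or 'Disabled (value N)'.
    $prop = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Missing' }
    if ($prop.$Name -eq 1) { return 'Enabled' }
    return "Disabled (value $($prop.$Name))"
}

$state = Get-NoLMHashState
Write-Output "NoLMHash before: $state"

if ($Enforce -and $state -ne 'Enabled') {
    # -Force replaces an existing value that has the wrong type or data.
    New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "NoLMHash after:  $(Get-NoLMHashState)"
    # The setting only affects hashes stored from now on.
    Write-Output 'Change each account password so the stored LM hash is replaced.'
}
```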



  • If you have multiple computers and they are all under the same domain, you can implement a group policy on the DC (domain controller) to apply this rule to all of your systems.

    1. In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

    2. In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change.

    3. Click Enabled, and then click OK.

    By Anonymous John Grozniac, at 12:35 PM  

  • Anon: Fixed, I wasn't on my computer when I made the screenshot, and forgot to change the value while I was there :)

    By Blogger Kiltak, at 8:50 PM  

  • There is already a string in the registry called nolmhash, I forget where it is so just Ctrl F and find it, and you don't need to restart your PC, just Ctrl+Alt+Del and end explorer.exe then WindowsKey+R and type in explorer.exe to restart explorer, that will refresh the registry. And a slight typo-

    the password only has to be longer than 14 characters.

    By Anonymous Anonymous, at 2:32 PM  

  • Yeah, I specified the name of the key in case it wasn't there, but most of the time, it is.

    By Blogger Kiltak, at 3:09 PM  
