LM Hash - Security Weaknesses

Security Weaknesses

Although it is based on DES, a well-studied block cipher, the LM hash is not a true one-way function as the password can be determined from the hash because of several weaknesses in its design: Firstly, passwords are limited to a maximum of only 14 characters, giving a theoretical maximum keyspace of with the 95 ASCII printable characters.

Secondly, passwords longer than 7 characters are divided into two pieces and each piece is hashed separately; this weakness allows each half of the password to be attacked separately at exponentially lower cost than the whole, as only different 7-character password pieces are possible with the same character set. By mounting a brute force attack on each half separately, modern desktop machines can crack alphanumeric LM hashes in a few hours. In addition, all lower case letters in the password are changed to upper case before the password is hashed, which further reduces the key space for each half to .

The LM hash also does not use cryptographic salt, a standard technique to prevent pre-computed dictionary attacks. A time-memory trade-off cryptanalysis attack, such as a rainbow table, is therefore feasible. This also has the side effect that the second half of the hash for any password that is shorter than eight characters will always render the constant value of 0xAAD3B435B51404EE, making it easy to identify short passwords on sight. In 2003, Ophcrack, an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, e.g. RainbowCrack, L0phtCrack and Cain, now incorporate similar attacks and make cracking of LM hashes fast and trivial.

A final weakness of LM hashes lies in their implementation — since they change only when a user changes their password, they can be used to carry out a pass the hash side channel attack.