A security audit requires that no legacy LAN Manager (LM) password hashes be stored on any Windows servers in the environment. The infrastructure team would prefer to satisfy the requirement only by raising the minimum password length for all administrator accounts, avoiding any Group Policy or registry changes that could disrupt older applications. What is the shortest minimum length that will prevent Windows from generating an LM hash for newly created or changed passwords?
Windows automatically creates an LM hash only when a password is 14 characters or fewer. If the password is 15 characters or longer, Windows skips the LM-hash calculation and keeps only the stronger NT hash. Therefore, setting the minimum length to 15 characters is the simplest way to eliminate LM hashes without touching Group Policy (for example, Network security: Do not store LAN Manager hash value…) or registry settings. A 14-character policy is still within the LM-hash range, while 8 or 12 characters also allow LM hashes to be generated. Requiring 15 characters or more meets the audit goal and preserves compatibility.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why does Windows create LM hashes only for passwords 14 characters or fewer?
Open an interactive chat with Bash
What is the difference between an LM hash and an NT hash?
Open an interactive chat with Bash
What could happen if LM hashes are not eliminated from a server?