Windows Server Forum / Windows Server 2003 / Security / July 2007


NT4 password limited to 14 characters ?

Pascal - 16 Jul 2007 10:24 GMT
Hi,

sorry for this "noob" question, but is there a password limit on NT4
SP6a?

Indeed, I am not able to define a password that is more than 14
characters long.

Sometimes I read that the limit is 128 characters and sometimes
that it is 14 characters.

Could someone please help me? :)

Thank you

Signature

Pascal

S. Pidgorny <MVP> - 16 Jul 2007 11:00 GMT
Dare to experiment?
I think Roger mentioned the other day that it can be up to 254 ASCII
characters.

Signature

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Hi,
>
[quoted text clipped - 9 lines]
>
> Thank you
Pascal - 16 Jul 2007 11:14 GMT
> Dare to experiment?
> I think Roger mentioned the other day that it can be up to 254 ASCII
[quoted text clipped - 21 lines]
>>
>> -- Pascal

I have tried to define a password that has more than 14 characters
through the GUI (usrmgr) and with the command line "net user username
password_15char", but with no success :/

I have also read from Joe Richards that the maximum length is 128
characters, but I didn't find anything that confirms this.

It seems that at first the maximum length was 14 characters (some
web pages on the Microsoft website said that) but that they then updated the
maximum length (though I didn't find any Microsoft source that confirms
that).

Thank you

Signature

Pascal

Roger Abell [MVP] - 17 Jul 2007 06:19 GMT
Hi Slav,

That is the size for W2k and later if not in Unicode, but it
seems the UI is now all Unicode, hence 127.

NT 4 was much more limited; 14 sounds about right.

Roger

> Dare to experiment?
> I think Roger mentioned the other day that it can be up to 254 ASCII
[quoted text clipped - 14 lines]
>>
>> Thank you
jwgoerlich@gmail.com - 16 Jul 2007 12:37 GMT
Hello Pascal,

The answer lies in how Windows hashes and stores the passwords. There
are three mechanisms: LM (MD4), NTLM hash (MD4), and NTLMv2 (MD5).

LM has a maximum length of 14 characters. It breaks the password up
into two 7 character strings, makes both strings uppercase, and then
hashes the strings. Because of the length and because of the case
insensitivity, LM is very easy to break with brute force tools.

NTLM also has a maximum length of 14 characters. It hashes the
password as one 14 character chunk and does not change the characters
to uppercase. It is a little better than LM.

NTLMv2 has a maximum length of 127 Unicode characters or 254 ASCII
characters. Most systems use Unicode to support international
character sets, and thus 127 is the number you will see most often.

Windows NT4 will use either NTLM or NTLMv2. If at all possible in your
environment, set it to only use NTLMv2 (see 147706). Using "Net User"
may still default to 14 characters because the utility may not
recognize the change. Usrmgr should be fine, however.

Hope that helps,

J Wolfgang Goerlich

Microsoft Article 147706, How to disable LM authentication on Windows
NT
http://support.microsoft.com/kb/147706

> Hi,
>
[quoted text clipped - 13 lines]
> --
> Pascal
Pascal - 16 Jul 2007 13:42 GMT
Hello,

thank you for your answer.

I have already tried to change the LMCompatibilityLevel to 4 (refuse LM)
and 5 (refuse LM and NTLM), but with no success.

There is a GUI limitation in USRMGR that will not let me enter more than 14
characters.
So I tried to change the password through net users, DameWare NT
Utilities or through a 2k client member of the domain, but with no
success (System error 2245).

It's quite annoying for us because we have a password synchronization
process from AD to NT, and because of this limitation users can't define
a long password in Active Directory either.

Thank you for your help

> Hello Pascal,
>
[quoted text clipped - 26 lines]
> NT
> http://support.microsoft.com/kb/147706

Signature

Pascal

John John - 16 Jul 2007 13:56 GMT
Not sure, maybe this can help:

Active Directory Extension for Windows NT 4.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=7c219dcc-ec00-4c98-ba61-fd98467952a8&DisplayLang=en


John

> Hello,
>
[quoted text clipped - 45 lines]
>> NT
>> http://support.microsoft.com/kb/147706
Pascal - 16 Jul 2007 14:56 GMT
Hi John,

I am not sure this will help, as my PDC is a PDC :D and therefore not a
member of any Active Directory domain.

Thank you

> Not sure, maybe this can help:
>
> Active Directory Extension for Windows NT 4.0
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7c219dcc-ec00-4c98-ba61-fd98467952a8&DisplayLang=en

>
> John

Signature

Pascal

jwgoerlich@gmail.com - 16 Jul 2007 18:24 GMT
Regarding LMCompatibilityLevel, have you set it on the domain
controller and on the workstation?

Interesting that Usrmgr will not do more than 14 characters. I had
thought I used it in the past to get around this issue, I must have
been mistaken.

Using the Windows 2000 client to set the password will likely be your
workaround, then. The system error points to the password not meeting
the password policy requirements. Provided both the PDC and the
client computer are set up for NTLMv2, try to raise the minimum
password length to something greater than 14 characters. This might
tell us something.

Regards,

J Wolfgang Goerlich

Password and Account Policies
http://www.microsoft.com/technet/archive/winntas/deploy/confeat/05wntpcb.mspx?mfr=true


> Hello,
>
[quoted text clipped - 50 lines]
>
George Valkov - 16 Jul 2007 19:57 GMT
| Hello,
|
[quoted text clipped - 8 lines]
| utilities or through a 2k client member of the domain but with no
| success.(System error 2245)

Error lookup: 2245
{
The password does not meet the password policy requirements. Check the
minimum password length, password complexity and password history
requirements.
}
Try a more complex password like this:
aBcD1234.$#~9012@!-+789

| It's quite annoying for us because we have a password synchronization
| process from AD to NT and because of this limitation users can't define
[quoted text clipped - 32 lines]
| > NT
| > http://support.microsoft.com/kb/147706
jwgoerlich@gmail.com - 16 Jul 2007 21:29 GMT
OT but I must say: I like your style, George.

> Error lookup: 2245
> {
[quoted text clipped - 4 lines]
> Try a more complex password like this:
> aBcD1234.$#~9012@!-+789
Pascal - 17 Jul 2007 10:15 GMT
Here is what I did, just to be sure that it is the right method to
disable the LM hash:
On my PDC (NT4 SP6a),

I have created a DWORD value (LMCompatibilityLevel) under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
with Value = 5 (Refuse LM and NTLM)

and

NtlmMinServerSec and NtlmMinClientSec (DWORD) under MSV1_0 with 0 as
value.

Then I have restarted the PDC.

When I try to change the password from usrmgr, DameWare NT Utilities or
through a 2000 workstation, I always get an error saying that the
password does not meet the password policy requirements, but that's false
:D

If I set "12345678901234" as password it works.
If I set "123456789012345" I get the message quoted above. (Same issue
with a really complex password like IL0veLMH@shP@ssw0rd!)

This is quite strange because I have never really seen people
complaining about this limitation.

Thank you

> OT but I must say: I like your style, George.
>
[quoted text clipped - 6 lines]
>> Try a more complex password like this:
>> aBcD1234.$#~9012@!-+789

Signature

Pascal

S. Pidgorny <MVP> - 18 Jul 2007 10:44 GMT
Here are some facts about lmcompatibilitylevel:

http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/default.aspx

Signature

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Here is what I did, just to be sure that it is the right method to disable
> LM hash :
[quoted text clipped - 33 lines]
>>> Try a more complex password like this:
>>> aBcD1234.$#~9012@!-+789
Pascal - 18 Jul 2007 13:01 GMT
Thank you Svyatoslav.

I have read the article, but nothing in it lets me conclude that we
cannot set up a password that has more than 14 characters :-/

But it is written that NT4 SP6 supports NTLMv2.

So ... :D

P.S.: I have made a new test where I forced my 2k client (SP4) to use
only the NTLMv2 method (lmcompatibilitylevel set to 3) while the
LMCompatibilityLevel was at 5 on my PDC NT4 SP6.
But the problem remains when I try to change the password through my
Win2k client.

Thanks guys

> Here's some facts about lmcompatibilitylevel:
>
[quoted text clipped - 45 lines]
>>
>> -- Pascal

Signature

Pascal

S. Pidgorny <MVP> - 19 Jul 2007 12:31 GMT
We share the inconclusion.
NT allows long passwords, but those aren't always effectively used.
Sometimes, depending on the setting, only part of the password is used. I
think this is the truth.
Now do experiment, please.

Signature

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Thank you Svyatoslav .
>
[quoted text clipped - 63 lines]
>>>
>>> -- Pascal
Pascal - 23 Jul 2007 09:34 GMT
Hi,

sorry for my poor English, but what does "do experiment" mean, please?
:D Does it mean "make some tests"?

Because that is what I already did, with no success :D

It doesn't seem that NT allows long passwords if we try to set them up
via usrmgr, DameWare or the net user command.

Thanks
> We share the inconclusion.
> NT allows long passwords - but those aren't always effectively used.
[quoted text clipped - 77 lines]
>>
>> -- Pascal

Signature

Pascal

S. Pidgorny <MVP> - 25 Jul 2007 10:35 GMT
What I'd do is set up an extra long password on a Windows 2003 domain
controller and authenticate using NT, resulting in locally cached
credentials; then I'd try to log on with any other password :)

Alternatively, I'd use Windows 2003 tools to manage the NT system. This is just
to avoid the UI limitations that some tools may have.

Signature

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Hi,
>
[quoted text clipped - 90 lines]
>>>
>>> -- Pascal
Pascal - 25 Jul 2007 11:54 GMT
Hi,

Yes I have already tried that but with no success (bouhoouhooou :D).

I have also tried to change the password through a 2000 client member
of the domain (so without the UI limitation), but the problem remains.

It's really an NT4 limitation, but what is strange is that we don't find
anywhere on the Microsoft website a sentence saying "You can't set up a
password of more than 14 characters".

Thanks for your help!
> What I'd do is setting up extra long password on Windows 2003 domain
> controller and authenticating using NT - resulting in local cached
[quoted text clipped - 20 lines]
>>
>> Thanks

>>>> -- Pascal
>>
>> -- Pascal

Signature

Pascal

S. Pidgorny <MVP> - 31 Jul 2007 12:44 GMT
And you won't be able to. Microsoft is long past caring about NT and so
should you. It is okay to run it only in isolated environments e.g. those
not requiring password complexity. Think of cash machines.

Signature

Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

> Hi,
>
[quoted text clipped - 36 lines]
>>>
>>> -- Pascal
Steve Riley [MSFT] - 22 Jul 2007 04:10 GMT
There are two hashes:
 * LM
 * NT

There are four authentication methods:
 * LM
 * NTLM
 * NTLMv2
 * Kerberos

Here's how they relate:
 * LM authentication uses the LM hash
 * NTLM, NTLMv2, and Kerberos all use the NT hash

(It's incorrect to say "NTLM" or "NTLMv2" hash.)

LM hashes (and it's really a stretch to call them "hashes") are generated
only if both of these are true:
 * You haven't disabled LM hash generation
 * Your password length is 14 characters or less

In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.

If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

> Hello Pascal,
>
[quoted text clipped - 44 lines]
>> --
>> Pascal
jwgoerlich@gmail.com - 23 Jul 2007 12:41 GMT
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?

J Wolfgang Goerlich

On Jul 21, 11:10 pm, "Steve Riley [MSFT]" <steve.ri...@microsoft.com>
wrote:
> There are two hashes:
>   * LM
[quoted text clipped - 28 lines]
> Steve Riley
> steve.ri...@microsoft.com
> http://blogs.technet.com/steriley
Steve Riley [MSFT] - 24 Jul 2007 02:51 GMT
The practical matter is, you don't.

And I gotta say this--that NT 4 domain should be upgraded to Windows Server
2003 as soon as possible. NT 4 support ended a very long time ago.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley

> Fair enough. That still begs the question: how does Pascal, the OP,
> enable passwords of more than 14 characters on a Windows NT4 domain?
[quoted text clipped - 38 lines]
>> Steve Riley
>> steve.ri...@microsoft.com
>> http://blogs.technet.com/steriley
Pascal - 24 Jul 2007 09:56 GMT
Hello Steve,

thanks a lot for your answer.

Actually it is not possible for this company to upgrade the NT4 domain
to AD 2003.
That is the reason we are using MIIS for password synchronization between
AD (2003) and NT.

If I have understood correctly, it is technically possible to bypass this
limitation (of password length) but it is never used? (sorry for my
poor English :D)

The "big" problem of this situation is that we have to tell
users that they have to set up a password with a minimum
length of 9 characters AND a maximum length of 14 :-(

I have already read that it is a GUI limitation of usrmgr, but I have
also tried to set up the password through the net user command and
through a Windows 2000 SP4 member of the NT4 domain, but with no
success.

Even if in practice we don't set up such passwords, could
you let me know how we can set them up, please? :)

Thanks a lot

> The practical matter is, you don't.
>
[quoted text clipped - 46 lines]
>>> Steve Riley
>>> steve.ri...@microsoft.com
>>> http://blogs.technet.com/steriley

Signature

Pascal

Pascal - 24 Jul 2007 10:46 GMT
Another thing...

I have configured the LMCompatibilityLevel to 5 on my NT4 PDC.

Then I have changed my password through usrmgr to a classic password,
just to test that the LM hash is no longer used.

I have dumped my SAM and I can see that an LM hash is still generated for
that user!

Have I missed something again? :D

Thank you

> Hello Steve,
>
[quoted text clipped - 73 lines]
>>>> Steve Riley
>>>> steve.ri...@microsoft.com
>>>> http://blogs.technet.com/steriley

Signature

Pascal

Pascal - 24 Jul 2007 11:45 GMT
Me again,

please tell me if I have understood correctly :D

It is not possible to disable the LM hash on an NT4 computer (the
NoLMHash key is supported only since Windows 2000 SP2).

The LmCompatibilityLevel is used only to modify the authentication
method, not the hashing method, right?

Now, if I am right with what I said above, why is it possible to set
LMCompatibilityLevel to 5 (meaning only the NTLMv2 authentication method)
if NT4 does not support it? (because when I dumped the SAM of my
PDC, I only had LM hashes stored).

Even if I think I will finally bypass the problem by limiting the
password synchronization through MIIS to specific users only (so that
only those users are limited to a 14-character password length), I
really would like to understand how it works on NT4 :)

Thank you

> Another thing...
>
[quoted text clipped - 88 lines]
>>>>> Steve Riley
>>>>> steve.ri...@microsoft.com
>>>>> http://blogs.technet.com/steriley

Signature

Pascal

 