How Many Bytes Is the Output of an LM Hash?

The LM hash (LAN Manager hash) is a legacy authentication mechanism that once dominated Windows network security. Despite its age, the LM hash remains a topic of interest for security researchers, forensic analysts, and IT professionals who need to understand legacy systems. A common question that arises is: “How many bytes is the output of an LM hash?” This article provides a comprehensive answer, delving into the structure of the LM hash, the cryptographic underpinnings that determine its length, and practical implications for security and forensic work.


Introduction

The LM hash was introduced in the early 1990s as part of Microsoft’s Windows NT and LAN Manager authentication protocols. While it was revolutionary at the time, its design flaws—most notably its 56‑bit key size and case‑insensitive handling of passwords—render it insecure by modern standards. Even so, many legacy systems still rely on LM hashes, and understanding their output format is essential for:

  • Migrating to stronger authentication mechanisms (e.g., NTLMv2, Kerberos).
  • Conducting forensic investigations where LM hashes may be extracted from memory or disk.
  • Implementing password cracking tools that target LM hashes.

Before we answer the core question, let’s walk through how an LM hash is generated and why its output is a fixed size.


The LM Hash Algorithm in a Nutshell

  1. Password Normalization

    • The original password is converted to uppercase.
    • The password is padded or truncated to 14 ASCII characters.
  2. Splitting into Two 7‑Byte Keys

    • The 14‑byte string is divided into two 7‑byte halves.
  3. DES Key Derivation

    • Each 7‑byte half is expanded into an 8‑byte DES key by inserting parity bits (the least significant bit of each byte is set to ensure odd parity).
    • The result is two 8‑byte DES keys.
  4. Encryption of a Fixed String

    • The string “KGS!@#$%” (8 bytes) is encrypted separately with each DES key.
    • The two 8‑byte DES ciphertexts are concatenated.
  5. Final Output

    • The concatenated 16‑byte value is the LM hash, typically represented as a 32‑character hexadecimal string (each byte = 2 hex digits).
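
Steps 1 to 3 above as an added Python example (not code from the original article). It assumes ASCII-only passwords and NUL padding, and the function names are chosen here for illustration. It shows the real 7-byte halves and the two 8-byte DES keys that each encrypt one 8-byte block:

```python
# Added example: LM steps 1-3 (normalize, split, DES key expansion).
# Assumption: ASCII passwords; real systems use the OEM code page.

def normalize(password):
    """Step 1: uppercase, then truncate or NUL-pad to exactly 14 bytes."""
    raw = password.upper().encode("ascii")
    return raw[:14].ljust(14, b"\x00")

def split_halves(block14):
    """Step 2: two independent 7-byte halves."""
    if len(block14) != 14:
        raise ValueError("expected 14 bytes")
    return block14[:7], block14[7:]

def expand_des_key(half7):
    """Step 3: spread 56 key bits over 8 bytes (7 bits each) and use the
    low bit of every byte to give that byte odd parity."""
    if len(half7) != 7:
        raise ValueError("expected 7 bytes")
    bits = int.from_bytes(half7, "big")        # 56-bit integer
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F  # next 7 key bits
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:     # even number of 1s: set parity bit
            byte |= 1
        key.append(byte)
    return bytes(key)

def lm_des_keys(password):
    """Return the two 8-byte DES keys used in step 4."""
    left, right = split_halves(normalize(password))
    return expand_des_key(left), expand_des_key(right)

if __name__ == "__main__":
    left, right = split_halves(normalize("Password123"))
    print("halves:", left, right)
    for key in lm_des_keys("Password123"):
        print("DES key:", key.hex())
```

Because case is folded and anything past 14 bytes is discarded before the keys are built, different passwords can map to the same pair of keys, and a password of 7 characters or fewer always yields an all-padding second key.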

Why the Output Is Exactly 16 Bytes

The LM hash’s output length is dictated by the steps above:

  • Two DES encryptions: Each DES operation produces an 8‑byte ciphertext.
  • Fixed plaintext: The same 8‑byte string is encrypted twice, ensuring consistency.
  • No padding: DES operates on 8‑byte blocks, and the plaintext length matches the block size, so no additional padding is added.

Because the process always yields two 8‑byte blocks, the total size is 16 bytes. This size is immutable regardless of the original password’s length (once normalized to 14 bytes) or any other input variations.


Detailed Breakdown

| Step | Operation | Output Size |
|------|-----------|-------------|
| 1 | Password normalization (uppercase, 14 bytes) | 14 bytes |
| 2 | Split into two 7‑byte halves | 7 bytes × 2 |
| 3 | DES key derivation (parity bits added) | 8 bytes × 2 |
| 4 | DES encryption of “KGS!@#$%” | 8 bytes × 2 |
| 5 | Concatenate ciphertexts | 16 bytes |

Example

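| Password | Normalized | Split | DES Key 1 (hex) | DES Key 2 (hex) | Ciphertext 1 (hex) | Ciphertext 2 (hex) | LM Hash (hex) |
|----------|------------|-------|-----------------|-----------------|--------------------|--------------------|---------------|
| Password123 | PASSWORD123 | PASSWORD / 123 | F3C8E5D0 | C2A0B4E3 | 85B8E3A6 | D4F3B1C9 | 85B8E3A6D4F3B1C9 |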

Note: The example uses illustrative hex values; actual values will differ.


Common Misconceptions

| Misconception | Reality |
|---------------|---------|
| The LM hash is 32 bytes | It is 16 bytes (32 hex characters). |
| The hash length can vary | No—every LM hash is exactly 16 bytes due to DES block size. |
| LM hash uses SHA-1 or MD5 | It uses DES encryption on a fixed string. |
| Case sensitivity matters | The algorithm converts all letters to uppercase, so “Password” and “password” produce the same hash. |

Practical Implications

For Security Auditors

  • Immediate Weakness: A 16‑byte hash derived from a weak algorithm is trivially crackable with modern GPUs.
  • Password Policy: Enforce removal of LM hash support and enable NTLMv2 or Kerberos.

For Forensic Analysts

  • Hash Extraction: When retrieving LM hashes from memory dumps or SAM files, the analyst knows to expect 16‑byte values.
  • Cross‑Reference: Comparing a 16‑byte LM hash with an NTLM hash (which is 16 bytes for the hash and 16 bytes for the salt) helps identify duplicate passwords across systems.

For Developers

  • Legacy Integration: If you must interface with an older system that still uses LM hashes, you can generate them in code knowing the fixed 16‑byte size.
  • Testing: Unit tests can assert that the LM hash function always returns 16 bytes, ensuring consistency.

FAQ

| Question | Answer |
|----------|--------|
| How many bits is an LM hash? | |
| Why does the LM hash use a fixed plaintext “KGS!@#$%”? | |
| What is the relationship between LM and NTLM hashes? | Both are 16 bytes, but NTLM uses a 128‑bit MD4 hash of the Unicode password, whereas LM uses DES on a fixed string. |
| Can I use LM hashes in modern applications? | |
| Is the LM hash reversible? | |
| Can an LM hash be longer or shorter? | No. The algorithm’s design guarantees a fixed 16‑byte output. |


Conclusion

The LM hash, despite its obsolescence, remains a fascinating study in early Windows authentication design. Its output is a fixed 16‑byte value—a direct consequence of using two DES encryptions on a constant 8‑byte string. Understanding this length is crucial for security professionals, forensic investigators, and developers who interact with legacy systems. While the LM hash’s brevity (128 bits) and simplicity make it easy to compute, they also make it highly vulnerable, underscoring the importance of migrating to reliable, modern authentication protocols.

Mitigation and Migration Strategies

Transitioning Away from LM Hashes

Organizations still encountering LM hashes in their environment should prioritize the following steps:

  1. Disable LM Hash Generation – Windows Vista and later versions disable LM hash storage by default. For legacy systems, registry modifications (setting NoLMHash to 1 under HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets) can disable their creation.

  2. Implement Stronger Protocols – Migrate to NTLMv2 or, preferably, Kerberos-based authentication. NTLMv2 incorporates client-side challenge-response mechanisms and salted hashes, providing significantly better protection against replay and brute-force attacks.

  3. Enforce Complex Password Policies – While not a substitute for algorithm upgrades, requiring longer, more complex passwords reduces the effectiveness of cracking tools, even against legacy hashes.

  4. Regular Audits – Conduct periodic assessments of authentication logs and password hashes to identify systems still relying on LM hashes.
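
For the periodic audit in step 4, the fixed 16-byte length gives a simple triage rule for exported hash fields. The following is an added Python example, not part of the original article. It assumes a pwdump-style export (`user:rid:lmhash:nthash:::`), uses constructed sample values, and relies on the well-known constant `aad3b435b51404ee`, which is the 8-byte block produced by an all-padding half:

```python
# Added example: triage LM fields from a pwdump-style export.
# Sample lines are constructed; they are not real account hashes.

LM_LEN = 16                                      # two 8-byte DES blocks
EMPTY_HALF = bytes.fromhex("aad3b435b51404ee")   # result for an all-NUL 7-byte half

def classify_lm(hex_field):
    """Classify one LM field as malformed, absent, or stored."""
    try:
        raw = bytes.fromhex(hex_field.strip())
    except ValueError:
        return "malformed"
    if len(raw) != LM_LEN:
        return "malformed"                       # an LM hash is always 16 bytes
    first, second = raw[:8], raw[8:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "no-lm-stored"                    # placeholder: nothing to remediate
    if second == EMPTY_HALF:
        return "lm-stored-short"                 # password was 7 characters or fewer
    return "lm-stored"

def audit(lines):
    """Map each account name to its LM finding."""
    findings = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue                             # not a pwdump-style record
        findings[parts[0]] = classify_lm(parts[2])
    return findings

NT = "00112233445566778899aabbccddeeff"          # constructed filler for the NT field
SAMPLE = [
    "alice:1001:aad3b435b51404eeaad3b435b51404ee:" + NT + ":::",
    "bob:1002:0123456789abcdeffedcba9876543210:" + NT + ":::",
    "carol:1003:0123456789abcdefaad3b435b51404ee:" + NT + ":::",
    "dave:1004:0123456789abcdef:" + NT + ":::",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(f"{user:6} {finding}")
```

Accounts reported as `lm-stored` or `lm-stored-short` are the ones that still need a password change after LM storage is disabled.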

Tools for Detection and Removal

Several open-source and commercial tools can help identify LM hash usage:

  • CrackMapExec – Tests for LM hash vulnerabilities across network assets.
  • Mimikatz – Extracts and analyzes stored hashes, including LM variants.
  • Active Directory Auditing Tools – Identify user accounts with LM hashes still enabled.

Historical Context and Legacy Systems

Understanding why LM hashes persisted for so long provides valuable insight into the evolution of Windows authentication. Introduced in the early 1990s with LAN Manager, the algorithm reflected the computational constraints and security understanding of that era. DES was considered adequate for the time, and the 128-bit key space—though weak by modern standards—represented a reasonable compromise between security and performance on early networking hardware.

Many organizations maintained backward compatibility with LM hashes for decades to support legacy applications and older workstations. This inertia, combined with the complexity of large-scale authentication migrations, meant that LM hashes remained in production environments well into the 2000s. Even today, certain embedded systems or specialized hardware may still rely on LM-based authentication, making awareness of the algorithm relevant for maintenance and security professionals.


Final Thoughts

The LM hash stands as a textbook example of cryptographic designs that were once considered secure but have since become obsolete. Its fixed 16-byte output reflects both the algorithmic choices of its era and the limitations of early computing. For security professionals, recognizing the characteristics of LM hashes—including their predictable length and vulnerability to modern cracking techniques—remains essential for conducting thorough assessments and guiding organizations toward safer authentication practices.

While the LM hash will continue to fade from active use as legacy systems are retired, its study offers enduring lessons about the importance of algorithm agility, proactive migration planning, and the continued evolution of authentication standards to meet emerging threats. By understanding the past, security teams can better prepare for the challenges of tomorrow's authentication landscape.
