lanman password question

Andrew Tridgell tridge at
Tue Mar 10 04:00:06 GMT 1998


> I've got a quick question about LanManager passwords.  Probably one of you
> knows this and could tell me a lot faster than it will take me to confirm
> it.  Can a LanManager password consist of all printable ASCII characters
> from 32 (space) to 126 (~), with the exception of the fact that it
> uppercases all alphabetic characters, or does it prevent you from using
> some of the punctuation characters.

The protocol itself supports a wide range of characters, but just try
and see which ones can be typed into the "change password"
dialog. The problem is a GUI one, not a protocol problem (apart from
the silly uppercasing).

> I'm trying to determine the actual size of the LanMan keyspace.  Right now
> I'm assuming that you can use 126 - 32 - 26 + 1 (for the null byte that
> means "blank") = 69 chars.  Since the LanMan password can be 14 chars
> long, this gives us 69^14 possible passwords.  Is this the size, or is it
> even smaller? 

much smaller. You'll find the dialog only accepts a small range of

Also note that for decryption purposes the power isn't 14, it is
7. The reason is that the two halves of the password (each 7
characters) are encrypted separately and then just concatenated
together. Very silly!

It comes out somewhere like 35^7 if you take these two considerations
into account. That's why it is attackable with brute force (see the
L0pht code). With a bit of compression and smart encoding you could
probably fit a complete inverse map on a large disk.

Cheers, Andrew

More information about the samba-technical mailing list