lanman password question
tridge at samba.anu.edu.au
Tue Mar 10 04:00:06 GMT 1998
> I've got a quick question about LanManager passwords. Probably one of you
> knows this and could tell me a lot faster than it will take me to confirm
> it. Can a LanManager password consist of all printable ASCII characters
> from 32 (space) to 126 (~), with the exception of the fact that it
> uppercases all alphabetic characters, or does it prevent you from using
> some of the punctuation characters.
The protocol itself supports a wide range of characters, but just try
and see which ones can be typed into the "change password"
dialog. The problem is a GUI one, not a protocol problem (apart from
the silly uppercasing).
> I'm trying to determine the actual size of the LanMan keyspace. Right now
> I'm assuming that you can use 126 - 32 - 26 + 1 (for the null byte that
> means "blank") = 69 chars. Since the LanMan password can be 14 chars
> long, this gives us 69^14 possible passwords. Is this the size, or is it
> even smaller?
Much smaller. You'll find the dialog only accepts a small range of
Also note that for decryption purposes the power isn't 14, it is
7. The reason is that the two halves of the password (each 7
characters) are encrypted separately and then just concatenated
together. Very silly!
It comes out somewhere like 35^7 if you take these two considerations
into account. That's why it is attackable with brute force (see the
L0pht code). With a bit of compression and smart encoding you could
probably fit a complete inverse map on a large disk.
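
Added example, not part of the original message: a Python sketch of why the exponent is 7 rather than 14, useful when auditing whether LanMan hashes can safely stay enabled. It models only the uppercasing, NUL padding and 7/7 split described in the thread, not the encryption itself; the function names and sample passwords are constructed for illustration.

```python
import math

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Split a password into the two 7-byte blocks LanMan encrypts separately."""
    # Uppercase, truncate to 14 bytes, pad short passwords with NUL bytes.
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def second_half_blank(password: str) -> bool:
    """True when the second block is pure padding (password of 7 chars or fewer)."""
    return lm_halves(password)[1] == b"\x00" * 7

def search_bits(alphabet: int, length: int) -> float:
    """log2 of alphabet**length: the exhaustive-search space in bits."""
    return length * math.log2(alphabet)

def report(alphabet: int) -> dict:
    """Compare the strength a 14-char password appears to have with what it has."""
    per_half = alphabet ** 7
    return {
        "assumed_bits": round(search_bits(alphabet, 14), 1),  # if hashed as one unit
        "actual_bits": round(search_bits(alphabet, 7), 1),    # halves are independent
        "candidates_per_half": per_half,
        # Assumption: naive uncompressed map, one 8-byte DES output block
        # plus 7 plaintext bytes per entry.
        "raw_map_bytes": per_half * 15,
    }

if __name__ == "__main__":
    for pw in ("secret", "Passw0rd", "CorrectHorse14"):  # constructed samples
        print(pw, lm_halves(pw), second_half_blank(pw))
    for n in (69, 35):  # alphabet sizes quoted in the thread
        print(n, report(n))
```

Because both halves go through the same unsalted function, a single pass over the per-half candidates covers both blocks of every stored hash, so a long password gains nothing beyond its weaker 7-character half.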