Discussion:
NT4 password limited to 14 characters ?
Pascal
2007-07-16 09:24:23 UTC
Hi,

sorry for this "noob" question, but is there a password limit on NT4
SP6a?

Indeed, I am not able to define a password that is more than 14
characters long.

Sometimes I read that the limit is 128 characters and sometimes
that it is 14 characters.

Could someone please help me? :)

Thank you
--
Pascal
S. Pidgorny <MVP>
2007-07-16 10:00:21 UTC
Dare to experiment?
I think Roger mentioned the other day that it can be up to 254 ASCII
characters.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Pascal
2007-07-16 10:14:53 UTC
I have tried to define a password that has more than 14 characters
through the GUI (usrmgr) (and with the command line "net user username
password_15char") but with no success :/

I have also read from Joe Richards that the maximum length was 128
characters but I didn't find anything that confirms this.

It seems that at first the maximum length was 14 characters (some
web pages on the Microsoft website said that) but then they updated the
maximum length (but I didn't find any Microsoft source that confirms
that).

Thank you
--
Pascal
Roger Abell [MVP]
2007-07-17 05:19:20 UTC
Hi Slav,

That is the size for W2k and later if not in Unicode, but it
seems the UI is now all Unicode, hence 127.

NT 4 was much more limited, 14 sounds around right.

Roger
j***@gmail.com
2007-07-16 11:37:20 UTC
Hello Pascal,

The answer lies in how Windows hashes and stores the passwords. There
are three mechanisms: LM (MD4), NTLM hash (MD4), and NTLMv2 (MD5).

LM has a maximum length of 14 characters. It breaks the password up
into two 7 character strings, makes both strings uppercase, and then
hashes the strings. Because of the length and because of the case
insensitivity, LM is very easy to break with brute force tools.

NTLM also has a maximum length of 14 characters. It hashes the
password as one 14 character chunk and does not change the characters
to uppercase. It is a little better than LM.

NTLMv2 has a maximum length of 127 Unicode characters or 254 ASCII
characters. Most systems use Unicode to support international
character sets, and thus 127 is the number you will see most often.

Windows NT4 will use either NTLM or NTLMv2. If at all possible in your
environment, set it to only use NTLMv2 (see 147706). Using "Net User"
may still default to 14 characters because the utility may not
recognize the change. Usrmgr should be fine, however.

Hope that helps,

J Wolfgang Goerlich


Microsoft Article 147706, How to disable LM authentication on Windows
NT
http://support.microsoft.com/kb/147706
Pascal
2007-07-16 12:42:32 UTC
Hello,

thank you for your answer.

I have already tried to change the LMCompatibilityLevel to 4 (refuse LM)
and 5 (refuse LM and NTLM) but with no success.

There is a GUI limitation on USRMGR that will not show me more than 14
characters.
So I tried to change the password through net user, DameWare NT
Utilities or through a 2k client member of the domain but with no
success (System error 2245).

It's quite annoying for us because we have a password synchronization
process from AD to NT and because of this limitation users can't define
a long password in Active Directory too.

Thank you for your help
--
Pascal
John John
2007-07-16 12:56:19 UTC
Not sure, maybe this can help:

Active Directory Extension for Windows NT 4.0
http://www.microsoft.com/downloads/details.aspx?FamilyID=7c219dcc-ec00-4c98-ba61-fd98467952a8&DisplayLang=en

John
Pascal
2007-07-16 13:56:58 UTC
Hi John,

I am not sure this will help as my PDC is a PDC :D And then not a
member of any Active Directory domain.

Thank you
--
Pascal
j***@gmail.com
2007-07-16 17:24:47 UTC
Regarding LMCompatibilityLevel, have you set it on the domain
controller and on the workstation?

Interesting that Usrmgr will not do more than 14 characters. I had
thought I used it in the past to get around this issue; I must have
been mistaken.

Using the Windows 2000 client to set the password will likely be your
workaround, then. The system error points to the password not meeting
the password policy requirements. Providing both the PDC and the
client computer are set up for NTLMv2, try to raise the minimum
password length to something greater than 14 characters. This might
tell us something.

Regards,

J Wolfgang Goerlich


Password and Account Policies
http://www.microsoft.com/technet/archive/winntas/deploy/confeat/05wntpcb.mspx?mfr=true
George Valkov
2007-07-16 18:57:24 UTC
"Pascal" wrote:
| Hello,
|
| thank you for your answer.
|
| I have already tried to change the LMCompatibiltyLevel to 4 (refuse LM)
| and 5 (refuse LM and NTLM) but with no success.
|
| There is a GUI limitation on USRMGR that will not show me more than 14
| characters.
| So I tried to change the password through net users, dameware nt
| utilities or through a 2k client member of the domain but with no
| success.(System error 2245)

Error lookup: 2245
{
The password does not meet the password policy requirements. Check the
minimum password length, password complexity and password history
requirements.
}
Try a more complex password like this:
aBcD1234.$#~9012@!-+789

| It's quite annoying for us because we have a password synchronization
| process from AD to NT and because of this limitation users can't define
| a long password in Active Directory too.
|
| Thank you for your help
j***@gmail.com
2007-07-16 20:29:38 UTC
OT but I must say: I like your style, George.
Post by George Valkov
Error lookup: 2245
{
The password does not meet the password policy requirements. Check the
minimum password length, password complexity and password history
requirements.}
Pascal
2007-07-17 09:15:10 UTC
Here is what I did, just to be sure that it is the right method to
disable LM hash :
On my PDC (NT4 Sp6a),

I have created a DWORD value (LMCompatibilityLevel) on
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
with Value = 5 (Refuse LM and NTLM)

and

NtlmMinServerSec and NtlmMinClientSec (DWORD) on MSV1_0 with 0 as
value.

Then I have restarted the PDC.

When I try to change the password from usrmgr, DameWare NT Utilities or
through a 2000 workstation, I always have an error saying that the
password does not meet the password policy requirements but it's false
:D

If I set "12345678901234" as password it works.
If I set "123456789012345" I have the message quoted above. (Same issue
with a real complex password like ***@shP@ssw0rd! )

This is quite strange because I have never really seen people
complaining about this limitation.

Thank you
--
Pascal
S. Pidgorny <MVP>
2007-07-18 09:44:06 UTC
Here's some facts about lmcompatibilitylevel:

http://www.microsoft.com/technet/technetmag/issues/2006/08/SecurityWatch/default.aspx
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Pascal
2007-07-18 12:01:40 UTC
Thank you Svyatoslav.

I have read the article but nothing permits me to conclude that we
cannot set up a password that has more than 14 characters :-/

But it is written that NT4 Sp6 supports NTLMv2.

So ... :D

P.S: I have made a new test where I forced my 2k client (SP4) to use
only NTLMv2 method (lmcompatibilitylevel to 3) while the
LMcompatibility level was at 5 on my PDC NT4 Sp6.
But the problem remains when I try to change the password through my
win2k client.

Thanks guys
--
Pascal
S. Pidgorny <MVP>
2007-07-19 11:31:04 UTC
We share the inconclusion.
NT allows long passwords - but those aren't always effectively used.
Sometimes, depending on the setting, only part of the password is used. I
think this is the truth.
Now do experiment please.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Pascal
2007-07-23 08:34:41 UTC
Hi,

sorry for my poor English but what does "Do experiment" mean please?
:D Does it mean "make some tests"?

Because it is what I already did with no success :D

It doesn't seem that NT allows long passwords if we try to set them up
via usrmgr, DameWare or the net user command

Thanks
--
Pascal
S. Pidgorny <MVP>
2007-07-25 09:35:10 UTC
What I'd do is set up an extra long password on a Windows 2003 domain
controller and authenticate using NT - resulting in local cached
credentials; then I'd try to log on with any other password :)

Alternatively, I'd use Windows 2003 tools to manage NT system. This is just
to avoid the UI limitations that some tools may have.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Pascal
2007-07-25 10:54:43 UTC
Hi,

Yes I have already tried that but with no success (bouhoouhooou :D).

I have also tried to change the password through a 2000 client member
of the domain (so without the UI limitation) but the problem remains.

It's really an NT4 limitation but what is strange is that we don't find
anywhere on the Microsoft website a sentence saying "You can't set up a
password of more than 14 characters".

Thanks for your help !
--
Pascal
S. Pidgorny <MVP>
2007-07-31 11:44:10 UTC
And you won't be able to. Microsoft is long past caring about NT and so
should you. It is okay to run it only in isolated environments e.g. those
not requiring password complexity. Think of cash machines.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Steve Riley [MSFT]
2007-07-22 03:10:22 UTC
There are two hashes:
* LM
* NT

There are four authentication methods:
* LM
* NTLM
* NTLMv2
* Kerberos

Here's how they relate:
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash

(It's incorrect to say "NTLM" or "NTLMv2" hash.)

LM hashes (and it's really a stretch to call them "hashes") are generated
only if both of these are true:
* You haven't disabled LM hash generation
* Your password length is 14 characters or less

In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.

If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.

Steve Riley
***@microsoft.com
http://blogs.technet.com/steriley
j***@gmail.com
2007-07-23 11:41:56 UTC
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?

J Wolfgang Goerlich
Post by Steve Riley [MSFT]
* LM
* NT
* LM
* NTLM
* NTLMv2
* Kerberos
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash
(It's incorrect to say "NTLM" or "NTLMv2" hash.)
LM hashes (and it's really a stretch to call them "hashes") are generated
* You haven't disabled LM hash generation
* Your password length is 14 characters or less
In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.
If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.
Steve Riley
Steve Riley [MSFT]
2007-07-24 01:51:29 UTC
Permalink
The practical matter is, you don't.

And I gotta say this--that NT 4 domain should be upgraded to Windows Server
2003 as soon as possible. NT 4 support ended a very long time ago.

Steve Riley
***@microsoft.com
http://blogs.technet.com/steriley
Post by j***@gmail.com
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?
J Wolfgang Goerlich
Post by Steve Riley [MSFT]
* LM
* NT
* LM
* NTLM
* NTLMv2
* Kerberos
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash
(It's incorrect to say "NTLM" or "NTLMv2" hash.)
LM hashes (and it's really a stretch to call them "hashes") are generated
* You haven't disabled LM hash generation
* Your password length is 14 characters or less
In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.
If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.
Steve Riley
Pascal
2007-07-24 08:56:08 UTC
Permalink
Hello Steve,

thanks a lot for your answer.

Actually it is not possible for this company to upgrade the NT4 domain
to AD 2003.
It is the reason we are using MIIS for password synchronization between
AD (2003) to NT.

If I have well understood, it is technically possible to bypass this
limitation (of password length) but it is never used ? (sorry for my
poor English :D)

The "big" problem of this situation is that we have to communicate to
users that they have to set up a password with a minimal password
length of 9 characters AND a maximum password length of 14 :-(

I have already read that it is a GUI limitation of usrmgr but I have
also tried to set up the password through the net user command and
through a Windows 2000 SP4 member of the NT4 domain but with no
success.

Even if in the practical matter we don't set up such passwords, could
you let me know how we can set up them please ? :)

Thanks a lot
Post by Steve Riley [MSFT]
The practical matter is, you don't.
And I gotta say this--that NT 4 domain should be upgraded to Windows Server
2003 as soon as possible. NT 4 support ended a very long time ago.
Steve Riley
http://blogs.technet.com/steriley
Post by j***@gmail.com
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?
J Wolfgang Goerlich
Post by Steve Riley [MSFT]
* LM
* NT
* LM
* NTLM
* NTLMv2
* Kerberos
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash
(It's incorrect to say "NTLM" or "NTLMv2" hash.)
LM hashes (and it's really a stretch to call them "hashes") are generated
* You haven't disabled LM hash generation
* Your password length is 14 characters or less
In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.
If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.
Steve Riley
--
Pascal
Pascal
2007-07-24 09:46:10 UTC
Permalink
Another thing...

I have configured the LMCompatibilityLevel to 5 on my NT4 PDC.

Then I have changed my password through usrmgr to a classic password
just for testing that the LM hash is not yet used.

I have dumped my SAM and I can see that LM hash is still generated for
that user !

I have missed something again ? :D

Thank you
Post by Pascal
Hello Steve,
thanks a lot for your answer.
Actually it is not possible for this company to upgrade the NT4 domain to AD
2003.
It is the reason we are using MIIS for password synchronization between AD
(2003) to NT.
If I have well understood, it is technically possible to bypass this
limitation (of password length) but it is never used ? (sorry for my poor
English :D)
The "big" problem of this situation is that we have to communicate to users
that they have to set up a password with a minimal password length of 9
characters AND a maximum password length of 14 :-(
I have already read that it is a GUI limitation of usrmgr but I have also
tried to set up the password through the net user command and through a
Windows 2000 SP4 member of the NT4 domain but with no success.
Even if in the practical matter we don't set up such passwords, could you let
me know how we can set up them please ? :)
Thanks a lot
Post by Steve Riley [MSFT]
The practical matter is, you don't.
And I gotta say this--that NT 4 domain should be upgraded to Windows Server
2003 as soon as possible. NT 4 support ended a very long time ago.
Steve Riley
http://blogs.technet.com/steriley
Post by j***@gmail.com
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?
J Wolfgang Goerlich
Post by Steve Riley [MSFT]
* LM
* NT
* LM
* NTLM
* NTLMv2
* Kerberos
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash
(It's incorrect to say "NTLM" or "NTLMv2" hash.)
LM hashes (and it's really a stretch to call them "hashes") are generated
* You haven't disabled LM hash generation
* Your password length is 14 characters or less
In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.
If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.
Steve Riley
--
Pascal
Pascal
2007-07-24 10:45:11 UTC
Permalink
Me again,

please tell me if I have well understood :D

It is not possible to disable the LM Hash on an NT4 computer (the
NoLMHash key is supported only since Windows 2000 SP2).

The LmCompatibilityLevel is used only to modify the authentication
method not the hashes method, right ?

Now, if I am right with what I said above, why is it possible to define
an LMCompatibilityLevel to 5 (means only NTLMv2 authentication method)
if the NT4 does not support it ? (because when I dumped the SAM of my
PDC, I have only LM hash stored).

Even if I think I will finally bypass the problem by limiting the
password synchronization through MIIS only for specific users (that
will limit only those users with a 14 characters password length), I
really would like to understand how does it work on NT4 :)

Thank you
Post by Pascal
Another thing...
I have configured the LMCompatibilityLevel to 5 on my NT4 PDC.
Then I have changed my password through usrmgr to a classic password just for
testing that the LM hash is not yet used.
I have dumped my SAM and I can see that LM hash is still generated for that
user !
I have missed something again ? :D
Thank you
Post by Pascal
Hello Steve,
thanks a lot for your answer.
Actually it is not possible for this company to upgrade the NT4 domain to
AD 2003.
It is the reason we are using MIIS for password synchronization between AD
(2003) to NT.
If I have well understood, it is technically possible to bypass this
limitation (of password length) but it is never used ? (sorry for my poor
English :D)
The "big" problem of this situation is that we have to communicate to users
that they have to set up a password with a minimal password length of 9
characters AND a maximum password length of 14 :-(
I have already read that it is a GUI limitation of usrmgr but I have also
tried to set up the password through the net user command and through a
Windows 2000 SP4 member of the NT4 domain but with no success.
Even if in the practical matter we don't set up such passwords, could you
let me know how we can set up them please ? :)
Thanks a lot
Post by Steve Riley [MSFT]
The practical matter is, you don't.
And I gotta say this--that NT 4 domain should be upgraded to Windows
Server 2003 as soon as possible. NT 4 support ended a very long time ago.
Steve Riley
http://blogs.technet.com/steriley
Post by j***@gmail.com
Fair enough. That still begs the question: how does Pascal, the OP,
enable passwords of more than 14 characters on a Windows NT4 domain?
J Wolfgang Goerlich
Post by Steve Riley [MSFT]
* LM
* NT
* LM
* NTLM
* NTLMv2
* Kerberos
* LM authentication uses the LM hash
* NTLM, NTLMv2, and Kerberos all use the NT hash
(It's incorrect to say "NTLM" or "NTLMv2" hash.)
LM hashes (and it's really a stretch to call them "hashes") are generated
* You haven't disabled LM hash generation
* Your password length is 14 characters or less
In NT 4.0, the User Manager wouldn't permit you to enter a password longer
than 14 characters. Windows 2000 and higher permit entering a password up to
127 characters; the actual maximum length is 255 characters.
If, however, you meet a certain, ah, esoteric set of requirements, your
minimum length must be at least 18,770 characters. :) Actually, that's a UI
bug described in http://support.microsoft.com/kb/q276304/. Still, it's
funny.
Steve Riley
--
Pascal
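
The check Pascal describes in the two posts above (dumping the SAM to see whether an LM hash is still stored after setting LMCompatibilityLevel to 5), as an added example that is not part of the thread. It assumes the dump is in pwdump-style `user:RID:LM:NT:::` lines, which the thread does not specify; the function names, sample lines and hash values are constructed for illustration.

```python
# Added example: audit pwdump-style lines for accounts that still carry an LM hash.
# Assumption: input is "user:RID:LMhash:NThash:::" text; the thread names no dump tool.

# LM value of an empty 7-character half. A field made of two such halves means
# no usable LM hash is stored (or the password is blank).
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample lines; the hash values are made up, not taken from a real SAM.
SAMPLE_DUMP = """\
alice:1001:0123456789abcdef0123456789abcdef:00112233445566778899aabbccddeeff:::
bob:1002:fedcba9876543210aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
dave:1004:NO PASSWORD*********************:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""


def classify_lm(lm_field):
    """Classify the LM column of one dump line."""
    lm = lm_field.strip().lower()
    # Some dump tools print a placeholder instead of the empty-LM constant.
    if lm.startswith("no password") or lm == EMPTY_LM_HALF * 2:
        return "no-lm-hash"
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return "malformed"
    # LM hashes each 7-character half separately, so an empty second half
    # shows the password fits entirely in the first half.
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-stored-7-or-fewer"
    return "lm-stored-8-to-14"


def audit(dump_text):
    """Return {username: classification} for every well-formed line."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a pwdump-style record
        findings[parts[0]] = classify_lm(parts[2])
    return findings


if __name__ == "__main__":
    for user, status in audit(SAMPLE_DUMP).items():
        print(f"{user:8} {status}")
```

Any result other than `no-lm-hash` after a password change means the LM hash is still being written for that account, whatever authentication level is configured.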