So the Hak5 folks have produced complete hash tables for the LM version of the password hash used by Windows, and the tables are good for all valid characters that can be used in an LM password for the 1-7 password length. The “1-7 characters” part might make it sound like your hash is safe if it’s of a password that is 11 characters long, BUT (as you may or may not know) you only need 1-7 length tables to crack 1-14 character length LM password hashes because of errm . . . well . . . a weakness in the way the LM hash is computed that allows one to attack the hash by breaking it into its two 7 character chunks . . . (each chunk covering up to 7 characters). So I believe that you can actually use a 1-7 character set of tables to attack the two halves of the password hash and derive a full 14 character password.
So is this “big news”? Well . . . not really . . . and sort of. 🙂 Pre-computed hash tables for various types of hashes have been available both as a web service and for sale on DVDs for quite some time from places like this. You obviously have to pay to play with those hash tables, and they are largely incomplete (for the NT hashes). The complete LM hash rainbow table has been available for sale for a while, but this is the first one I’ve seen that is both complete and free – so in that sense – it’s somewhat newsworthy on a slow news week. 🙂
Do folks really need another reason to disable the storage of the LM hash these days?
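
To see which accounts are still exposed this way, the following added example (not code from the original post or from Hak5) splits each LM hash into its two independent halves and reports what the stored value gives away. It assumes a pwdump-style export with the layout `user:rid:lm:nt:::`; the sample lines and their hash values are constructed, apart from the well-known empty-half constant `aad3b435b51404ee`.

```python
# Added example: flag accounts in a pwdump-style export that still carry an LM hash.
EMPTY_HALF = "aad3b435b51404ee"  # LM output for an all-zero (empty) 7-byte half

# Constructed sample (assumed layout user:rid:lm:nt:::). The hash values are
# made up, apart from the well-known empty-LM constant on carol's line.
SAMPLE = """\
alice:1001:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
bob:1002:89abcdef01234567aad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
carol:1003:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
"""


def split_lm(lm_hex):
    """Return the two independent 8-byte halves of a 16-byte LM hash."""
    lm_hex = lm_hex.strip().lower()
    if len(lm_hex) != 32 or any(c not in "0123456789abcdef" for c in lm_hex):
        raise ValueError("not a 32-hex-digit LM hash: %r" % lm_hex)
    return lm_hex[:16], lm_hex[16:]


def classify(lm_hex):
    """Describe what a stored LM value exposes, judged from its halves alone."""
    first, second = split_lm(lm_hex)
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "no LM hash stored (or blank password)"
    if second == EMPTY_HALF:
        return "LM stored, password is 7 characters or fewer"
    return "LM stored, password is 8 to 14 characters"


def audit(text):
    """Map each account name to its LM exposure; skip malformed lines."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            findings[fields[0]] = classify(fields[2])
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print("%-6s %s" % (user, finding))
```

Accounts reported as "LM stored" keep that hash until the password is next changed, even after LM storage has been disabled.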