CEG3900 Passwords on Windows
Abstract: We describe the password system of Windows briefly.
1 Passwords on a Windows System
Microsoft practices to an extent "security via obscurity," and hence the following information (summarized from discussions on L0phtCrack) may be inaccurate. Also, it is not current.
Windows stores user information including encrypted passwords in the file \Windows\System32\config\SAM. This Security Accounts Manager file is a part of the registry, in a not-so-well-documented binary hash format.
A password is split into two seven-character halves, so effectively, the password is never harder to crack than a seven-character password. Another weakness is that no salt value is used to encrypt each users' password a little differently. Windows NT machine effectively stores two passwords – the NT password, encrypted with the RC4 DES algorithm, and a weaker one, know as an LN, or LANMAN, that can be optionally disabled by a system administrator. The latter passwords are needed for legacy support to interoperate with Windows 95 and 98. Although Microsoft uses DES encryption, the system only scrambles the passwords with the algorithm once, compared to Unix systems, which run 24 iterations of DES on password files to stop brute-force crypto attacks and to slow down dictionary attacks.