5.1 Authentication Protocols

5.1.1 LAN Manager

LAN Manager uses a two-part, 32-bit password hash. The first seven bits make up the first part of the hash; the last seven characters make up the second part of the hash (thus, the 14-character maximum password size). Consequently, if you have a seven-character password, the second 16 characters of the password hash are the same as the first 16 characters, revealing to an attacker that the password is only seven characters.
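The split structure described above can be checked for during a password audit. The following is an added example, not code from the original page. It assumes pwdump-style input lines (`user:rid:lmhash:nthash:::`) and the well-known value `aad3b435b51404ee` that LM yields for a seven-character half that is all padding, neither of which is given on the page; the sample hashes are constructed.

```python
import re

# Assumption (not stated on the page): LM yields this value for a
# seven-character half that consists only of padding.
EMPTY_HALF = "aad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def classify_lm(lm_hex):
    """Classify one LM hash given as 32 hex characters."""
    h = lm_hex.strip().lower()
    if not HEX32.match(h):
        return "invalid"
    first, second = h[:16], h[16:]  # each half is derived independently
    if first == EMPTY_HALF and second == EMPTY_HALF:
        return "blank-or-not-stored"
    if second == EMPTY_HALF:
        return "seven-or-fewer-characters"
    if first == second:
        return "repeated-seven-character-block"
    return "eight-to-fourteen-characters"

def audit(lines):
    """Map each user in pwdump-style lines to the class of its LM hash."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # A line without an LM field is reported rather than silently dropped.
        report[fields[0]] = classify_lm(fields[2]) if len(fields) >= 4 else "invalid"
    return report

# Constructed sample: hex values other than EMPTY_HALF are made up.
NT = "0" * 32  # placeholder NT hash field
SAMPLE = [
    "# user:rid:lmhash:nthash:::",
    f"alice:1001:0123456789abcdef{EMPTY_HALF}:{NT}:::",
    f"bob:1002:0123456789abcdeffedcba9876543210:{NT}:::",
    f"carol:1003:{EMPTY_HALF}{EMPTY_HALF}:{NT}:::",
    f"dave:1004:11223344556677881122334455667788:{NT}:::",
    "erin:1005",
]

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE).items():
        print(f"{user:8} {verdict}")
```

Accounts reported as `seven-or-fewer-characters` or `repeated-seven-character-block` are candidates for a forced password change and for disabling LM hash storage.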

5.1.2 NT LAN Manager (NTLM)

This is a more secure challenge-response authentication protocol than LAN Manager. It uses 56-bit encryption for protocol security and stores passwords as an NT hash. Windows NT 4.0 Service Pack 3 (SP3) and earlier clients use this protocol.

NTLMv2 uses 128-bit encryption and is used for machines running NT 4.0 SP4 and later. This is the most secure challenge-response authentication available.

5.1.3 Kerberos

Kerberos is a trusted third-party authentication system based on the Needham-Schroeder model. For more information, refer to section 1.1 of RFC 4120 for a description of the terms principal, Authentication Service (AS), Ticket Granting Service (TGS), Ticket Granting Ticket (TGT), and service ticket (STKT).