# LAN Manager

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/LAN_Manager
> Markdown URL: https://mediated.wiki/source/LAN_Manager.md
> Source: https://en.wikipedia.org/wiki/LAN_Manager
> Source revision: 1315227551
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Microsoft network operating system

Operating system

LAN Manager Developer Microsoft, 3Com OS family OS/2 Working state Discontinued Source model Closed source Initial release 1987; 39 years ago (1987) Final release 2.2a / 1994; 32 years ago (1994) Marketing target Local area networking Update method Re-installation Package manager None Supported platforms x86 License Proprietary Preceded by MS-Net, Xenix-NET, 3+Share Succeeded by Microsoft Windows NT 3.1

**LAN Manager** is a discontinued [network operating system](/source/Network_operating_system) (NOS) available from multiple vendors and developed by [Microsoft](/source/Microsoft) in cooperation with [3Com Corporation](/source/3Com). It was designed to succeed 3Com's [3+Share](/source/3%2BShare) [network server](/source/Server_(computing)) software which ran atop a heavily modified version of [MS-DOS](/source/MS-DOS).

## History

The LAN Manager [OS/2](/source/OS%2F2) operating system was co-developed by [IBM](/source/IBM) and [Microsoft](/source/Microsoft), using the [Server Message Block](/source/Server_Message_Block) (SMB) protocol. It originally used SMB atop either the [NetBIOS Frames](/source/NetBIOS_Frames) (NBF) protocol or a specialized version of the [Xerox Network Systems](/source/Xerox_Network_Systems) (XNS) protocol. These legacy protocols had been inherited from previous products such as [MS-Net](/source/MS-Net) for [MS-DOS](/source/MS-DOS), [Xenix-NET](https://en.wikipedia.org/w/index.php?title=Xenix-NET&action=edit&redlink=1) for [MS-Xenix](/source/Xenix), and the afore-mentioned 3+Share. A version of LAN Manager for Unix-based systems called **LAN Manager/X** was also available. LAN Manager/X was the basis for [Digital Equipment Corporation](/source/Digital_Equipment_Corporation)'s [Pathworks](/source/Pathworks) product for [OpenVMS](/source/OpenVMS), [Ultrix](/source/Ultrix) and [Tru64](/source/Tru64).[1]

Despite support from 3Com, IBM, Digital, and [Digital Communications Associates](/source/Digital_Communications_Associates), *[PC](/source/PC_(magazine))* wrote in 1989, LAN Manager "has made a very small impression on the market and continues to receive the cold shoulder from buyers" compared to [Novell NetWare](/source/Novell_NetWare). The combined companies "pose a strong potential threat", however, the magazine added.[2] In 1990, Microsoft announced LAN Manager 2.0 with a host of improvements, including support for [TCP/IP](/source/TCP%2FIP) as a transport protocol for SMB, using [NetBIOS over TCP/IP](/source/NetBIOS_over_TCP%2FIP) (NBT). The last version of LAN Manager, 2.2, which included an MS-OS/2 1.31 base operating system, remained Microsoft's strategic server system until the release of [Windows NT Advanced Server](/source/Windows_NT_3.1) in 1993.[3]

### Versions

- 1987 – MS LAN Manager 1.0 (Basic/Enhanced)

- 1989 – MS LAN Manager 1.1

- 1991 – MS LAN Manager 2.0

- 1992 – MS LAN Manager 2.1

- 1992 – MS LAN Manager 2.1a

- 1993 – MS LAN Manager 2.2

- 1994 – MS LAN Manager 2.2a

Many vendors shipped licensed versions, including:

- [3Com Corporation](/source/3Com) [3+Open](/source/3%2BOpen)

- [HP LAN Manager/X](https://en.wikipedia.org/w/index.php?title=HP_LAN_Manager/X&action=edit&redlink=1)

- [IBM LAN Server](/source/IBM_LAN_Server)

- [Tapestry Torus](https://en.wikipedia.org/w/index.php?title=Tapestry_Torus&action=edit&redlink=1)

- [The Santa Cruz Operation](/source/Santa_Cruz_Operation)

## Password hashing algorithm

The LM hash is computed as follows:[4][5]

1. The user's password is restricted to a maximum of fourteen characters.[Notes 1]

1. The user's password is converted to [uppercase](/source/Uppercase).

1. The user's password is encoded in the System OEM [code page](/source/Code_page).[6]

1. This password is NULL-padded to 14 bytes.[7]

1. The “fixed-length” password is split into two 7-byte halves.

1. These values are used to create two [DES](/source/Data_Encryption_Standard) keys, one from each 7-byte half, by converting the seven bytes into a bit stream with the [most significant bit](/source/Most_significant_bit) first, and inserting a [parity bit](/source/Parity_bit) after every seven bits (so 1010100 becomes 10101000). This generates the 64 bits needed for a DES key. (A DES key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. The parity bits added in this step are later discarded.)

1. Each of the two keys is used to DES-encrypt the constant [ASCII](/source/ASCII) string “KGS!@#$%”,[Notes 2] resulting in two 8-byte ciphertext values. The DES CipherMode should be set to [ECB](/source/Block_cipher_mode_of_operation#Electronic_codebook_(ECB)), and PaddingMode should be set to NONE.

1. These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash.

## Security weaknesses

LAN Manager authentication uses a particularly weak method of [hashing](/source/Cryptographic_hash_function) a user's [password](/source/Password) known as the LM hash algorithm, stemming from the mid-1980s when viruses transmitted by floppy disks were the major concern.[8] Although it is based on [DES](/source/Data_Encryption_Standard), a well-studied [block cipher](/source/Block_cipher), the LM hash has several weaknesses in its design.[9] This makes such hashes crackable in a matter of seconds using [rainbow tables](/source/Rainbow_table), or in a few minutes using [brute force](/source/Brute-force_attack). Starting with [Windows NT](/source/Windows_NT), it was replaced by [NTLM](/source/NTLM), which is still vulnerable to rainbow tables, and brute force attacks unless long, unpredictable passwords are used, see [password cracking](/source/Password_cracking). NTLM is used for logon with local accounts except on domain controllers since Windows Vista and later versions no longer maintain the LM hash by default.[8] [Kerberos](/source/Kerberos_(protocol)) is used in Active Directory Environments.

The major weaknesses of LAN Manager authentication protocol are:[10]

1. Password length is limited to a maximum of 14 characters chosen from the [95 ASCII printable characters](/source/ASCII#ASCII_printable_characters).

1. Passwords are not case sensitive. All passwords are converted into uppercase before generating the hash value. Hence LM hash treats PassWord, password, PaSsWoRd, PASSword and other similar combinations same as PASSWORD. This practice effectively reduces the LM hash [key space](/source/Key_space_(cryptography)) to 69 characters.

1. A 14-character password is broken into 7+7 characters and the hash is calculated for each half separately. This way of calculating the hash makes it dramatically easier to crack, as the attacker only needs to [brute-force](/source/Brute-force_attack) 7 characters twice instead of the full 14 characters. This makes the effective strength of a 14-character password equal to only 2 × 69 7 ≈ 2 44 {\displaystyle 2\times 69^{7}\approx 2^{44}} , or twice that of a 7-character password, which is 3.7 trillion times less complex than the 69 14 ≈ 2 86 {\displaystyle 69^{14}\approx 2^{86}} theoretical strength of a 14-character single-case password. As of 2020, a computer equipped with a high-end [graphics processor](/source/Graphics_processor) (GPUs) can compute 40 billion LM-hashes per second.[11] At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character [alphanumeric](/source/Alphanumeric) passwords can be tested and broken in 2 seconds.

1. If the password is 7 characters or less, then the second half of hash will always produce same constant value (0xAAD3B435B51404EE). Therefore, a password is less than or equal to 7 characters long can be identified visibly without using tools (though with high speed GPU attacks, this matters less).

1. The hash value is sent to network servers without [salting](/source/Salt_(cryptography)), making it susceptible to [man-in-the-middle attacks](/source/Man-in-the-middle_attack) such as [replay the hash](/source/Pass_the_hash). Without salt, [time–memory tradeoff](/source/Time%E2%80%93memory_tradeoff) [pre-computed dictionary attacks](/source/Pre-computed_dictionary_attack), such as a [rainbow table](/source/Rainbow_table), are feasible. In 2003, [Ophcrack](/source/Ophcrack), an implementation of the rainbow table technique, was published. It specifically targets the weaknesses of LM encryption, and includes pre-computed data sufficient to crack virtually all alphanumeric LM hashes in a few seconds. Many cracking tools, such as [RainbowCrack](/source/RainbowCrack), [Hashcat](/source/Hashcat), [L0phtCrack](/source/L0phtCrack) and [Cain](/source/Cain_(software)), now incorporate similar attacks and make cracking of LM hashes fast and trivial.

## Workarounds

To address the security weaknesses inherent in LM encryption and authentication schemes, Microsoft introduced the [NTLMv1](/source/NTLMv1) protocol in 1993 with [Windows NT 3.1](/source/Windows_NT_3.1). For hashing, NTLM uses [Unicode](/source/Unicode) support, replacing LMhash=DESeach(DOSCHARSET(UPPERCASE(password)), "KGS!@#$%") by NThash=[MD4](/source/MD4)([UTF-16](/source/UTF-16)-LE(password)), which does not require any padding or truncating that would simplify the key. On the negative side, the same DES algorithm was used with only [56-bit encryption](/source/56-bit_encryption) for the subsequent authentication steps, and there is still no salting. Furthermore, Windows machines were for many years configured by default to send and accept responses derived from both the LM hash and the NTLM hash, so the use of the NTLM hash provided no additional security while the weaker hash was still present. It also took time for artificial restrictions on password length in management tools such as User Manager to be lifted.

While LAN Manager is considered obsolete and current Windows operating systems use the stronger NTLMv2 or [Kerberos](/source/Kerberos_(protocol)) authentication methods, Windows systems before [Windows Vista](/source/Windows_Vista)/[Windows Server 2008](/source/Windows_Server_2008) enabled the LAN Manager hash by default for [backward compatibility](/source/Backward_compatibility) with legacy LAN Manager and [Windows ME](/source/Windows_ME) or earlier clients, or legacy [NetBIOS](/source/NetBIOS)-enabled applications. It has for many years been considered good security practice to disable the compromised LM and NTLMv1 authentication protocols where they aren't needed.[12] Starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default; the feature can be enabled for local accounts via a security policy setting, and for [Active Directory](/source/Active_Directory) accounts by applying the same setting via domain [Group Policy](/source/Group_Policy). The same method can be used to turn the feature off in Windows 2000, Windows XP and NT.[12] Users can also prevent a LM hash from being generated for their own password by using a password at least fifteen characters in length.[7]—NTLM hashes have in turn become vulnerable in recent years to various attacks that effectively make them as weak today as LanMan hashes were back in 1998.[*[citation needed](https://en.wikipedia.org/wiki/Wikipedia:Citation_needed)*]

## Reasons for continued use of LM hash

Many legacy third party [SMB](/source/Server_Message_Block) implementations have taken considerable time to add support for the stronger protocols that Microsoft has created to replace LM hashing because the [open source](/source/Open-source_software) communities supporting these libraries first had to [reverse engineer](/source/Reverse_engineering) the newer protocols—[Samba](/source/Samba_(software)) took 5 years to add [NTLMv2](/source/NTLMv2) support, while JCIFS took 10 years.

Availability of NTLM protocols to replace LM authentication Product NTLMv1 support NTLMv2 support Windows NT 3.1 RTM (1993) Not supported Windows NT 3.5 RTM (1994) Not supported Windows NT 3.51 RTM (1995) Not supported Windows NT 4 RTM (1996) Service Pack 4[13] (October 25, 1998) Windows 95 Not supported Directory services client (released with Windows 2000 Server, February 17, 2000) Windows 98 RTM Directory services client (released with Windows 2000 Server, February 17, 2000) Windows 2000 RTM (February 17, 2000) RTM (February 17, 2000) Windows Me RTM (September 14, 2000) Directory services client (released with Windows 2000 Server, February 17, 2000) Samba ? Version 3.0[14] (September 24, 2003) JCIFS Not supported Version 1.3.0 (October 25, 2008)[15] IBM AIX (SMBFS) 5.3 (2004)[16] Not supported as of v7.1[17]

Poor patching regimes subsequent to software releases supporting the feature becoming available have contributed to some organisations continuing to use LM Hashing in their environments, even though the protocol is easily disabled in [Active Directory](/source/Active_Directory) itself.

Lastly, prior to the release of Windows Vista, many unattended build processes still used a [DOS](/source/DOS) boot disk (instead of [Windows PE](/source/Windows_PE)) to start the installation of Windows using WINNT.EXE, something that requires LM hashing to be enabled for the legacy LAN Manager networking stack to work.

## See also

- [NT LAN Manager](/source/NT_LAN_Manager)

- [Active Directory](/source/Active_Directory)

- [Password cracking](/source/Password_cracking)

- [Dictionary attack](/source/Dictionary_attack)

- [Remote Program Load](/source/Remote_Program_Load) (RPL)

- [Security Account Manager](/source/Security_Account_Manager)

## Notes

1. **[^](#cite_ref-6)** If the password is more than fourteen characters long, the LM hash cannot be computed.

1. **[^](#cite_ref-9)** The string “KGS!@#$%” could possibly mean **K**ey of **G**len and **S**teve and then the combination of **Shift + 12345**. Glen Zorn and Steve Cobb are the authors of RFC 2433 ([Microsoft PPP CHAP Extensions](/source/MS-CHAP)).

## References

1. **[^](#cite_ref-samba_1-0)** Andy Goldstein (2005). ["Samba and OpenVMS"](https://web.archive.org/web/20210207063545/http://de.openvms.org/TUD2005/02_Advanced_Server_and_Samba_Andy_Goldstein.pdf) (PDF). *de.openvms.org*. Archived from [the original](http://de.openvms.org/TUD2005/02_Advanced_Server_and_Samba_Andy_Goldstein.pdf) (PDF) on February 7, 2021. Retrieved January 1, 2021.

1. **[^](#cite_ref-pc19891212_2-0)** Derfler, Frank J. Jr.; Thompson, M. Keith (December 12, 1989). ["Novell's NetWare 386"](https://books.google.com/books?id=5CmkZ3THZtwC&pg=PT206). *PC Magazine*. Vol. 8, no. 21. p. 205. Retrieved May 2, 2025.

1. **[^](#cite_ref-3)** ["DOS SMB Client Performance | OS/2 Museum"](https://www.os2museum.com/wp/dos-smb-client-performance/). Retrieved August 28, 2023.

1. **[^](#cite_ref-4)** ["Chapter 3 - Operating System Installation"](https://learn.microsoft.com/previous-versions/tn-archive/dd277300(v=technet.10)#the-lmhash). *[Microsoft Docs](/source/Microsoft_Docs)*. March 24, 2009. The LMHash. Retrieved October 16, 2023.

1. **[^](#cite_ref-davenport_5-0)** Glass, Eric (2006). ["The NTLM Authentication Protocol and Security Support Provider: The LM Response"](https://davenport.sourceforge.net/ntlm.html#theLmResponse). Retrieved May 12, 2015.

1. **[^](#cite_ref-7)** ["List of Localized MS Operating Systems"](https://web.archive.org/web/20150518092309/https://msdn.microsoft.com/nl-nl/goglobal/cc563921(en-us).aspx). *[Microsoft Developer Network](/source/Microsoft_Developer_Network)*. Archived from [the original](https://msdn.microsoft.com/nl-nl/goglobal/cc563921%28en-us%29.aspx) on May 18, 2015. Retrieved May 12, 2015.

1. ^ [***a***](#cite_ref-KB828861_8-0) [***b***](#cite_ref-KB828861_8-1) ["Cluster service account password must be set to 15 or more characters if the NoLMHash policy is enabled"](https://web.archive.org/web/20140910100521/https://support.microsoft.com/kb/828861). [Microsoft](/source/Microsoft). October 30, 2006. Archived from [the original](https://support.microsoft.com/kb/828861) on September 10, 2014. Retrieved May 12, 2015.

1. ^ [***a***](#cite_ref-SecurityWatch_10-0) [***b***](#cite_ref-SecurityWatch_10-1) Jesper Johansson (August 31, 2016). ["The Most Misunderstood Windows Security Setting of All Time"](https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc160954(v=msdn.10)). *[Microsoft Docs](/source/Microsoft_Docs)*. Microsoft. Retrieved October 16, 2023. Although Windows Vista has not been released yet, it is worthwhile to point out some changes in this operating system related to these protocols. The most important change is that the LM protocol can no longer be used for inbound authentication—where Windows Vista is acting as the authentication server.

1. **[^](#cite_ref-11)** Johansson, Jasper M. (June 29, 2004). ["Windows Passwords: Everything You Need To Know"](http://download.microsoft.com/download/f/4/a/f4a67fc8-c499-461d-a025-8155fb4f7a0f/Windows%20Passwords%20Master%201.5%20Handout%20-%20Jesper%20Johansson.ppt). [Microsoft](/source/Microsoft). Retrieved May 12, 2015.

1. **[^](#cite_ref-12)** Rahul Kokcha

1. **[^](#cite_ref-13)** [Benchmark Hashcat v6.1.1 on RTX 2070S (SUPER)](https://www.onlinehashcrack.com/tools-benchmark-hashcat-nvidia-rtx-2070s-super.php), Mode 3000 LM, accessed November 29, 2020

1. ^ [***a***](#cite_ref-KB299656_14-0) [***b***](#cite_ref-KB299656_14-1) ["How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases"](https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password). *[Microsoft Docs](/source/Microsoft_Docs)*. December 3, 2007. Retrieved October 16, 2023.

1. **[^](#cite_ref-15)** ["Windows NT 4.0 Service Pack 4 Readme.txt File (40-bit)"](https://web.archive.org/web/20150519010408/https://support.microsoft.com/en-us/kb/194507). [Microsoft](/source/Microsoft). October 25, 1998. Archived from [the original](https://support.microsoft.com/kb/194507) on May 19, 2015. Retrieved May 12, 2015.

1. **[^](#cite_ref-16)** ["The Samba Team announces the first official release of Samba 3.0"](https://www.samba.org/samba/history/samba-3.0.0.html). [SAMBA](/source/SAMBA). September 24, 2003. Retrieved May 12, 2015.

1. **[^](#cite_ref-17)** ["The Java CIFS Client Library"](https://web.archive.org/web/20150510030707/http://jcifs.samba.org/). Archived from [the original](https://jcifs.samba.org/) on May 10, 2015. Retrieved May 12, 2015.

1. **[^](#cite_ref-18)** ["AIX 5.3 Networks and communication management: Server Message Block file system"](http://www-01.ibm.com/support/knowledgecenter/ssw_aix_53/com.ibm.aix.commadmn/doc/commadmndita/smbfs_intro.htm). [IBM](/source/IBM). March 15, 2010. p. 441. Retrieved May 12, 2015.

1. **[^](#cite_ref-19)** ["AIX 7.1 Networks and communication management: Server Message Block file system"](http://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.networkcomm/smbfs_intro.htm). [IBM](/source/IBM). December 5, 2011. Retrieved May 12, 2015.

## External links

Wikibooks has a book on the topic of: ***[Reverse Engineering/Cracking Windows XP Passwords](https://en.wikibooks.org/wiki/Reverse_Engineering/Cracking_Windows_XP_Passwords)***

- [1.3.8.1.1 Microsoft LAN Manager](https://web.archive.org/web/20170212195243/http://msdn.microsoft.com/en-us/library/cc237025.aspx) at the [Wayback Machine](/source/Wayback_Machine) (archived February 12, 2017)

- ["Microsoft LAN Manager User's Guide for MS-DOS"](https://bitsavers.org/pdf/dec/decnet/pathworks_DOS/AA-PHH1A-TK_Pathworks_for_DOS_Microsoft_LAN_Manager_Users_Guide_for_MS-DOS_1990.pdf) (PDF) – via [Bitsavers](/source/Bitsavers).

v t e Authentication Authentication APIs BSD Authentication (BSD Auth) eAuthentication (eAuth) Generic Security Services API (GSSAPI) Java Authentication and Authorization Service (JAAS) Pluggable Authentication Modules (PAM) Simple Authentication and Security Layer (SASL) Security Support Provider Interface (SSPI) XCert Universal Database API (XUDA) Authentication protocols ACF2 Authentication and Key Agreement (AKA) CAVE-based authentication Challenge-Handshake Authentication Protocol (CHAP) MS-CHAP Central Authentication Service (CAS) CRAM-MD5 Diameter Extensible Authentication Protocol (EAP) Host Identity Protocol (HIP) IndieAuth Kerberos LAN Manager NT LAN Manager (NTLM) OAuth OpenID OpenID Connect (OIDC) Password-authenticated key agreement protocols Password Authentication Protocol (PAP) Protected Extensible Authentication Protocol (PEAP) Remote Access Dial In User Service (RADIUS) Resource Access Control Facility (RACF) Secure Remote Password protocol (SRP) TACACS Woo–Lam Category Commons

v t e Network operating systems (NOS) Current AlliedWare Plus Cisco IOS Cisco NX-OS Dell Networking Operating System ExtremeXOS Junos OS OpenWrt pfSense ScreenOS SONiC VyOS ZyNOS Historic 3+Share Banyan VINES Cumulus Linux LAN Manager MS-Net NetWare Novell S-Net Category

v t e Operating systems by Microsoft Desktop / Server Microsoft Windows 1.0 2.0 2.1 3.0 3.1 9x NT MS-DOS MSX-DOS Multitasking MS-DOS 4.0/4.1 MS-DOS 7 DOS/V Z-DOS OS/2 Xenix Mobile Nokia Asha platform Nokia X platform KIN OS Windows Mobile Windows Phone Zune Windows 10 Mobile Embedded / IoT Azure RTOS ThreadX Azure Sphere Modular Windows Windows Embedded Automotive Windows Embedded Compact Windows Embedded Industry Windows IoT Network MS-Net LAN Manager SONiC Others Azure Linux Barrelfish Cairo HomeOS Midori Singularity Venus Verve Xbox system software Category List

---
Adapted from the Wikipedia article [LAN Manager](https://en.wikipedia.org/wiki/LAN_Manager) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/LAN_Manager?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.