MichaelGrafnetter / DSInternals

Directory Services Internals (DSInternals) PowerShell Module and Framework
https://www.dsinternals.com
MIT License

Password Quality Result #169

Closed fatmeat closed 9 months ago

fatmeat commented 10 months ago

Hello, may I know what the difference is between these sections of the password quality script output:

Passwords of these accounts have been found in the dictionary
  contoso\A
  contoso\B
  contoso\C

and

LM hashes of passwords of these accounts are present
  contoso\D
  contoso\E
  contoso\F

I am passing the haveibeenpwn list to the script, and both of the above sections return results, which makes me confused about whether accounts A, B, C used a leaked password or users D, E, F used a leaked password.

fatmeat commented 9 months ago

@MichaelGrafnetter It will be great if you can answer this, thanks!!

CamFlyerCH commented 9 months ago

LM hashes are the very old pre-AD password hashes and can be cracked much more easily than NTLM hashes. The LM hashes are only built on the first 7 characters of the password and the second 7 characters. A password longer than 14 characters was never stored as an LM hash. Starting from Windows Server 2008, the default policy setting was to NOT store LM hashes during password changes or resets anymore. So if you have accounts with LM hashes, it is advised to set new secure passwords, and the LM hashes should be removed. Probably these are all accounts with never-expiring passwords, which is itself not best practice, but sometimes needed. Still, a password change is advised. The NTLM password hashes found in the haveibeenpwnd hash list are listed under "Passwords of these accounts have been found in the dictionary".
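The distinction drawn in the answer above, as an added example that is not part of the thread and is not DSInternals code: a Python model in which the dictionary section is a lookup of each account's NT hash in a leaked-hash list ordered by hash, and the LM section is only a check for a stored LM hash. All hash values, the accounts contoso\X and contoso\Y, and the function names are constructed for illustration.

```python
from bisect import bisect_left

# Constructed sample in the "HASH:count" layout of an NTLM list ordered by hash.
SORTED_LIST = """\
11111111111111111111111111111111:42
5555AAAA5555AAAA5555AAAA5555AAAA:7
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:1300
"""

# Constructed accounts: (name, NT hash, LM hash or None when none is stored).
ACCOUNTS = [
    ("contoso\\A", "11111111111111111111111111111111", None),
    ("contoso\\D", "ABCDEFABCDEFABCDEFABCDEFABCDEFAB", "0123456789ABCDEF0123456789ABCDEF"),
    ("contoso\\X", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "FEDCBA9876543210FEDCBA9876543210"),
    ("contoso\\Y", "99999999999999999999999999999999", None),
]


def load_sorted_hashes(text):
    """Return the hash column, upper-cased; reject input that is not sorted."""
    hashes = [line.split(":", 1)[0].strip().upper()
              for line in text.splitlines() if line.strip()]
    if any(a > b for a, b in zip(hashes, hashes[1:])):
        raise ValueError("hash list is not ordered by hash; binary search would miss entries")
    return hashes


def in_list(hashes, nt_hash):
    """Binary search for one NT hash in the sorted list."""
    key = nt_hash.upper()
    i = bisect_left(hashes, key)
    return i < len(hashes) and hashes[i] == key


def classify(accounts, hashes):
    """Build the two report sections independently of each other."""
    report = {"found_in_dictionary": [], "lm_hash_present": []}
    for name, nt_hash, lm_hash in accounts:
        if in_list(hashes, nt_hash):   # NT hash matches a listed (leaked) password
            report["found_in_dictionary"].append(name)
        if lm_hash is not None:        # an LM hash is stored, whatever the password is
            report["lm_hash_present"].append(name)
    return report


if __name__ == "__main__":
    for section, names in classify(ACCOUNTS, load_sorted_hashes(SORTED_LIST)).items():
        print(section, names)
```

In this model contoso\X lands in both sections and contoso\Y in neither, which shows that the two lists answer separate questions: only the first one says the password appears in the supplied list.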