
Question:

Is this person using safe password procedures?
While pen-testing a client, you learn that LM hashing with no salting is still used on most systems for backward compatibility. The hash of one stolen password is 9FAF6B755DC38E12AAD3B435B51404EE.

A No, the hash reveals a seven-character-or-less password has been used.
Explanation

LM hashes a password by padding it with blank characters to 14 characters, splitting it into two 7-character halves, and hashing each half independently. Because the LM hash of seven blank characters is always AAD3B435B51404EE, a hash whose second half is that value shows that the user chose a password of seven or fewer characters. CEH recommends that a password contain at least eight characters, be difficult to guess, and expire after 30 days, so this user is not following a good policy.