LM Hashes

The LM (LAN Manager) hash is a legacy password hash that Windows and Active Directory store alongside the NT hash. It is weak by design: the password is upper-cased, truncated or padded to 14 characters, and split into two independent 7-character halves, so any LM hash is recovered in seconds with rainbow tables and an attacker who dumps ntds.dit or the SAM gets cleartext-equivalent credentials. LM hashes are only needed for LM authentication from very old clients (Windows 9x and earlier), so they should be disabled and purged.

To stop LM hashes being stored, enable this Group Policy setting (it maps to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 on each domain controller):

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Do not store LAN Manager hash value on next password change > Enabled - OK

As the setting's name says, it only takes effect the next time each password is changed; LM hashes already stored in Active Directory remain in ntds.dit until then. Two ways to flush them completely:

  1. Use passwords of at least 15 characters. The LM algorithm only handles 14, so Windows stores a dummy LM hash for any longer password regardless of the setting.
  2. Enable the setting above, then change the password on every account (including service accounts). If users must keep their current passwords, temporarily disable password history, have every account set its password again, then re-enable password history.
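The following PowerShell is an added example, not part of the original note or of Microsoft's documentation. It enforces the NoLMHash registry value on the machine it runs on, then lists every enabled user whose password was last set before the policy was rolled out (those accounts may still carry an LM hash) and flags them for a password change at next logon. It assumes the RSAT ActiveDirectory module is installed and run with domain admin rights; the rollout date is a placeholder you must replace.

```powershell
#Requires -Modules ActiveDirectory
# Added example: enforce NoLMHash and find accounts whose LM hash has not yet been
# flushed by a post-policy password change. Run on a domain controller or RSAT host.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Registry equivalent of "Network security: Do not store LAN Manager hash value on
#    next password change". Group Policy is the preferred way to set it on every DC;
#    this just verifies and corrects the local value.
$current = (Get-ItemProperty -Path $lsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($current -ne 1) {
    Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
    Write-Host "NoLMHash set to 1 (was '$current')"
} else {
    Write-Host 'NoLMHash already enabled'
}

# 2. Any account whose password was last set before the policy took effect may still
#    have an LM hash stored in ntds.dit. The date below is a hypothetical rollout date.
$policyEnabledOn = Get-Date '2024-01-15'

$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $policyEnabledOn }

Write-Host "$($stale.Count) enabled accounts have not changed password since the policy was enabled:"
$stale | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# 3. Force a change at next logon for ordinary users. Accounts with PasswordNeverExpires
#    (typically service accounts) will not be prompted, so reset those by hand, ideally to a
#    15+ character password, which has no LM hash at all. Remove -WhatIf to apply.
$stale | Where-Object { -not $_.PasswordNeverExpires } |
    Set-ADUser -ChangePasswordAtLogon $true -WhatIf

$stale | Where-Object { $_.PasswordNeverExpires } |
    ForEach-Object { Write-Warning "Manual reset needed (password never expires): $($_.SamAccountName)" }
```

Run the script with -WhatIf in place first and review the list; the step that matters is the password change itself, since nothing else clears an LM hash that is already stored.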

See https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password