Ian,
Your dump shows that both the Guest and Administrator accounts there have no LM password.
The others do.
Administrator does not have an empty password. An empty password would have the
hash value
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
but it has an LM "Hash" and not an NTLM hash.
91c7ae7122196b5eaad3b435b51404ee:22315d6ed1a7d5f8a7c98c40e9fa2dec:::
Yet I change my password to some uber-shocking nonsense, and in 2 minutes I
can have it cracked because the LM Hash is still being stored.
It is a poor design of the LM "Hash". When L0pht Crack attacks it, it will
actually attack the first 7 characters separately from the second 7 characters (LM
"passwords" are always 14 characters long; if a user creates a password
that is 8 characters long, the computer will add 6 NULL characters). This makes
things much easier and faster. As Karl pointed out, the characters that it
has to attack are quite limited since the password is converted to all capital
letters before the "hash" is created.
Even with the NTLM hash you will still need password complexity -- NTLM does no
magic. If your users use simple passwords, L0pht Crack will have no
problem figuring out what the password is. It can still use dictionary
attacks and pre-computed NTLM hashes that you can buy on the internet.
You mentioned that you have the policy set in the Default Domain Policy. Set
this policy also in the Default Domain Controllers Policy since passwords are
stored there. Yes, your clients also need the same policy since they use it
to locally store the passwords. Use the GUI to make the change.
Note, by default Windows will cache passwords (in LM "Hash"). If you want to
get rid of the old cache you will have to disable it first (set the policy
"Interactive logon: Number of previous logons to cache" to 0) and make users
change their passwords. After they change it you can set this policy back
(you really should) to e.g. the default value (10) or some other value... Even
locally cached passwords will now be stored as NTLM...
Mike
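To see which accounts still need a password change after LM storage is disabled, the hash fields in a pwdump-style export can be audited directly, using the two constants Mike walks through (the empty-password LM and NT hashes) and the 7+7 split he describes. This is an added example, not code from the thread; the Guest and Administrator hash values are the ones quoted above, while the usernames, RIDs and the remaining hash values are constructed.

```python
# Audit a pwdump-style export for accounts that still store a LAN Manager hash.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                   # LM half produced by 7 NULL characters

# Constructed sample dump: Guest/Administrator values from the message above,
# the other accounts and their hashes are made up for illustration.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator:500:91c7ae7122196b5eaad3b435b51404ee:22315d6ed1a7d5f8a7c98c40e9fa2dec:::
alice:1001:0123456789abcdeffedcba9876543210:00112233445566778899aabbccddeeff:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:0f0e0d0c0b0a09080706050403020100:::
"""

def parse_pwdump_line(line):
    """Split 'user:rid:lm:nt:::' into a dict; return None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError("malformed pwdump line: %r" % line)
    user, rid, lm, nt = fields[0], fields[1], fields[2].lower(), fields[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError("hash field is not 32 hex characters: %r" % line)
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}

def classify(entry):
    """Describe what the stored hashes reveal about the account's password."""
    lm, nt = entry["lm"], entry["nt"]
    if nt == EMPTY_NT:
        return "empty-password"      # no password set at all
    if lm == EMPTY_LM:
        return "nt-only"             # LM hash not stored: already safe from LM cracking
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-stored-short"     # second half is all NULLs: password is 7 chars or fewer
    return "lm-stored"               # both halves populated: password is 8 to 14 chars

def audit(dump_text):
    """Return {user: classification} for every account in the export."""
    results = {}
    for line in dump_text.splitlines():
        entry = parse_pwdump_line(line)
        if entry:
            results[entry["user"]] = classify(entry)
    return results

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_DUMP).items():
        print("%-15s %s" % (user, verdict))
```

Any account reported as lm-stored or lm-stored-short has not changed its password since the LM-storage policy took effect and should be forced to do so.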