If you are not using SSL/TLS, it might as well be falling back to plain-text authentication! Yes, NTLM (even the latest version) is *that bad*. Rainbow tables exist for NTLM passwords up to 16 characters, and tables covering up to 10 characters can be downloaded for free here: http://project-rainbowcrack.com/table.htm
At this point, any NTLM hash derived from a password of 17 characters or fewer is considered extremely weak and easily crackable with modern GPU hardware. We know people who have cracked passwords 36 characters long using a single GPU in their home theater box. You can try it yourself with free software here: https://hashcat.net/oclhashcat/
FYI: the default Windows Kerberos implementation is only marginally better than NTLM, because it too does not use a salt (RC4-HMAC algorithm), making password hashes only marginally harder to brute-force. Even if you enable AES-256 in Windows Server 2012 or later, it still doesn’t use a random salt! So it suffers from the same problem: only marginally better, and not strong security at all.
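As an added illustration (not from the original post) of why the missing salt matters: the NT hash is MD4 over the UTF-16LE password with no salt and no work factor, so identical passwords always produce identical hashes, and the same value doubles as the Kerberos RC4-HMAC long-term key. The account names and passwords below are constructed sample data, and the salted PBKDF2 comparison uses parameters chosen here for contrast, not anything taken from the page.

```python
import hashlib
import os
import struct
from collections import defaultdict

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    M = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    fns = (lambda x, y, z: (x & y) | (~x & z),          # round 1: F
           lambda x, y, z: (x & y) | (x & z) | (y & z),  # round 2: G
           lambda x, y, z: x ^ y ^ z)                    # round 3: H
    shifts = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
    consts = (0, 0x5A827999, 0x6ED9EBA1)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for i in range(48):
            rnd, j = divmod(i, 16)
            k = (j, (j % 4) * 4 + j // 4, (0, 8, 4, 12)[j % 4] + (0, 2, 1, 3)[j // 4])[rnd]
            t = -j % 4  # register rewritten this step: a, d, c, b, a, ...
            r[t] = rol((r[t] + fns[rnd](r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4])
                        + X[k] + consts[rnd]) & M, shifts[rnd][j % 4])
        state = [(s + v) & M for s, v in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as Windows stores it: MD4(UTF-16LE password). No salt, no iteration,
    so equal passwords give equal hashes; this is also the RC4-HMAC Kerberos key."""
    return _md4(password.encode("utf-16-le")).hex()

def shared_nt_hashes(accounts: dict) -> dict:
    """Audit helper for your own directory: any NT hash shared by >1 account means
    a shared password, visible precisely because there is no salt."""
    groups = defaultdict(list)
    for user, pw in accounts.items():
        groups[nt_hash(pw)].append(user)
    return {h: sorted(u) for h, u in groups.items() if len(u) > 1}

def salted_hash(password: str, salt: bytes = None) -> tuple:
    """Contrast: PBKDF2-HMAC-SHA256 with a random 16-byte salt (parameters chosen here).
    Equal passwords yield different digests, so no table can be precomputed."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

if __name__ == "__main__":
    accounts = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}  # constructed
    print(nt_hash("password"))         # 8846f7eaee8fb117ad06bdd830b7586c
    print(shared_nt_hashes(accounts))  # alice and bob collapse onto one hash
    print(salted_hash("password")[1] != salted_hash("password")[1])  # True
```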