!!! Overview[1]
[NT LAN Manager] [Vulnerabilities|Vulnerability] are a big problem because if you don't set up [Kerberos] properly, the [SPNEGO] negotiation *will* typically fall back to [NT LAN Manager] ([NTLM]) without notifying the user.

If you are not using [SSL]/[TLS], it might as well be falling back to plain-text [authentication]! Yes, even the latest version of [NTLM] is *that bad*. There are [rainbow table]s for [NTLM] covering passwords up to 16 characters, and you can download tables up to 10 characters for free here: [http://project-rainbowcrack.com/table.htm]

At this point, any [NTLM] [hash] derived from a password of 17 characters or fewer is considered extremely weak and easily crackable with modern GPU hardware. We know people who have cracked 36-character passwords using a single GPU in their home theater box. You can try it yourself with free software here: [https://hashcat.net/oclhashcat/]

FYI: The default Windows [Kerberos] implementation is only marginally better than [NTLM], because it too does not use a [salt], making its password hashes only marginally harder to brute force ([rc4]-[HMAC] algorithm). Even if you enable [AES]-256 on Windows Server 2012 or later, it __still doesn't use a random [salt]__! So it suffers from the same problem: only marginally better, and not strong security at all.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [The Rope|https://www.gluu.org/blog/spnego-the-rope/|target='_blank'] - based on data observed: 2015-05-18