NT LM 0.12 Challenge/Response

Because it uses MD4 to generate the keying material from the password, and because it preserves the password's case, the key space of this protocol is essentially the full 56 bits that single DES allows; this is probably an acceptable length for most purposes (although future dialects may use triple-DES for more assurance). However, it is still subject to the same chosen plaintext and dictionary attacks as LANMAN 2.1 challenge/response if passwords are badly chosen. The only cure is to make sure that passwords are well-chosen, and long enough to have at least 56 bits of randomness.

Other considerations:

• Transforming the password into Unicode leaves a pattern of alternating zeros and characters in the input to MD4. This may allow MD4 to be reversed much more easily, although there is currently no known way to exploit this.
• MD4 is known to be weak with respect to collisions. There may be a way to exploit this to attack its one-wayness, or to exploit the collision properties to limit key search time, although there is currently no known way to do so.