That's the LMHash limit, a leftover from the old Windows v3.x days. That is the reason why you have to get to 15 or more characters to bypass that vulnerability, which forces it to use the newer hash.

________________________________

From: Zvonimir Bilic [mailto:zbilic@xxxxxxxxxxxx]
Sent: Monday, June 27, 2005 08:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?

http://www.ISAserver.org

Hi Tom,

I think that by default Windows has a password limit of 14 characters. How did you configure Windows to allow passwords of more than 14 characters? Is there any documentation on this?

Thanks,
Zvonimir

----- Original Message -----
From: "Thomas W Shinder"
To: "[ISAserver.org Discussion List]"
Sent: 6/27/2005 8:34AM
Subject: [isalist] RE: is the latest ISA2000 security update a dud?

http://www.ISAserver.org

Hi Dan,

From what I understand (which could be wrong), they could capture the password hash over the wire, and run it against a Rainbow crack. That's why I've upgraded our password policy to 24+ characters, since we use secure Exchange RPC to connect from places like airports and such.