Passwords remain a necessary evil in any security arrangement, and NT is no exception. NT offers a password mechanism that is, in theory, extremely hard to break. But users and administrators often make life relatively easy for intruders by choosing easy-to-guess passwords. They also leave passwords, even in encrypted form, in places where intruders can get at them. Mixing NT Challenge/Response authentication with LM authentication in order to accommodate older Windows clients can also make life easier for intruders.

NT passwords can be up to 14 characters long, are case-sensitive, and can include a wide variety of extended characters. As we discussed earlier, NT creates a hash of the password and stores that hash as part of the user's security information in the SAM. NT uses the case-sensitive version of the password for user authentication involving only NT workstations and servers. But it can also maintain backward compatibility with the older LAN Manager authentication process used by Windows 3.1, Windows for Workstation, and Windows 95 clients. To support older Windows clients, NT Server converts the password to all caps and then creates a cryptographic hash of it. NT Server then stores this "LAN Manager version" of the password in the SAM alongside the NT version, thereby making the password easier to guess: an intruder who obtains the LM hash only has to guess the case-insensitive form, so every mix of upper- and lower-case letters the user chose collapses into a single target.
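The following is an added illustration, not code from the original text, of what storing an upper-cased copy of the password next to the case-sensitive one does to the search space. It is an audit-style model, not the real algorithms: the real LM hash uses DES keyed by each half of the upper-cased, 14-byte password, and the real NT hash is MD4 over the password as typed; neither cipher is in the Python standard library, so SHA-256 stands in for the one-way step (an assumption stated in the code). The property shown, that distinct case-sensitive passwords map onto one LM-style value, does not depend on which one-way function is used. The 7-byte split of the LM input is a well-known detail not stated on this page, and the sample passwords are constructed.

```python
import hashlib


def _oneway(data: bytes) -> str:
    """Stand-in one-way function (assumption: SHA-256 replaces DES/MD4 here).
    The real LM step encrypts a fixed constant with DES keyed by each 7-byte
    half; the real NT step is MD4. Only the collapsing behaviour matters below."""
    return hashlib.sha256(data).hexdigest()[:16]


def lm_form(password: str) -> bytes:
    """LM preprocessing as the page describes: fold to upper case, then fix the
    length at 14 bytes (longer input is cut, shorter input is null-padded)."""
    up = password.upper().encode("latin-1", "replace")[:14]
    return up.ljust(14, b"\x00")


def lm_style_hash(password: str) -> str:
    """LM-style stored value. The two 7-byte halves are hashed independently,
    a detail of the real LM hash that the page does not mention."""
    form = lm_form(password)
    return _oneway(form[:7]) + _oneway(form[7:])


def nt_style_hash(password: str) -> str:
    """NT-style stored value: the password exactly as typed, case preserved,
    encoded as UTF-16LE before the one-way step."""
    return _oneway(password.encode("utf-16-le"))


def case_variants(password: str) -> int:
    """How many passwords differ from this one only in letter case. Every one of
    them produces the same LM-style value but a different NT-style value, so the
    LM copy shrinks an intruder's guessing work by this factor."""
    return 2 ** sum(c.isalpha() for c in password)


def audit(candidates):
    """Group candidate passwords by LM-style value and count the distinct
    NT-style values in each group. A count above 1 shows the LM copy throwing
    away information that the NT copy keeps."""
    groups = {}
    for pw in candidates:
        groups.setdefault(lm_style_hash(pw), set()).add(nt_style_hash(pw))
    return {lm: len(nt_values) for lm, nt_values in groups.items()}


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    sample = ["Passw0rd", "passw0rd", "PASSW0RD", "Secret99"]
    for pw in sample:
        print(f"{pw:10} LM-style={lm_style_hash(pw)} "
              f"NT-style={nt_style_hash(pw)} case variants={case_variants(pw)}")
    print("distinct NT values per LM value:", sorted(audit(sample).values()))
```

Two things the run makes visible: the three spellings of "Passw0rd" share one LM-style value while keeping three distinct NT-style values, and a password of seven characters or fewer leaves its second LM half as pure padding, so that half is identical for every such password. An administrator reviewing stored credentials can treat either observation as a reason to disable LM hash storage where no legacy client needs it.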