Password hashes are kept in a security database, the SAM (Security Account Manager), at \Windows-directory\system32\config\SAM; the file is locked while NT is running.
A copy of the password file is kept in the Windows-directory\repair folder.
NT uses two hash algorithms to protect stored passwords:
NT hash - the password is converted to Unicode and then run through the MD4 hash algorithm to obtain a 16-byte value.
LAN Manager hash - the password is padded with 0's up to a length of 14 characters, converted to uppercase, and split into two 7-character pieces. Each half is encrypted using 8-byte DES (Data Encryption Standard) keys. The results are combined into a 16-byte, one-way hash value.
Password hashes are not randomized with a salt value, so identical passwords produce identical hashes (hence a password shared by two users only has to be cracked once).