1) NT authentication can allow or deny access to an application as a whole. If the application has the proper hooks, it can also use that same identity to control access within the application; in many cases, however, applications have no such capability. So this isn't really an "either/or" question. Whether single sign-on is even possible depends on how tightly the application is integrated with the underlying OS security mechanisms.
2) Windows NT stored and used two hashes of every password: the LAN Manager (LM) hash and the NT hash. The LM hash is kept for backwards compatibility with Win98, Win95, Win 3.1 and even DOS LAN Manager clients, and it is significantly weaker than the NT hash: the password is converted to uppercase, truncated or padded to 14 characters and split into two 7-character halves, and each half is used on its own as a DES key to encrypt a fixed string. An attacker therefore never faces more than a 7-character, case-insensitive search, and can crack the two halves independently; a password of seven characters or fewer is even visible as such, because its second half is always the same constant. Because both hashes are derived from the same password, recovering the plaintext from the LM hash gives the attacker the NT password up to letter case, which is a trivial remaining search against the stronger NT hash. Starting with SP4 (service pack 4), NT can be configured not to use LAN Manager authentication (the LMCompatibilityLevel setting), so in an environment that is all NT and Win2K it is possible to disable it. See this Microsoft article.
3) You are not too paranoid about the use of passwords in general (not just on NT). Users routinely pick poor passwords. You can use NT's own account policy tools to set a minimum password length, maximum and minimum password age, and password history, and you can follow the NSA guidelines for securing Windows NT. Check out their online info here. That NSA page also has guides for Win2K, WinXP, Cisco routers and more. To increase security further, consider alternative authentication systems such as tokens (smart cards and other devices), public key certificates or biometrics. There are also third-party tools that help with the single sign-on problem.
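To make the weakness described in point 2 concrete, here is an added example (not code from the original article, nor from Microsoft) that computes the LM and NT hashes of the same password in Go. The names LMHash, NTHash, LMPasswordIsShort, lmKey and the bundled md4 routine are this example's own; it assumes ASCII passwords, since real LM uppercasing follows the machine's OEM code page.

```go
// Added example, not from the original article: compute the LAN Manager (LM) and NT
// hashes of the same password so the LM weaknesses are visible. Assumes ASCII passwords.
package main

import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// lmKey spreads the 56 bits of a 7-byte half over 8 DES key bytes (low bit = unused parity).
func lmKey(half []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, half...))
	k := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k[i] = byte(v&0x7f) << 1
		v >>= 7
	}
	return k
}

// LMHash: uppercase, truncate or zero-pad to 14 bytes, split into two 7-byte halves,
// and use each half as an independent DES key to encrypt the fixed string "KGS!@#$%".
func LMHash(password string) string {
	p := make([]byte, 14)
	copy(p, strings.ToUpper(password)) // copy stops at 14 bytes; the rest stays zero
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		c, err := des.NewCipher(lmKey(p[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		c.Encrypt(out[8*i:], []byte("KGS!@#$%"))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// LMPasswordIsShort: a password of 7 characters or fewer leaves the second half empty,
// and DES of "KGS!@#$%" under the all-zero key is the constant AAD3B435B51404EE.
func LMPasswordIsShort(lmHash string) bool {
	return len(lmHash) == 32 && lmHash[16:] == "AAD3B435B51404EE"
}

// NTHash: MD4 over the UTF-16LE password, case preserved, no splitting into halves.
func NTHash(password string) string {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return strings.ToUpper(hex.EncodeToString(md4(buf)))
}

// md4 is a compact RFC 1320 MD4, included only because the Go standard library has none.
func md4(msg []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	bitLen := uint64(len(msg)) * 8
	msg = append(msg, 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = append(msg, make([]byte, 8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], bitLen)
	r3 := [16]uint32{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	for blk := 0; blk < len(msg); blk += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[blk+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 48; i++ {
			j := i % 16
			var f, k, s uint32
			switch {
			case i < 16: // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d), message words in order
				f, k, s = (b&c)|(^b&d), uint32(j), []uint32{3, 7, 11, 19}[j%4]
			case i < 32: // round 2: G(b,c,d) = majority, words 0,4,8,12,1,5,...
				f, k, s = ((b&c)|(b&d)|(c&d))+0x5a827999, uint32((j%4)*4+j/4), []uint32{3, 5, 9, 13}[j%4]
			default: // round 3: H(b,c,d) = b XOR c XOR d, bit-reversed word order
				f, k, s = (b^c^d)+0x6ed9eba1, r3[j], []uint32{3, 9, 11, 15}[j%4]
			}
			a, b, c, d = d, bits.RotateLeft32(a+f+x[k], int(s)), b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	out := make([]byte, 16)
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

func main() {
	for _, pw := range []string{"", "Password", "PASSWORD", "secret"} {
		fmt.Printf("%-10q LM=%s NT=%s\n", pw, LMHash(pw), NTHash(pw))
	}
}
```

Running it shows the three points from above directly: "Password" and "PASSWORD" produce the same LM hash but different NT hashes, the six-character "secret" carries the constant AAD3B435B51404EE as its second LM half, and the empty password is nothing but that constant twice. A cracker that recovers "PASSWORD" from the LM half only has to try the 2^8 case variants against the NT hash.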
For more info on this topic, check these SearchSecurity.com resources:
Best Web Links: Passwords/authentication
Featured Topic: Password mania
Article: Study: Employees willing to share passwords with strangers