If the password is 15 characters or longer, Windows stores encrypted padding for that user's hash. What is the effect?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions, each question has hints and explanations. Get ready for your exam!

Multiple Choice


Explanation:

Windows keeps two hashes for a local account: the LAN Manager (LM) hash and the NT hash. The LM algorithm can only represent 14 characters. The password is uppercased, null-padded to 14 bytes, split into two 7-byte halves, and each half is used as a DES key to encrypt the constant string "KGS!@#$%". A password of 15 or more characters does not fit, so Windows stores fixed padding in the LM field instead: the LM hash of an empty password, AAD3B435B51404EEAAD3B435B51404EE. That value is what the question calls "encrypted padding", because it is literally the DES encryption of the constant under an all-null key. It carries no information about the user's actual password.

The effect is that the LM hash becomes useless to an attacker. Anyone who dumps the SAM or NTDS.dit gets an LM field that cannot be cracked, because there is nothing in it to crack, and has to attack the NT hash (the MD4 of the UTF-16LE password) instead, either by offline cracking or by pass-the-hash. Nothing is stored in cleartext and the password is not revealed, but a 15-character password does not prevent offline attacks altogether; it only removes the weak, case-insensitive LM hash from the picture. The same padding value also appears for every account when LM hash storage is disabled by policy (NoLMHash, the default since Windows Vista and Server 2008), so an all-padding LM field by itself does not prove the password is long.
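The practical use of this on a penetration test is triage of a hash dump: the LM field tells you, before any cracking, whether the account's password is at most 7 characters (second half is padding), 8 to 14 characters (both halves real), or 15 or more / LM disabled (both halves padding), and therefore whether to spend cracking time on the LM hash or go straight to the NT hash. The script below is an added example, not code from the original page or from SANS. The only real constants in it are the empty-LM-half value aad3b435b51404ee and the empty-password NT hash; the dump lines are constructed, with placeholder hash values except for the svc_backup line, which uses the widely published LM and NT hashes of the password "password".

```python
"""Triage a pwdump-style dump by what the LM hash field reveals.

Added example, not code from the original page. The only real constants are
LM_EMPTY_HALF / LM_EMPTY (what Windows stores when there is no LM hash to
store) and NT_EMPTY (the NT hash of a blank password); the dump lines below
are constructed, with placeholder hash values except where noted.
"""
import re

# DES("KGS!@#$%") under an all-null 7-byte key: the value Windows stores for
# an LM hash half that holds only padding. Real, fixed constant.
LM_EMPTY_HALF = "aad3b435b51404ee"
# Both halves padding: password is 15+ characters, or LM storage is disabled.
LM_EMPTY = LM_EMPTY_HALF * 2
# MD4 of the empty UTF-16LE string: a blank password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump / secretsdump line format: user:RID:LM:NT:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):"
)


def classify_lm(lm_hex):
    """Classify what the LM field says about password length."""
    lm = lm_hex.lower()
    if lm == LM_EMPTY:
        return "none"   # 15+ chars or NoLMHash: pure padding, crack the NT hash instead
    if lm.endswith(LM_EMPTY_HALF):
        return "short"  # 1-7 chars: second half is padding, only the first half is real
    return "full"       # 8-14 chars: two independent 7-char DES halves, both crackable


def recommend(lm_class, nt_hex):
    """Where cracking effort for this account should be directed."""
    if nt_hex.lower() == NT_EMPTY:
        return "blank password: no cracking needed"
    return {
        "none": "LM hash unusable; crack the NT hash (or pass it)",
        "short": "crack LM first half only, then recover case against the NT hash",
        "full": "crack both LM halves, then recover case against the NT hash",
    }[lm_class]


def triage(dump_lines):
    """Return one record per parseable line: user, RID, LM class, recommendation."""
    records = []
    for line in dump_lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines and malformed entries are skipped
        lm_class = classify_lm(m["lm"])
        records.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm_class": lm_class,
            "recommendation": recommend(lm_class, m["nt"]),
        })
    return records


# Constructed sample dump. svc_backup carries the published hashes of the
# password "password"; the other non-constant hash values are placeholders.
SAMPLE_DUMP = """
# constructed pwdump output, not from a real host
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
kiosk:1002:1122334455667788aad3b435b51404ee:f0e1d2c3b4a5968778695a4b3c2d1e0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
""".strip().splitlines()

if __name__ == "__main__":
    for r in triage(SAMPLE_DUMP):
        print(f"{r['user']:<14} LM={r['lm_class']:<5} -> {r['recommendation']}")
```

Two caveats when reading the output. A "none" result means the LM field is all padding, which is what you get for a 15+ character password but also for every account on a host with NoLMHash enabled, so it is evidence about the hash, not proof about the length. And a cracked LM plaintext is uppercase only; the real password is recovered by trying case variants of it against the NT hash, which is why the recommendations for "short" and "full" still end at the NT hash.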
