
8-Character Windows NTLM Passwords Can Be Cracked in Under 2.5 Hours - nadalizadeh
https://www.theregister.co.uk/2019/02/14/password_length/
======
nadalizadeh
HashCat, an open-source password recovery tool, can now crack an eight-
character Windows NTLM password hash in less than 2.5 hours. "Current password
cracking benchmarks show that the minimum eight character password, no matter
how complex, can be cracked in less than 2.5 hours" using a hardware rig that
utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the
pseudonym Tinker on Twitter in a DM conversation with The Register. "The eight
character password is dead." From the report:

It's dead at least in the context of hacking attacks on organizations that
rely on Windows and Active Directory. NTLM is an old Microsoft authentication
protocol that has since been replaced with Kerberos. According to Tinker, it's
still used for storing Windows passwords locally or in the NTDS.dit file in
Active Directory Domain Controllers. It's dead at least in the context of
hacking attacks on organizations that rely on Windows and Active Directory.
NTLM is an old Microsoft authentication protocol that has since been replaced
with Kerberos. Tinker estimates that buying the GPU power described would
require about $10,000; others have claimed the necessary computer power to
crack an eight-character NTLM password hash can be rented in Amazon's cloud
for just $25.

NIST's latest guidelines say passwords should be at least eight characters
long. Some online service providers don't even demand that much. When security
researcher Troy Hunt examined the minimum password lengths at various websites
last year, he found that while Google, Microsoft and Yahoo set the bar at
eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight
character password was used as a benchmark because it's what many
organizations recommend as the minimum password length and many corporate IT
policies reflect that guidance. So how long is long enough to sleep soundly
until the next technical advance changes everything? Tinker recommends a
random five-word passphrase, something along the lines of the four-word
example popularized by online comic XKCD, "correcthorsebatterystaple." That or
whatever maximum length random password via a password management app, with
two-factor authentication enabled in either case.

