
Hashcat 6 with 8 x 2080ti cracks 8-character passwords in 2:30h on benchmarks - drexlspivey
https://twitter.com/TinkerSec/status/1096046635593928704
======
burk96
Does it matter what encryption was used for the passwords? I'm really lacking
on the subject. Impressive results nonetheless.

Also besides using a longer password, is there anything else that can be done
to harden my passwords?

~~~
jandrese
The tweet was about NTLM, so presumably MD4, but other common hash algorithms
are likely only going to add a few hours to the result at this point. This
wasn't some crazy amount of hardware either. A more modest single GPU setup
could still crack the password in less than a day.

~~~
ShorsHammer
> other common hash algorithms are likely only going to add a few hours

Hash algorithms or password hash algorithms? Because if the former I'd
completely disagree, it would be closer to hundreds of years with a modern
algorithm like Argon or even old stalwarts like Bcrypt with higher cost
parameters.

The Twitter statement is ridiculous, password length isn't the problem here,
it's poorly secured credentials. I was under the impression that NTLM was
deprecated anyway?

Edit: Going off this benchmark[0] of 19000 H/s for a single 2080 crunching
bcrypt. The keyspace for alphanumeric(62) + password symbols(23) with 8
characters = 85^8 = 2.72 x 10^15

@19000 H/s it will take 143416065810 seconds to go through every permutation.
So around 4547 years worst case scenario. Add 7 more GPUs like in the OP's
rig and that's 568 years.

The birthday problem doesn't apply here to finding a _specific password_, so on
average looking at 284 years with 8x 2080 GPUs.

All modern algos from the last Password Hashing Competition were designed to
be memory hard (or at least offer it as a parameter) to resist GPU attacks and
would be pushing these numbers up a magnitude or two.

8 character passwords aren't dead.

[0] https://gist.github.com/Chick3nman/d03c0d696699af2886c3404256801a9e
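The keyspace arithmetic from the comment above, written out as an added example (not code from the thread, the tweet or hashcat). It reuses the thread's figures (85-character set, 8 characters, 19,000 H/s bcrypt on one 2080, 8 GPUs) and assumes the cited benchmark ran bcrypt at cost factor 5, so that `bcrypt_rate_at_cost` has a baseline; all function names are mine.

```python
"""Exhaustive-search effort estimates for a fixed-length password keyspace.

Constructed from the thread's numbers: 62 alphanumerics + 23 symbols = 85
characters, length 8, 19,000 H/s for bcrypt on a single 2080, 8 GPUs.
The bcrypt cost factor of that benchmark is an assumption (5, hashcat's
default benchmark cost), used only as the baseline for cost scaling.
"""
SECONDS_PER_YEAR = 365 * 24 * 3600  # the comment uses a 365-day year
CHARSET_SIZE = 62 + 23
PASSWORD_LENGTH = 8
BCRYPT_RATE_PER_GPU = 19_000  # H/s, from the cited benchmark
ASSUMED_BENCHMARK_COST = 5    # assumption, see module docstring


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(space: int, rate_per_gpu: int, gpus: int = 1) -> int:
    """Seconds to try every candidate at the aggregate rate (integer floor)."""
    return space // (rate_per_gpu * gpus)


def expected_seconds(space: int, rate_per_gpu: int, gpus: int = 1) -> int:
    """A specific password is found, on average, halfway through the space."""
    return worst_case_seconds(space, rate_per_gpu, gpus) // 2


def years(seconds: int) -> float:
    """Convert a duration in seconds to years for readability."""
    return seconds / SECONDS_PER_YEAR


def bcrypt_rate_at_cost(base_rate: int, cost: int,
                        base_cost: int = ASSUMED_BENCHMARK_COST) -> float:
    """bcrypt doubles its work per cost step, so the hash rate halves."""
    return base_rate / 2 ** (cost - base_cost)


if __name__ == "__main__":
    space = keyspace(CHARSET_SIZE, PASSWORD_LENGTH)
    print(f"keyspace: {space:.2e}")
    for gpus in (1, 8):
        worst = years(worst_case_seconds(space, BCRYPT_RATE_PER_GPU, gpus))
        avg = years(expected_seconds(space, BCRYPT_RATE_PER_GPU, gpus))
        print(f"{gpus} GPU(s): worst {worst:.0f} y, average {avg:.0f} y")
    # Raising the cost factor from the assumed 5 to 12 cuts the rate 128x.
    print(f"rate at cost 12: {bcrypt_rate_at_cost(BCRYPT_RATE_PER_GPU, 12):.1f} H/s")
```

The same functions apply to a fast unsalted hash such as NTLM by substituting its much higher per-GPU rate, which is the whole difference the thread is arguing about.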

~~~
tinus_hn
Back in the real world you don’t get to choose any of these fancy hashes when
implementing an Active Directory.

------
heyjudy
Just use that GPU power to generate rainbow tables once, which then can use the
space/time tradeoff to perpetually find passwords in seconds without a GPU.
Brute-forcing one hash at a time is pointlessly wasteful if you have the
storage.

~~~
drexlspivey
Except under standard industry practices each hashed password has a unique
salt.

~~~
ahakki
How much storage would hashing every combo with every salt take? Is it still
possible?

~~~
drexlspivey
A rainbow table for 8 chars would be 50-100 TB. If you add an 8-byte salt to
each password, multiply that number by 256^8.

~~~
heyjudy
NTLM doesn't use a salt. It's 128 bits. That's within the realm of nation
states and there's at least one public sparse NTLM rainbow table. And I said,
"if you have the storage," which you dishonestly ignored. Nice try, bucko. Got
any more red herrings that aren't relevant?

