@tinker my main disappointment with people demonstrating has strength on NTLM hashes is the same as when a pen tester tells me they got my /etc/passwd file. That hasn’t been an important security control for decades. It’s like cracking single DES passwords from 1974 unix systems. If, in 2019, NTLM hashes are protecting something important to someone, the fact that they are easier to crack is not their big problem.
@paco - If they got access to /etc/passwd file that you were using and used it to privilege escalate or make lateral movements, then I’d imagine you’d care.
Similar with corporate environments who use NTLM for localhost password storage or Active Directory authentication and have a corporate policy that allows for a minimum of eight character passwords.
This matters precisely because it is still in widespread use.
@tinker The case against NTLM was made a decade ago. The fact that it went from double digit hours to single digit hours isn’t going to motivate someone who wasn’t motivated by all the other sound reasoning. As I said, if they are knowledgable of the risks, and yet somehow still comfortable running NTLM, this isn’t going to change their mind.
A Mastodon instance for info/cyber security-minded people.