~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

@tinker those were never good passwords to begin with, but how do you counter this without changing password habits? after all moore's law will make longer and longer passwords crackable

@DJWalnut @tinker the key derivation / hashing functions get more time-consuming, too. if you open a recently created keepass file, it will take several seconds to open on rather old computers.

has some good bits in regard to that!

@DJWalnut - I recommend passphrases of five words. Easy for a person to remember, harder to crack.

Ideally use a password manager and inplement multifactor authentication every where you can.

@tinker @DJWalnut Yup. Mutate a 5+ word sentence. And maybe hash a memorable phrase and paste that in. (Heavily deters decrypting the database, but less useful in a MITM.)



Don't reuse passwords, this attack is based on the machine already being compromised.

Xkcd style passwords, 4+ random words.

If you have control over it, slow down the hashing to the maximum time you want to wait for a login to validate.

For remote attacks, limit the amount of tries per time window

@tinker does this take into account that trying a password isn't always instant tho
It will go into years if you factor that in

@piggo @tinker also doesn't Windows lock down your account after a certain number of failed tries? Or is this just for machines in an AD with policies regarding that

@Siphonay @piggo - Those are protections against online attacks. This is an offline attack where a cracker gets access to the hash first and then moves the hash onto their own computers to crack.

@piggo - This is the attempt rate against NTLM hashes in an offline attack. So you can attempt 800 Billion guesses per secone in the setup I described. You will go through every possible combination of an 8 character password (using characters that are found on standard keyboards) in less than 2 and a half hours.

@tinker Isn't NTLM hashes very weak, fast to compute?

With a traditional hash function, along with some reasonable number of rounds of PBKDF2 and 8 character passwords are still definitely viable.

@loke - Don’t think so... even slow hashes may take days at maximum. Still within an attacker’s time budget. Benchmarks will tell for certain though!

With the right number of iterations you can make the hashing take any time you want. If you set it to take a significant fraction of a second you can make even shorter passwords safe.

@tinker is there any source where I could read more about it?
Holy crap.

I got change my 8 characters password.

Password is '12345678'

I better hurry now


@tleydxdy - I dont have an accurate benchmark, but I’d estimate several hours to a day or two at max.

@tinker but iirc passwords in shadow are hashed 5000 times by default, and you can change it to 65535 if you like. Not that 8 char password is a good idea, just saying.
@tinker Guessing passwords where? On a compressed file? A website login? A remote service? What was it guessing passwords for?

Bruteforce doesnt always work the way you expect it to.

@proxeus - This is for an offline attack where a cracker has access to the password hash. Results are consistent.

@tinker Basically local encrypted data such an encrypted file, an encrypted partition, etc. I supposed that would be the case.

Using 8 character passwords for these has never been safe and using 12 is still unsafe even if it takes a little bit longer (but someone that dedicates his/her life to this probably has access to even better hardware than that).

And even if you used 32 or more, there are other ways of decrypting these in a reasonable amount of time. So I'd say, choose carefully what you encrypt and specially how you encrypt it, to make it as difficult as possible to decrypt it.

@tinker I get 18.5 hours for full search (half of it on average):

# exp (8. *. log 95.) /. 100e9 /. 36e2 ;;
- : float = 18.4283453135850586

More than ~2.5 hours… but of course nevertheless.

OTOH, in Windows one doesn't need to brute-force that much… Would be more interesting to test e.g. crypt(3).

@tinker Also, an interesting question along these lines: should one use longer passwords (12 of ASCII7 or 24 decimal digits) to log into sites? (As opposed to local storage encryption.) I'd say, yes, because the sites should store the users data properly encrypted in their databases, and the users, in their turn, should use strong enough keys, so the hassle is worth it.

@tinker Is there a link for that I can put into other social sites?

@cbowdon - In every corporate environment I’ve ever hacked.

@tinker my main disappointment with people demonstrating has strength on NTLM hashes is the same as when a pen tester tells me they got my /etc/passwd file. That hasn’t been an important security control for decades. It’s like cracking single DES passwords from 1974 unix systems. If, in 2019, NTLM hashes are protecting something important to someone, the fact that they are easier to crack is not their big problem.

@paco - If they got access to /etc/passwd file that you were using and used it to privilege escalate or make lateral movements, then I’d imagine you’d care.

Similar with corporate environments who use NTLM for localhost password storage or Active Directory authentication and have a corporate policy that allows for a minimum of eight character passwords.

This matters precisely because it is still in widespread use.

@tinker The case against NTLM was made a decade ago. The fact that it went from double digit hours to single digit hours isn’t going to motivate someone who wasn’t motivated by all the other sound reasoning. As I said, if they are knowledgable of the risks, and yet somehow still comfortable running NTLM, this isn’t going to change their mind.

@tinker @ella_kane My web host allows really long passwords which is great. Mine is 99 characters long.

But I’m still coming across websites who flip out if you go more than 13 characters.

One example, not a website, but you can’t log in to Xbox360 if your Microsoft account password is more than 13 characters I think. It might even be less >:(

@hirojin @tinker @ella_kane I dunno I just know I can’t log in to play Fable because my password is too long -_-

Emoji passwords to the rescue!!!

User: Admin
Password: ⌨️1️⃣2️⃣3️⃣4️⃣#️⃣😁👍

@tinker can I get a new standard or does that mean there's just no way to not get cracked? 20 charcaters? what?

@Wewereseeds @tinker ie you're better off using a passphrase than choosing eight random characters.

@tinker so what is the risk to a home laptop? Someone would have to physically gain access? How would my laptop pw hash be captured for hacking?

@donblanco - As long as its encrypted, you’re fine. For home networks, make sure your wifi password is long.

@tinker so are login passwords on linux typically hashed or encrypted?

@tinker Leaked hashed passwords have been considered nearly equivalent to plaintext for quite a while now. 8 character passwords are dead for anything that could be subject to an offline attack, but for the most part anything that could be subject to an offline attack is broken anyway. 8 character passwords are still fine for anything that's not likely to be subjected to an offline attack.

As long as they don't get the general and per account salt ...


But this is offline ... On online passwords are more variables involved

@tinker In order to have a hash offline, doesn't this mean that some other system has to be breached in the first place? or MITM? This seems to be something interesting in the lab, but a more rare threat in the wild.

@tinker so my 24 string of random letters and numbers is also probably not that safe?
@kaniini @tinker

NTLM is just a very shitty hash. Any remotely modern and safe password hash would still be way too much for the 8 character space.

Also, a single 💩 emoji is probably a safe password, because nobody tests for that, lol.
@tinker that's scary. brute forcing will be virtually a thing of the past.
Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.