~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)
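The arithmetic behind the "~2.5 hours" figure, as an added worked example (not part of the original post): it reproduces the 8-character, 95-character keyspace calculation at the two guess rates quoted in the thread, then extends it to longer passwords and to an assumed slow-hash rate. The slow-hash figure is a constructed number for comparison, not a benchmark.

```python
# Time-to-exhaust estimates for brute-force password search.
# Added illustration; the GPU rates are the ones quoted in the thread,
# the slow-KDF rate is an assumption for contrast.

# Upper + lower + digits + 33 printable symbols including space
# (the full US-keyboard set, 95 characters).
CHARSET_SIZE = 95

RATES = {
    "NTLM, 1x 2080Ti (post)": 100e9,
    "NTLM, 8x 2080Ti (post)": 800e9,
    "slow KDF, 8 GPUs (assumed 40k guesses/s)": 40e3,
}

def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def seconds_to_exhaust(length, rate, charset_size=CHARSET_SIZE):
    """Worst-case time to try every password of `length` at `rate` guesses/s."""
    return keyspace(length, charset_size) / rate

def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def exhaustion_table(lengths=(8, 10, 12, 16), rates=RATES):
    """Map (rate label, length) -> seconds, for every rate and length."""
    return {(label, n): seconds_to_exhaust(n, rate)
            for label, rate in rates.items() for n in lengths}

if __name__ == "__main__":
    for (label, n), secs in exhaustion_table().items():
        print(f"{label:45s} len={n:2d}  {human(secs)}")
```

Running it shows the 8-character row at roughly 2.3 hours for the 8-GPU rate and 18 hours for a single card, while each extra character multiplies the cost by 95; the same 8-character keyspace against the assumed slow-KDF rate takes thousands of years, which is the point the later replies about key-derivation cost are making.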

@tinker those were never good passwords to begin with, but how do you counter this without changing password habits? after all moore's law will make longer and longer passwords crackable

@DJWalnut @tinker the key derivation / hashing functions get more time-consuming, too. if you open a recently created keepass file, it will take several seconds to open on rather old computers.

has some good bits in regard to that!

@DJWalnut - I recommend passphrases of five words. Easy for a person to remember, harder to crack.

Ideally use a password manager and implement multifactor authentication everywhere you can.

@tinker @DJWalnut Yup. Mutate a 5+ word sentence. And maybe hash a memorable phrase and paste that in. (Heavily deters decrypting the database, but less useful in a MITM.)

@tinker does this take into account that trying a password isn't always instant tho
It will go into years if you factor that in

@piggo @tinker also doesn't Windows lock down your account after a certain number of failed tries? Or is this just for machines in an AD with policies regarding that

@Siphonay @piggo - Those are protections against online attacks. This is an offline attack where a cracker gets access to the hash first and then moves the hash onto their own computers to crack.

@piggo - This is the attempt rate against NTLM hashes in an offline attack. So you can attempt 800 Billion guesses per second in the setup I described. You will go through every possible combination of an 8 character password (using characters that are found on standard keyboards) in less than 2 and a half hours.

@tinker Aren't NTLM hashes very weak, fast to compute?

With a traditional hash function and some reasonable number of rounds of PBKDF2, 8 character passwords are still definitely viable.

@loke - Don’t think so... even slow hashes may take days at maximum. Still within an attacker’s time budget. Benchmarks will tell for certain though!

With the right number of iterations you can make the hashing take any time you want. If you set it to take a significant fraction of a second you can make even shorter passwords safe.
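To make the iteration point concrete, here is an added example (not code from anyone in the thread) that calibrates PBKDF2-HMAC-SHA256 from Python's `hashlib` to a target verification time and then estimates what that cost does to an offline attacker's throughput. The 0.25 s target, the 600,000-iteration floor and the attacker's raw iteration rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import time

# Constructed parameters for this illustration; tune to your own hardware.
TARGET_SECONDS = 0.25       # login cost we are willing to pay per verification
MIN_ITERATIONS = 600_000    # floor for PBKDF2-HMAC-SHA256 (OWASP guidance, 2023)
PROBE_ITERATIONS = 50_000   # short calibration run

def seconds_per_iteration(probe=PROBE_ITERATIONS):
    """Time one PBKDF2-HMAC-SHA256 run and return the cost of a single iteration."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", salt, probe)
    return (time.perf_counter() - start) / probe

def iterations_for_target(target_seconds, per_iteration, minimum=MIN_ITERATIONS):
    """Iteration count that makes one verification take about target_seconds,
    never dropping below the configured floor."""
    return max(minimum, math.ceil(target_seconds / per_iteration))

def hash_password(password, iterations):
    """Salted PBKDF2 record in a simple '$'-separated format (illustrative)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

def offline_exhaust_seconds(iterations, attacker_iterations_per_second,
                            length=8, charset=95):
    """Time for an attacker to try every password of `length`, given the raw
    PBKDF2 iteration throughput of their rig (an assumed figure)."""
    guesses_per_second = attacker_iterations_per_second / iterations
    return charset ** length / guesses_per_second

if __name__ == "__main__":
    per_iter = seconds_per_iteration()
    iters = iterations_for_target(TARGET_SECONDS, per_iter)
    record = hash_password("correct horse battery staple", iters)
    print(f"{iters:,} iterations -> verify ok: {verify_password('correct horse battery staple', record)}")
    # Assumed attacker: 6e11 raw PBKDF2 iterations/s across a GPU cluster.
    years = offline_exhaust_seconds(iters, 6e11) / (365.25 * 86400)
    print(f"full 8-char keyspace at that cost: {years:,.0f} years")
```

The attacker-side number is the same keyspace division as in the original post, only with the per-guess cost raised from one fast NTLM operation to hundreds of thousands of HMAC iterations; dividing the attacker's raw throughput by the iteration count is what turns "hours" into "centuries" for the same 8-character keyspace.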

@tinker is there any source where I could read more about it?
Holy crap.

I've got to change my 8 character password.

Password is '12345678'

I better hurry now


@cbowdon - In every corporate environment I’ve ever hacked.

@tinker my main disappointment with people demonstrating hash strength on NTLM hashes is the same as when a pen tester tells me they got my /etc/passwd file. That hasn’t been an important security control for decades. It’s like cracking single DES passwords from 1974 unix systems. If, in 2019, NTLM hashes are protecting something important to someone, the fact that they are easier to crack is not their big problem.

@paco - If they got access to /etc/passwd file that you were using and used it to privilege escalate or make lateral movements, then I’d imagine you’d care.

Similar with corporate environments who use NTLM for localhost password storage or Active Directory authentication and have a corporate policy that allows for a minimum of eight character passwords.

This matters precisely because it is still in widespread use.

@tinker The case against NTLM was made a decade ago. The fact that it went from double digit hours to single digit hours isn’t going to motivate someone who wasn’t motivated by all the other sound reasoning. As I said, if they are knowledgeable of the risks, and yet somehow still comfortable running NTLM, this isn’t going to change their mind.

@tinker @ella_kane My web host allows really long passwords which is great. Mine is 99 characters long.

But I’m still coming across websites who flip out if you go more than 13 characters.

One example, not a website, but you can’t log in to Xbox360 if your Microsoft account password is more than 13 characters I think. It might even be less >:(

Emoji passwords to the rescue!!!

User: Admin
Password: ⌨️1️⃣2️⃣3️⃣4️⃣#️⃣😁👍

@tinker so what is the risk to a home laptop? Someone would have to physically gain access? How would my laptop pw hash be captured for hacking?

@donblanco - As long as it’s encrypted, you’re fine. For home networks, make sure your wifi password is long.

@tinker so are login passwords on linux typically hashed or encrypted?

But this is offline ... For online passwords there are more variables involved

@tinker In order to have a hash offline, doesn't this mean that some other system has to be breached in the first place? or MITM? This seems to be something interesting in the lab, but a more rare threat in the wild.

@tinker so my 24 character string of random letters and numbers is also probably not that safe?
@tinker that's scary. brute forcing will be virtually a thing of the past.

@tinker this is why you can only enter 3 passwords at a time on some operating systems.

What about a 1 second delay between login attempts? Will ruin your calculation...

@tinker but the amount of work to check a password can be increased a lot. It just has to not take too long to inconvenience the user when logging in.

@waterbear - Yeah.... yeah. Think they are. Even on slow hashes that push it out to a couple of days to even a couple of weeks. That's still within many attackers' budgets.

The problem is the sites that have stupid password length limits, lower and upper, with even a limited character set! 🤬

@tinker But this is only if you have physical access to the machine. Remote logins usually add a delay to prevent repeated password searches. A three second delay after the first failed login would reduce bruteforce attempts to 28800 guesses per day.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.