~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)
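The arithmetic behind that figure, as an added example that is not part of the thread: it assumes the 95 printable ASCII characters (26 upper, 26 lower, 10 digits, 33 symbols) and the 100 billion guesses/s per GPU quoted above, scaled to 8 GPUs, and also extends the same calculation to the longer lengths discussed below.

```python
from math import log

# Printable ASCII: 26 upper + 26 lower + 10 digits + 33 symbols = 95 characters
CHARSET_SIZE = 26 + 26 + 10 + 33

# Rate from the post: 100 billion NTLM guesses/s on one 2080 Ti, 8 GPUs in the rig
GUESSES_PER_GPU = 100_000_000_000
GPU_COUNT = 8
RIG_RATE = GUESSES_PER_GPU * GPU_COUNT  # guesses per second

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, charset_size=CHARSET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def hours_to_exhaust(length, rate=RIG_RATE, charset_size=CHARSET_SIZE):
    """Worst-case hours to try every `length`-character password at `rate` guesses/s."""
    return keyspace(length, charset_size) / rate / 3600


def years_to_exhaust(length, rate=RIG_RATE, charset_size=CHARSET_SIZE):
    """Same worst case expressed in years, for the longer lengths."""
    return keyspace(length, charset_size) / rate / SECONDS_PER_YEAR


def min_length_for_budget(years, rate=RIG_RATE, charset_size=CHARSET_SIZE):
    """Smallest length whose full keyspace takes more than `years` to exhaust.

    Solves charset_size ** n > rate * seconds for the smallest integer n.
    """
    total_guesses = rate * years * SECONDS_PER_YEAR
    n = log(total_guesses) / log(charset_size)
    return int(n) + 1


if __name__ == "__main__":
    # 95**8 / 8e11 guesses/s is about 2.3 hours, consistent with the ~2.5 h in the post
    print(f"8 chars : {hours_to_exhaust(8):,.1f} hours")
    # Each extra character multiplies the work by 95; 12 chars is already ~21,000 years
    print(f"12 chars: {years_to_exhaust(12):,.0f} years")
    # Length needed before this rig could not exhaust the keyspace in a century
    print(f"min length to outlast 100 years on this rig: {min_length_for_budget(100)}")
```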

@tinker Guessing passwords where? On a compressed file? A website login? A remote service? What was it guessing passwords for?

Bruteforce doesn't always work the way you expect it to.

@proxeus - This is for an offline attack where a cracker has access to the password hash. Results are consistent.

@tinker Basically local encrypted data such as an encrypted file, an encrypted partition, etc. I supposed that would be the case.

Using 8 character passwords for these has never been safe and using 12 is still unsafe even if it takes a little bit longer (but someone that dedicates his/her life to this probably has access to even better hardware than that).

And even if you used 32 or more, there are other ways of decrypting these in a reasonable amount of time. So I'd say, choose carefully what you encrypt and especially how you encrypt it, to make it as difficult as possible to decrypt it.
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.