~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

NTLM is just a very shitty hash. Any remotely modern and safe password hash would still be way too much for the 8 character space.

Also, a single 💩 emoji is probably a safe password, because nobody tests for that, lol.

@rugk @shibayashi @kaniini - NTLM most certainly is dead (even for 9-char passwords). But 8-char passwords are dead across a wide variety of hash types, even slow hash types that push out the crack time for the entire keyspace to a couple of weeks. Still within many attackers' time and resource budget.

The current @discourse.org default password policy is 10 chars for user accounts, 15 chars for admins, 200 max (PBKDF2). A good policy for general adoption, imo.
