~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec


@tinker Those were never good passwords to begin with, but how do you counter this without changing password habits? After all, Moore's law will make longer and longer passwords crackable.

@DJWalnut @tinker The key derivation / hashing functions get more time-consuming, too. If you open a recently created KeePass file, it will take several seconds to open on rather old computers.

gitlab.com/cryptsetup/cryptset

has some good bits in regard to that!

@DJWalnut - I recommend passphrases of five words. Easy for a person to remember, harder to crack.

Ideally, use a password manager and implement multifactor authentication everywhere you can.

@tinker @DJWalnut Yup. Mutate a 5+ word sentence. And maybe hash a memorable phrase and paste that in. (Heavily deters decrypting the database, but less useful in a MITM.)

@DJWalnut @tinker Don't reuse passwords; this attack is based on the machine already being compromised.

Xkcd style passwords, 4+ random words.

If you have control over it, slow down the hashing to the maximum time you want to wait for a login to validate.

For remote attacks, limit the number of tries per time window.
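An added example, not code from anyone in the thread, that puts the two defensive points above together: the 8-character keyspace math against the quoted 8x 2080Ti NTLM rate, and "slow down the hashing" by calibrating a PBKDF2 iteration count to a login delay you are willing to accept. The 7776-word list size and the rough "one KDF guess costs `iterations` hashes" rate model are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Figures quoted in the thread: 100 billion NTLM guesses/s on one 2080Ti, 8 GPUs in the rig.
NTLM_GUESSES_PER_GPU = 100e9
GPUS = 8
PRINTABLE_ASCII = 95   # upper + lower + digits + symbols
WORDLIST_SIZE = 7776   # assumption: a 6^5-word diceware-style list for the passphrase case

def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must try."""
    return alphabet_size ** length

def hours_to_exhaust(space, guesses_per_second):
    return space / guesses_per_second / 3600

def attacker_rate_with_kdf(fast_hash_rate, iterations):
    """Rough model (assumption): one PBKDF2 guess costs ~`iterations` hashes."""
    return fast_hash_rate / iterations

def calibrate_iterations(target_seconds, start=10_000):
    """Double the PBKDF2 iteration count until one derivation takes >= target_seconds."""
    iters = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(16), iters)
        if time.perf_counter() - t0 >= target_seconds:
            return iters
        iters *= 2

def hash_password(password, iterations):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is stored so it can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time comparison

if __name__ == "__main__":
    rig = NTLM_GUESSES_PER_GPU * GPUS
    print(f"8 printable chars vs NTLM: {hours_to_exhaust(keyspace(PRINTABLE_ASCII, 8), rig):.1f} h")
    print(f"5 random words vs NTLM:    {hours_to_exhaust(keyspace(WORDLIST_SIZE, 5), rig) / 24:.0f} days")
    iters = calibrate_iterations(0.25)          # ~0.25 s per login on this machine
    slow = attacker_rate_with_kdf(rig, iters)
    print(f"PBKDF2 at {iters} iterations cuts the same rig to about {slow:.2e} guesses/s")
    print(f"8 printable chars vs that KDF: {hours_to_exhaust(keyspace(PRINTABLE_ASCII, 8), slow) / 8760:.0f} years")
```

The stored string carries its own iteration count, so the cost can be raised on the next successful login as hardware speeds up, which is the thread's answer to the Moore's-law question.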
