Hashcat, the free, open-source password-cracking tool, can crack any Windows NTLM password of 8 characters or fewer in less time than it takes to watch the Avengers movie.
In a Twitter post this month, those behind the Hashcat project said that a hand-tuned machine running the beta version of Hashcat 6 with eight Nvidia GPUs could calculate 100 billion hashes a second.
Using simple math, that means every possible 8-character combination can be tried in less than 2.5 hours.
Although NTLM is the older Windows password authentication protocol, replaced some time ago by Kerberos, NTLM "hashes" are still present on Windows networks and systems for backward compatibility.
If you don't want to pay the $10,000 for a system like the one above, do not worry. You can rent the computing time needed to crack a password on Amazon for about $25.
Worse yet, some services, like Facebook, allow you to create even shorter passwords. That may not be as risky as it sounds, though: while the rig above can calculate 100 billion Windows NTLM hashes a second, Facebook probably uses a different algorithm (probably!). The same rig could calculate only 118,000 bcrypt hashes a second, because bcrypt was specifically designed to thwart these types of attacks.
So how long is long enough? A passphrase is best. Comics have popularized the passphrase correcthorsebatterystaple. Obviously, don't use that one, but a passphrase of three, four or even five words that mean something to you and no one else is ideal.
And of course, if you use a password manager like LastPass, you can tell it to generate very long random passwords, because you never have to remember or type them.
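The "simple math" behind the 8-character estimate, the NTLM-versus-bcrypt comparison and the passphrase advice above, as an added example that is not part of this alert: worst-case time to exhaust a keyspace at the quoted guess rates. The character-set size (95 printable ASCII characters) and the 7,776-word list are assumptions; the result depends on which character set the 2.5-hour figure assumed.

```python
# Added example, not from the alert. Rates are the figures quoted above;
# the character-set sizes and word-list size are assumptions.

NTLM_RATE = 100e9       # NTLM guesses/s quoted for the eight-GPU rig
BCRYPT_RATE = 118_000   # bcrypt guesses/s quoted for the same rig
PRINTABLE_ASCII = 95    # assumption: full printable US-ASCII set
LOWER_ALNUM = 36        # assumption: a-z plus digits
WORDLIST = 7_776        # assumption: Diceware-sized word list


def keyspace(symbols: int, length: int) -> int:
    """Number of candidates for `length` positions drawn from `symbols` choices."""
    return symbols ** length


def exhaust_seconds(symbols: int, length: int, rate: float) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses per second."""
    return keyspace(symbols, length) / rate


def slowdown(fast_rate: float, slow_rate: float) -> float:
    """How many times longer an exhaustive search takes at the slower rate."""
    return fast_rate / slow_rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that is at least 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # A full 8-character printable password against NTLM versus bcrypt.
    print("8 printable chars, NTLM  :", human(exhaust_seconds(PRINTABLE_ASCII, 8, NTLM_RATE)))
    print("8 printable chars, bcrypt:", human(exhaust_seconds(PRINTABLE_ASCII, 8, BCRYPT_RATE)))
    # Length beats character-set size: 12 lowercase alphanumerics vs 8 printable.
    print("12 lower-alnum chars, NTLM:", human(exhaust_seconds(LOWER_ALNUM, 12, NTLM_RATE)))
    # Passphrases: each added word multiplies the work by the word-list size.
    for words in (3, 4, 5):
        print(f"{words}-word passphrase, NTLM:", human(exhaust_seconds(WORDLIST, words, NTLM_RATE)))
    print(f"bcrypt at the quoted rates is {slowdown(NTLM_RATE, BCRYPT_RATE):,.0f}x slower to attack")
```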
For now, the biggest risk is to Windows users. Use passwords longer than 8 characters. Source: The Register.