8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours

BeauHD posted in Slashdot: “HashCat, an open-source password recovery tool, can now crack an eight-character password hash in less than 2.5 hours.

“Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be in less than 2.5 hours” using a hardware rig that utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. “The eight character password is dead.” From the report: It’s dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory.

NTLM is an old authentication protocol that has since been replaced with Kerberos. According to Tinker, it’s still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

Tinker estimates that buying the GPU power described would require about $10,000; others have claimed the necessary computer power to crack an eight-character NTLM password hash can be rented in Amazon’s cloud for just $.

NIST’s latest guidelines say passwords should be at least eight characters long. Some online service providers don’t even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while , Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six.

Tinker said the eight character password was used as a benchmark because it’s what many organizations recommend as the minimum password length and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything?

Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD. That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

That is, by the way, exactly what KnowBe4’s Chief Hacking Officer Kevin Mitnick has been saying for the last few years now. Train your employees to create a short passphrase that takes years to crack.
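To show where the 2.5-hour figure comes from, and why the passphrase advice above holds, here is a small keyspace calculator added for this post (not code from the article, Tinker or the hashcat project). It assumes a throughput of roughly 100 GH/s of NTLM per GTX 2080 Ti, which is a figure taken from hashcat benchmark reports rather than from the article; everything else is arithmetic on the page's own numbers.

```python
import math

# Assumed throughput, not a figure stated in the article: hashcat benchmarks
# put NTLM at roughly 100 GH/s per GTX 2080 Ti, so Tinker's eight-GPU rig
# lands near 800 GH/s. Change this to model a different attacker.
NTLM_RATE_PER_GPU = 100e9
GPU_COUNT = 8
RIG_RATE = NTLM_RATE_PER_GPU * GPU_COUNT

PRINTABLE_ASCII = 95        # the full printable-ASCII alphabet (hashcat ?a)
DICEWARE_WORDS = 7776       # 6^5 entries, the standard Diceware list size

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def entropy_bits(space):
    """Keyspace size expressed in bits, for comparing policies."""
    return math.log2(space)


def exhaust_seconds(space, rate=RIG_RATE):
    """Worst-case seconds to try every candidate at `rate` hashes per second.
    The expected time to hit one particular password is half of this."""
    return space / rate


def policy_report(rate=RIG_RATE):
    """Compare the eight-character minimum with the two alternatives the
    article recommends. Returns {label: (bits, worst-case seconds)}."""
    cases = {
        "8 random printable characters": keyspace(PRINTABLE_ASCII, 8),
        "5 random Diceware words": keyspace(DICEWARE_WORDS, 5),
        "20 random printable characters": keyspace(PRINTABLE_ASCII, 20),
    }
    return {name: (round(entropy_bits(s), 1), exhaust_seconds(s, rate))
            for name, s in cases.items()}


if __name__ == "__main__":
    for name, (bits, secs) in policy_report().items():
        unit = ("hours", secs / SECONDS_PER_HOUR) if secs < SECONDS_PER_YEAR \
            else ("years", secs / SECONDS_PER_YEAR)
        print(f"{name:32s} {bits:6.1f} bits  {unit[1]:12.3g} {unit[0]}")
```

Note that NTLM is a fast, unsalted hash, so even a five-word passphrase from a 7776-word list only buys about a year against this rig; a long random password from a manager is what pushes exhaustive search out of reach.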


Find out how affordable new-school security awareness training is for your organization. Get a quote now.
