Short Windows passwords hackable in just a few hours

Any NTLM password of eight characters or fewer can be cracked in hours without exceptional hardware. Using special characters makes no difference.

It takes less time to crack an eight-character NTLM password than to commute from Ostend to Brussels in a rainy rush hour. Researchers at Hashcat, a tool for recovering forgotten passwords (or cracking passwords you never knew), combined their software with a powerful computer and found that it takes at most 2.5 hours to guess such a password.

Unsafe protocol

The NTLM authentication protocol, which Microsoft uses for network access to Active Directory and Windows systems among other things, has been known for almost a decade to use too simple a hash function, which leaves it open to brute-force attacks. Microsoft has already addressed this problem with Kerberos, a more robust standard, but NTLM is still supported.

The Hashcat researchers ran their program on a system with eight Nvidia GeForce 2080 Ti GPUs. With that hardware the software reached a speed of more than 100 gigahashes per second. At that rate it took at most a few hours to crack an eight-character password, regardless of its complexity.

Minimum length

Eight characters was not chosen as the length by chance. Most websites use eight as the minimum password length, and most users do not go far beyond that minimum. The perception persists that choosing a complex password is a good idea; many websites even require uppercase, lowercase, digits and special characters in one password. The result is hard-to-remember strings like T3chZ! Such passwords are difficult only for the people who have to remember them; machines guess them easily.

Even with safer protocols than NTLM, eight characters is no longer enough. A brute-force attack then takes days rather than hours, but with the computing power available from the cloud today, that hurdle is easy to clear as well.
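A worked version of the arithmetic behind the numbers in the paragraphs above (the 100 gigahashes per second figure, the eight-GPU machine, and the claim that an eight-character password falls in hours while longer ones do not). This is an added example, not code from the article or from the Hashcat project. It assumes an attacker who tries every string of a given length from a known alphabet; the alphabet sizes and the reading of "100 gigahashes per second" as a per-card rate (so the eight-card machine runs at roughly 800 GH/s in total) are my assumptions, chosen because the resulting 95^8 keyspace then exhausts in about 2.3 hours, close to the article's 2.5.

```python
"""Brute-force cost arithmetic: keyspace = alphabet ** length, time = keyspace / rate.

Constructed illustration. The only figures taken from the article are the
100 GH/s rate, the eight-GPU machine and the 2.5-hour result for eight characters.
"""
import math

# Alphabet sizes an attacker might assume for an exhaustive (mask) search.
# These are assumptions for the illustration, not values from the article.
PRINTABLE_ASCII = 95       # 26 upper + 26 lower + 10 digits + 33 symbols
LOWERCASE = 26
LOWERCASE_WITH_SPACE = 27  # lowercase words separated by spaces, as in a passphrase
DICEWARE_LIST = 7776       # size of a 6^5 diceware word list

GH = 1e9
PER_GPU_RATE = 100 * GH    # "more than 100 gigahashes per second", read as per card (assumption)
RIG_RATE = 8 * PER_GPU_RATE  # eight cards, as in the article


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for every string of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Candidates for every string of length 1..max_length (what a full incremental run walks)."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """Size of a keyspace expressed as bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def hours_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst case: the whole keyspace is tried. On average a password falls at half this."""
    return space / hashes_per_second / 3600.0


def human_time(hours: float) -> str:
    """Render an hour count in the unit a reader would naturally use."""
    if hours < 48:
        return f"{hours:.1f} hours"
    if hours < 24 * 365 * 2:
        return f"{hours / 24:.1f} days"
    return f"{hours / (24 * 365):,.0f} years"


def compare(rate: float = RIG_RATE):
    """Rows of (label, bits, worst-case hours) for the policies the article contrasts."""
    cases = [
        ("8 chars, any printable ASCII", keyspace(PRINTABLE_ASCII, 8)),
        ("12 chars, lowercase only", keyspace(LOWERCASE, 12)),
        ("16 chars, lowercase only", keyspace(LOWERCASE, 16)),
        ("28 chars, lowercase + space (4-word phrase)", keyspace(LOWERCASE_WITH_SPACE, 28)),
        ("6 words, attacker knows the 7776-word list", keyspace(DICEWARE_LIST, 6)),
    ]
    return [(label, entropy_bits(space), hours_to_exhaust(space, rate)) for label, space in cases]


if __name__ == "__main__":
    print(f"Hash rate assumed: {RIG_RATE / GH:.0f} GH/s (8 GPUs x {PER_GPU_RATE / GH:.0f} GH/s)")
    for label, bits, hours in compare():
        print(f"{label:<46} {bits:5.1f} bits  {human_time(hours)}")
```

The interesting row is the last one: a six-word phrase is roughly 8,800 years of work even for an attacker who knows the exact word list, and far more for one who has to treat it as 28 arbitrary characters. The jump from hours to centuries comes entirely from length, which is the article's point; swapping a letter for a symbol only nudges the alphabet from 26 to 95 and changes nothing of that order.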

Secure password

It is much safer to use a passphrase. Length determines the strength of your password, not the number of complex characters. No hacker will panic because you had the brilliant idea of putting an ampersand in your password. Years ago, xkcd explained very clearly what best practice for a secure password is, and what was right then is more relevant today than ever.

Image: xkcd

Do you have important passwords of eight characters? Then consider changing them. A password manager can generate long, safe passphrases for you, but you can also do it yourself. The example above shows that a long password does not have to be harder to remember. Other security advice remains relevant too: make sure your password is random, and enable two-factor authentication wherever possible.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.