Broken news that HashCat, an open source password recovery tool, can now crack an eight-character Windows NTLM password hash in under 2.5 hours. This comes not long after the news that 620 million hacked accounts went on sale on the dark web.
In a Twitter post on Wednesday, those behind the software project said a hand-tuned build of the version 6.0.0 HashCat beta, utilising eight Nvidia GTX 2080Ti GPUs in an offline attack, exceeded the NTLM cracking speed benchmark of 100GH/s (gigahashes per second).
Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs • The Register https://t.co/tDgIVvURtc
— BigBroVegan🌻🇪🇺Ⓥ (@BigBroVegan) February 15, 2019
Expert Comments below:
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“Longer passwords take longer to crack with brute force methods, this is obvious. However, studies show that forcing frequent password changes and increased length reduces the uniqueness of each password as end users will typically just append or prepend a special character or set of characters to their standard password. Repeated characters also reduce the time it takes to brute force them. Where their password is too short in general then we see a lot of people using ‘companyname1’ then ‘companyname2’ on the next expiration. Ultimately passwords are fallible and they should be backed up by two-factor authentication wherever possible.
“In an ideal world we’d move beyond passwords and on to something that is unique to you as a person, biometrics as an example. However even where this is possible your bio data is generally just used to ‘unlock’ a password in a database. It all comes back to passwords and that needs to change.
“In the meantime, two-factor authentication should be used and systems should alert the end user when a password check is passed and a subsequent two-factor check is failed or abandoned. This would allow the end user to know that their password is compromised so they can change it to ensure both parts of the authentication are secure.
“In terms of NTLM bruteforcing to which this article relates, the NTLM method has long been shelved in favour of the newer Kerberos and it’s improved algorythm. To crack Kerberos eight character passwords takes a significantly longer time than with NTLM. Yes there are some NTLM stores that should be guarded such as the NTDS.dit file stored locally on each Domain Controller but the passwords required to get local access to those is Kerberos protected generally.”