News has broken that HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in under 2.5 hours. This comes not long after the news that 620 million hacked accounts went on sale on the dark web.
In a Twitter post on Wednesday, those behind the software project said a hand-tuned build of the version 6.0.0 HashCat beta, utilising eight Nvidia GTX 2080Ti GPUs in an offline attack, exceeded the NTLM cracking speed benchmark of 100GH/s (gigahashes per second).
Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs • The Register https://t.co/tDgIVvURtc
— VeganBigBro KPSS Ⓥ 🌻🌱 (@VeganBigBro) February 15, 2019
Expert Comments below:
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“In an ideal world we’d move beyond passwords and on to something that is unique to you as a person, biometrics as an example. However, even where this is possible, your bio data is generally just used to ‘unlock’ a password in a database. It all comes back to passwords and that needs to change.
“In the meantime, two-factor authentication should be used and systems should alert the end user when a password check is passed and a subsequent two-factor check is failed or abandoned. This would allow the end user to know that their password is compromised so they can change it to ensure both parts of the authentication are secure.
“In terms of NTLM brute-forcing, to which this article relates, the NTLM method has long been shelved in favour of the newer Kerberos and its improved algorithm. To crack Kerberos eight-character passwords takes a significantly longer time than with NTLM. Yes, there are some NTLM stores that should be guarded, such as the NTDS.dit file stored locally on each Domain Controller, but the passwords required to get local access to those are Kerberos protected generally.”
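The alerting rule Hart describes above (notify the user when the password step passed but the second factor then failed or was never completed) as an added example, not code from the article or from Digital Guardian. It works over a constructed list of authentication events; the event format, the five-minute correlation window and all user names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample authentication events, not taken from the article:
# (ISO timestamp, user, step, outcome). step is "password" or "mfa";
# outcome is "success" or "failure". An abandoned MFA step simply never
# produces an "mfa" event after the password success.
SAMPLE_EVENTS = [
    ("2019-02-15T10:00:00", "alice", "password", "success"),
    ("2019-02-15T10:00:04", "alice", "mfa", "success"),
    ("2019-02-15T10:05:00", "bob", "password", "success"),
    ("2019-02-15T10:05:30", "bob", "mfa", "failure"),
    ("2019-02-15T10:06:10", "bob", "mfa", "failure"),
    ("2019-02-15T10:10:00", "carol", "password", "success"),
    ("2019-02-15T10:20:00", "dave", "password", "failure"),
    ("2019-02-15T10:58:00", "erin", "password", "success"),
]

def find_suspect_password_successes(events, now, window=timedelta(minutes=5)):
    """Return [(user, password_success_time, reason)] for every password
    success that was not followed by an MFA success within `window`.

    reason is "mfa_failed" when at least one MFA failure was seen in the
    window, and "mfa_abandoned" when no MFA event was seen and the window
    has expired relative to `now`. A password success whose window is still
    open yields nothing yet, so the function can be re-run as events arrive.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    parsed = sorted((datetime.fromisoformat(ts), user, step, outcome)
                    for ts, user, step, outcome in events)
    alerts = []
    for ts, user, step, outcome in parsed:
        if step != "password" or outcome != "success":
            continue  # only a passed password check can be "half-authenticated"
        deadline = ts + window
        mfa_outcomes = [o for t, u, s, o in parsed
                        if u == user and s == "mfa" and ts < t <= deadline]
        if "success" in mfa_outcomes:
            continue  # both factors passed: nothing to report
        if "failure" in mfa_outcomes:
            alerts.append((user, ts, "mfa_failed"))
        elif now > deadline:
            alerts.append((user, ts, "mfa_abandoned"))
    return alerts

if __name__ == "__main__":
    for user, ts, reason in find_suspect_password_successes(SAMPLE_EVENTS, "2019-02-15T11:00:00"):
        print(f"notify {user}: password accepted at {ts:%H:%M:%S} but {reason}; advise a password change")
```

Correlating on user and time window is an approximation: the MFA failure could belong to a different session of the same user, so a real deployment should join on a session identifier where the authentication system provides one.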