~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec

@tinker Aren't NTLM hashes very weak, fast to compute?

With a traditional hash function and some reasonable number of rounds of PBKDF2, 8 character passwords are still definitely viable.

@loke - Don’t think so... even slow hashes may take days at maximum. Still within an attacker’s time budget. Benchmarks will tell for certain though!


@tinker
With the right number of iterations you can make the hashing take any time you want. If you set it to take a significant fraction of a second you can make even shorter passwords safe.
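A worked estimate, added here and not written by anyone in the thread, that reproduces the 8-character NTLM figure from the first post and then applies the point about iteration counts from the last reply. The GPU rate and GPU count are the thread's numbers; the "one iteration costs one fast hash" model is an assumption.

```python
# Added example, not part of the thread: reproduce the 8-character/NTLM
# cracking estimate and show how PBKDF2 iteration counts change it.
import math

# Character classes listed in the thread; sizes are printable ASCII
# (26 upper + 26 lower + 10 digits + 33 symbols = 95).
CHARSET_SIZES = {"upper": 26, "lower": 26, "number": 10, "symbol": 33}

NTLM_RATE_PER_GPU = 100e9    # guesses/s on one 2080Ti, figure quoted in the thread
GPU_COUNT = 8                # "8x 2080Ti GPUs"
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length, classes=tuple(CHARSET_SIZES)):
    """Number of distinct passwords of `length` over the chosen classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_sec, classes=tuple(CHARSET_SIZES)):
    """Time to try the whole keyspace at the given rate (worst case for the attacker)."""
    return keyspace(length, classes) / guesses_per_sec


def slow_hash_rate(fast_rate, iterations):
    """Assumed model: an iterated hash (e.g. PBKDF2) costs `iterations` times a
    single fast hash. Real PBKDF2-HMAC iterations cost more than NTLM's single
    MD4, so this overstates the attacker's speed, i.e. it is conservative."""
    return fast_rate / iterations


def iterations_for_target(length, target_seconds, fast_rate, classes=tuple(CHARSET_SIZES)):
    """Smallest iteration count (under the model above) for which exhausting
    the keyspace takes at least `target_seconds` at `fast_rate`."""
    return math.ceil(target_seconds * fast_rate / keyspace(length, classes))


def report():
    rate = NTLM_RATE_PER_GPU * GPU_COUNT
    ntlm_hours = seconds_to_exhaust(8, rate) / 3600
    pbkdf2_years = seconds_to_exhaust(8, slow_hash_rate(rate, 10_000)) / SECONDS_PER_YEAR
    needed = iterations_for_target(8, 10 * SECONDS_PER_YEAR, rate)
    return {"ntlm_hours": ntlm_hours, "pbkdf2_10k_years": pbkdf2_years, "iters_for_10y": needed}


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:,.2f}")
```

The 8-GPU NTLM case lands at roughly 2.3 hours; 10,000 PBKDF2 iterations push the same keyspace past two and a half years, and the model tells you the iteration count needed to reach a chosen target.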
