~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec

@tinker Aren't NTLM hashes very weak, fast to compute?

With a traditional hash function and some reasonable number of rounds of PBKDF2, 8 character passwords are still definitely viable.

@loke - Don’t think so... even slow hashes may take days at maximum. Still within an attacker’s time budget. Benchmarks will tell for certain though!
With the right number of iterations you can make the hashing take any time you want. If you set it to take a significant fraction of a second you can make even shorter passwords safe.
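The arithmetic behind the post's ~2.5 hour figure and the iteration-count argument in the last reply, as an added example that is not part of the original thread. It assumes hashcat's 95-character ?a alphabet and, as a deliberate simplification, that one PBKDF2 iteration costs the same as one NTLM hash, which favours the attacker and so makes the PBKDF2 estimates lower bounds.

```python
import math
import string

# Character classes named in the post. The symbol class follows hashcat's ?s
# set (33 printable punctuation characters including space), so all four
# together give the familiar 95-character printable ASCII alphabet.
CHARSET_SIZES = {
    "upper": len(string.ascii_uppercase),      # 26
    "lower": len(string.ascii_lowercase),      # 26
    "number": len(string.digits),              # 10
    "symbol": len(string.punctuation) + 1,     # 32 + space = 33
}
ALL_CLASSES = ("upper", "lower", "number", "symbol")

# Figures quoted in the post: 100 billion NTLM guesses/s per 2080Ti, 8 GPUs.
NTLM_RATE_PER_GPU = 100e9
GPU_COUNT = 8
RIG_RATE = NTLM_RATE_PER_GPU * GPU_COUNT

SECONDS_PER_YEAR = 365.25 * 86400

def keyspace(length, classes=ALL_CLASSES):
    """Number of candidate passwords of exactly `length` characters."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length

def seconds_to_exhaust(length, rate=RIG_RATE, iterations=1, classes=ALL_CLASSES):
    """Worst-case time to try every candidate at `rate` hashes per second.

    `iterations` models a slow KDF such as PBKDF2: each guess then costs that
    many underlying hash computations, so throughput falls proportionally.
    Assumption: the per-iteration rate equals the NTLM rate, which is generous
    to the attacker, so the result is a lower bound on real cracking time.
    """
    return keyspace(length, classes) * iterations / rate

def iterations_for_target(length, target_seconds, rate=RIG_RATE, classes=ALL_CLASSES):
    """Smallest iteration count for which exhausting the keyspace takes at
    least `target_seconds` at `rate` hashes per second."""
    return math.ceil(target_seconds * rate / keyspace(length, classes))

if __name__ == "__main__":
    hours = seconds_to_exhaust(8) / 3600
    print(f"8-char ?a keyspace: {keyspace(8):,} -> {hours:.1f} h on 8x 2080Ti (NTLM)")
    print(f"6-char ?a keyspace on the same rig: {seconds_to_exhaust(6):.2f} s")
    n = iterations_for_target(8, 10 * SECONDS_PER_YEAR)
    print(f"PBKDF2 iterations so that 8 chars take >= 10 years: {n:,}")
```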
