Many websites and services advise you to use a password with a minimum of eight characters and a mix of upper and lowercase letters, numbers and special characters.
That's been the norm for passwords for years now. Unfortunately for you, that "complex" password can be cracked in hours.
HashCat, an open source password recovery tool, has just demonstrated the ability to crack an eight-character Windows NTLM password hash in under 2.5 hours. That's less time than it would take you to watch the Avengers: Infinity War movie.
One of the cybersecurity researchers behind the project posted to Twitter yesterday, detailing their custom password-cracking build. They used the HashCat 6.0.0 beta coupled with eight Nvidia GTX 2080Ti GPUs in an offline attack.
"Eight character passwords are dead," Tinker proclaimed.
So a few clarifications here. NTLM is an old Windows authentication protocol that's since been replaced. However, Tinker claims that it's still used to store Windows passwords locally.
That's bad enough before you even consider what websites require. While some sites like Google and Microsoft demand a minimum eight-character password, others like Facebook and Twitter only insist on six characters. Complexity rules only randomise your password so that a person guessing can't accidentally hit on the answer; a cracking system that brute-forces every combination is barely slowed down by them.
That's why, Tinker says, a better password would be five random words (about four or five characters each) strung together to become a 20-character password.
Enforcing capitalisation and special characters makes a password harder for the user to remember, so they usually pick the minimum length required, thinking they're safe behind the "complexity" of it.
Your best bet, then, is to use a reliable password manager and select the maximum password length allowed. Barring that, start using passwords like "greencrazytigerbuilding" or some such, and back them up with two-factor authentication.
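As an added illustration (not from the article, and not HashCat's own output), the script below takes the article's one measured figure, an eight-character mixed password exhausted in 2.5 hours, to derive an implied guess rate, then applies that rate to other policies. The 95-symbol printable-ASCII alphabet and the 7776-word Diceware-style list are assumptions, as is treating the 2.5 hours as a full sweep of the keyspace.

```python
"""Estimate how long an offline brute-force run needs to exhaust a password
policy's keyspace. Added example, not from the article or from HashCat.
The only measured figure comes from the article: eight mixed characters of
NTLM in 2.5 hours. Everything else (the 95-symbol printable-ASCII alphabet,
the 7776-word Diceware-style list) is an assumption used for illustration.
"""
import math

PRINTABLE_ASCII = 95            # upper, lower, digits, specials (assumed alphabet)
LOWERCASE = 26
WORDLIST_SIZE = 7776            # 6^5 words, the size of a Diceware list (assumption)

ARTICLE_LENGTH = 8
ARTICLE_SECONDS = 2.5 * 3600    # "under 2.5 hours", taken as the full run time


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates the attacker must try in the worst case."""
    return alphabet ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed in bits, the usual way to compare policies."""
    return math.log2(space)


def implied_guess_rate() -> float:
    """Guesses per second needed to exhaust 95^8 in 2.5 hours (assumes the
    run covered the whole printable-ASCII space)."""
    return keyspace(ARTICLE_LENGTH, PRINTABLE_ASCII) / ARTICLE_SECONDS


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return space / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


POLICIES = {
    "6 mixed chars (a six-character minimum)": keyspace(6, PRINTABLE_ASCII),
    "8 mixed chars (the article's case)": keyspace(8, PRINTABLE_ASCII),
    "20 lowercase chars, attacker tries characters": keyspace(20, LOWERCASE),
    "5 random words, attacker knows the 7776-word list": keyspace(5, WORDLIST_SIZE),
}

if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied rate: {rate:,.0f} guesses/s")
    for name, space in POLICIES.items():
        print(f"{name:52} {entropy_bits(space):5.1f} bits  "
              f"{human(seconds_to_exhaust(space, rate))}")
```

The last row is the caveat behind Tinker's advice: if the attacker guesses whole words from a known list rather than characters, a five-word passphrase is roughly a year of work at this rate, so a larger list or a sixth word matters more than capital letters.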