"Stop Using 8 Character Passwords" Say Researchers, As They Can Be Guessed In Just 2.5 Hours
Many websites and services advise you to use a password with a minimum of eight characters and a mix of upper and lowercase letters, numbers and special characters. Unfortunately for you, that "complex" password can be cracked in mere hours.
Many websites and services advise you to use a password with a minimum of eight characters and a mix of upper and lowercase letters, numbers and special characters.
That's been the norm for passwords for years now. Unfortunately for you, that "complex" password can be cracked in hours.
HashCat, an open source password recovery tool, has just been shown to crack an eight-character Windows NTLM password hash in under 2.5 hours. That's less time than it would take you to watch the Avengers: Infinity War movie.
One of the cybersecurity researchers behind the project posted to Twitter yesterday, detailing their custom password-cracking build. They used a version of the 6.0.0 HashCat beta, coupled to eight Nvidia GTX 2080Ti GPUs in an offline attack.
"Eight character passwords are dead," Tinker proclaimed.
If you have a perfectly random eight character password with upper, lower, number and symbol, it will be cracked in (on average), 1 hour and 15 minutes.
— Tinker (@TinkerSec) February 14, 2019
If you choose a common schema, such as a word or name, capitalize the first letter, followed by a number, it'll be cracked instantly.
So a few clarifications here. NTLM is an old Windows authentication protocol that's since been replaced. However, Tinker claims that it's still used to store Windows passwords locally.
This is bad enough before you even consider the password guidelines websites actually enforce. While some sites like Google and Microsoft demand a minimum eight-character password, others like Facebook and Twitter only insist on six characters. The complexity of your password only randomizes it so that a person guessing can't accidentally hit on the answer. For a brute-force cracking system, however, it doesn't even slow things down that much.
That's why, Tinker says, a better password would be five random words (about four or five characters each) strung together to become a 20-character password.
Ideally use a password manager with random passes at max character length and multifactor authentication.
— Tinker (@TinkerSec) February 14, 2019
Otherwise a five word passphrase (random words), all lower case, no weird symbols (easy to memorize) is good too! (Still use MFA).
Enforcing capitalisation and special characters makes a password harder for the user to remember, so they then usually pick the minimum length required thinking they're safe behind the "complexity" of it.
Your best bet then is using a reliable password manager and selecting the maximum password length allowed. Barring that, maybe instead start using passwords like "greencrazytigerbuilding" or some such, and back it up with two factor authentication.
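To make the arithmetic behind the article concrete, here is an added Python example (not code from the article or from the HashCat project) that estimates how long an exhaustive search would take for different password policies. It assumes the article's 2.5-hour figure corresponds to trying every string of eight printable ASCII characters (95 symbols), and derives a guesses-per-second rate from that; the dictionary sizes used for the passphrase and "Word1"-style pattern are constructed assumptions, not figures from the article.

```python
import math

# Assumption: the article's "under 2.5 hours" is an exhaustive search of
# every 8-character string drawn from the 95 printable ASCII characters.
PRINTABLE_ASCII = 95
ARTICLE_LENGTH = 8
ARTICLE_SECONDS = 2.5 * 3600

# Guesses per second implied by the article's numbers (derived, not measured).
IMPLIED_RATE = (PRINTABLE_ASCII ** ARTICLE_LENGTH) / ARTICLE_SECONDS


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of a given length over a given alphabet."""
    return alphabet_size ** length


def passphrase_space(words: int, dictionary_size: int) -> int:
    """Number of distinct passphrases built from `words` random dictionary words."""
    return dictionary_size ** words


def pattern_space(dictionary_size: int, digits: int = 1) -> int:
    """Candidates for the 'capitalised word followed by digits' schema.

    Capitalising the first letter is a fixed rule, so it adds no choices;
    only the word and the trailing digits vary.
    """
    return dictionary_size * (10 ** digits)


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly random choice from `space` candidates."""
    return math.log2(space)


def exhaustive_hours(space: int, rate: float = IMPLIED_RATE) -> float:
    """Hours to try every candidate at `rate` guesses per second."""
    return space / rate / 3600


def average_hours(space: int, rate: float = IMPLIED_RATE) -> float:
    """Expected hours to hit a random target: half the exhaustive time."""
    return exhaustive_hours(space, rate) / 2


def compare_policies() -> dict:
    """Return (entropy bits, average crack hours) for several policies.

    Dictionary sizes below are constructed assumptions for illustration:
    7776 words (a common diceware list size) for random passphrases, and
    100,000 words for the 'common word + digit' schema.
    """
    policies = {
        # The article's case: 8 chars, upper/lower/digit/symbol.
        "8 chars, full printable ASCII": keyspace(PRINTABLE_ASCII, 8),
        # Minimum many sites accept: 6 chars, same alphabet.
        "6 chars, full printable ASCII": keyspace(PRINTABLE_ASCII, 6),
        # Tinker's suggestion: 5 random words, ~20 lowercase letters total.
        "5 random words (7776-word list)": passphrase_space(5, 7776),
        # Same passphrase attacked as plain lowercase letters, not as words.
        "20 lowercase letters": keyspace(26, 20),
        # The schema Tinker says falls instantly: Word + one digit.
        "Capitalised word + 1 digit (100k words)": pattern_space(100_000, 1),
    }
    return {
        name: (round(entropy_bits(space), 1), average_hours(space))
        for name, space in policies.items()
    }


if __name__ == "__main__":
    for name, (bits, hours) in compare_policies().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{hours:,.3f} h on average")
```

Running it shows why the article's advice favours length over symbol mixing: the 8-character "complex" policy sits at about 52.6 bits, while five random words from even a modest list exceed 64 bits and push the average search from hours into years at the same guessing rate, and the "Word1" schema collapses to well under a second because the capital letter and digit add almost nothing the guesser has to search.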