8-character Windows passwords turn out to be crackable in just 2.5 hours


by Brian Klug

Hacker Tinker, who conducts security research, reports that combining NVIDIA's latest GPU, the GeForce RTX 2080 Ti, with the open source password cracking tool "hashcat" makes it possible to crack an 8-character Windows password in only 2.5 hours.

Use an 8-char Windows NTLM password? Do not. Every single one can be cracked in under 2.5hrs • The Register
https://www.theregister.co.uk/2019/02/14/password_length/

In 2011, security researcher Steven Myer warned that "8-character passwords will be broken in 44 days with a brute force attack". But four years later, in 2015, software developer Jeff Atwood said that "the length of the average password is eight characters", and it does not appear that many people have made an effort to change the length of their passwords.

In February 2019, it also became known that account information for about 600 million accounts, stolen from 16 sites, was being sold on the dark web.

Account information of 600 million people stolen from all 16 sites will be on sale on the dark web - GIGAZINE



Meanwhile, hacker Tinker measured the speed of cracking hashed passwords using hashcat version 6.0.0 beta and a GeForce RTX 2080 Ti. Tinker says, "With the current password cracking benchmark, we can break through within two and a half hours no matter how complicated an 8-character password is," which makes an 8-character password almost pointless.

Tinker's brute force attack is effective against organizations that use Windows and Active Directory with NTLM authentication. NTLM is an old Windows authentication protocol that has since been superseded by a newer authentication method called Kerberos, but according to Tinker, NTLM continues to be used when Windows passwords are stored locally or in Active Directory domain controller databases.



The National Institute of Standards and Technology has said of password length that "a minimum of at least 8 characters is desirable". But according to a survey conducted by security researcher Troy Hunt in 2018, Google, Microsoft and others require at least 8 characters when setting a password, whereas Facebook, LinkedIn, Twitter and others require only at least 6 characters.

Tinker points out, "People are asked to set complex strings of mixed uppercase letters, lowercase letters, numbers and symbols when making passwords, but this makes it hard for people to remember their passwords." He states that, because of this requirement, many users tend to make 8-character passwords, which is the minimum number of characters required when setting passwords.

Regarding the theory that "passwords should mix uppercase letters, lowercase letters, numbers, etc.", a password expert has acknowledged that "complicating the character string did not make any sense".

Password experts acknowledge that the past argument was wrong as "capital letters, numbers and signs were meaningless" - GIGAZINE



So, Tinker says, "when you set a password you'd better combine five words randomly." For example, a password that combines five words in this way, "phonecoffeesilverrisebaseball", is said to be more secure than an 8-character complex password such as "Lm7xR0w". He also states that enabling 2-step verification is important for strengthening security.
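The arithmetic behind that comparison, as an added example that is not part of the original article or Tinker's own code: it derives the guess rate implied by "every 8-character password in 2.5 hours" and applies it to a five-word passphrase. The 95-character printable ASCII alphabet and the 7776-word Diceware-style list are assumptions, as are all function names.

```python
import math
import secrets

# Figures taken from the article.
ARTICLE_LENGTH = 8
ARTICLE_SECONDS = 2.5 * 3600
# Assumptions, not stated in the article.
PRINTABLE_ASCII = 95   # characters an 8-character brute force has to cover
WORDLIST_SIZE = 7776   # Diceware-style list (6**5 words)

def keyspace(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn from `symbols` options."""
    return symbols ** length

def implied_rate() -> float:
    """Guesses per second needed to exhaust the 8-character space in 2.5 hours."""
    return keyspace(PRINTABLE_ASCII, ARTICLE_LENGTH) / ARTICLE_SECONDS

def hours_to_exhaust(symbols: int, length: int, rate: float = None) -> float:
    """Worst-case hours to try every candidate at `rate` guesses per second."""
    rate = rate or implied_rate()
    return keyspace(symbols, length) / rate / 3600

def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of a secret whose positions are chosen uniformly at random."""
    return length * math.log2(symbols)

def passphrase(words, count: int = 5) -> str:
    """Join `count` words picked with a CSPRNG. Strength is len(words)**count,
    so it only holds for a large list and a machine-made (not human) choice."""
    return "".join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    print(f"implied rate: {implied_rate():.3e} guesses/s")
    cases = [
        ("8 printable ASCII characters", PRINTABLE_ASCII, 8),
        ("5 words, attacker knows the word list", WORDLIST_SIZE, 5),
        ("29 lowercase letters, guessed per character", 26, 29),
    ]
    for label, symbols, length in cases:
        hours = hours_to_exhaust(symbols, length)
        bits = entropy_bits(symbols, length)
        print(f"{label}: {bits:.1f} bits, {hours:.3g} hours ({hours / 24:.3g} days)")
    # Constructed 8-word sample list, far too small for real use.
    sample = ["phone", "coffee", "silver", "rise", "baseball", "river", "cloud", "stone"]
    print("sample passphrase:", passphrase(sample))
```

Under these assumptions the five-word space is about 4,285 times larger than the 8-character space, so the margin against a fast hash such as NTLM comes from the size of the word list and from the words being chosen at random.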



in Software, Security, Posted by log1h_ik