Use an 8-Char Windows NTLM Password? Don’t. Every Single One Can Be Cracked in Under 2.5 Hours

HashCat, an open source password recovery tool, can now crack an eight-character Windows NTLM password hash in less time than it will take to watch Avengers: Endgame.

In 2011 security researcher Steven Myer demonstrated that an eight-character (53-bit) password could be brute forced in 44 days, or in 14 seconds if you use a GPU and rainbow tables – pre-computed tables for reversing hash functions.

When developer Jeff Atwood said as much in 2015, the average password length was about about eight characters and there’s no indication things have changed much. With some 620 million stolen web credentials coming up for sale this week on a dark web market, now’s as good a time as any for a password review.

Read more at TheRegister.

Homeland Security Today

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

See Full Bio