8 Character Passwords Are Dead

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec

@kaniini @tinker

NTLM is just a very shitty hash. Any remotely modern and safe password hash would still be way too much for the 8 character space.

Also, a single 💩 emoji is probably a safe password, because nobody tests for that, lol.

@shibayashi @tinker @kaniini yep, would also say the real message is: is dead 😃

@rugk @shibayashi @kaniini - NTLM most certainly is dead (even for 9-char passwords). But 8-char passwords are dead across a wide variety of hash types, even slow hash types that push out the crack time for the entire keyspace to a couple of weeks. Still within many attackers' time and resource budget.

The current @discourse.org default password policy is 10 chars for user accounts, 15 chars for admins, 200 max. (PBKDF2) A good policy for general adoption imo
@kaniini @shibayashi @rugk
social.wiuwiu.de - Mastodon