Normally, when we register on a website, a new platform or a new service, the company behind it recommends a set of rules for creating a secure password. In most cases these rules call for special characters, uppercase and lowercase letters, numbers and other elements, but what counts is length. And passwords usually have a length greater than or equal to eight characters.
~=8 Character Passwords Are Dead=~
New benchmark means that the entire keyspace, or every possible combination of:
…of an 8 character password can be guessed in:
(8x 2080 GPUs against NTLM Windows hash) https://t.co/yAwpKjr7d6
— Tinker ❎ (@TinkerSec) February 14, 2019
Until now, eight characters were believed to make a password sufficiently secure. However, the team behind the well-known HashCat tool (an open source password recovery tool) indicated that these eight-character passwords can be cracked in just over two hours. The tests were run with the latest version, HashCat 6.0.0 Beta, on eight RTX 2080Ti GPUs. The passwords tested by the HashCat team were hashed with Windows NTLM, a very long-established configuration in the sector.
This configuration, priced at around $10,000, would allow any hacker to access any eight-character password in about two and a half hours, at a rate of 100 gigahashes per second. However, while that $10,000 is a strong economic barrier, cloud computing systems like Amazon Web Services can also be used, for a price of $25.
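The arithmetic behind these figures, as an added example that is not from the original article or from the HashCat team. It assumes the 100 GH/s rate is per GPU across the eight cards and that the keyspace is the 95 printable ASCII characters; neither is stated on the page. It also goes beyond the eight-character case to find the minimum length a password policy needs to survive a full keyspace search for a chosen time.

```python
import string

# Assumptions (not stated on the page): 100 GH/s is the NTLM rate of ONE GPU,
# and the rig has eight of them, as in the article.
PER_GPU_RATE = 100e9
GPUS = 8
RIG_RATE = PER_GPU_RATE * GPUS

# Character classes a typical password policy refers to.
CHARSETS = {
    "lower": len(string.ascii_lowercase),    # 26
    "upper": len(string.ascii_uppercase),    # 26
    "digit": len(string.digits),             # 10
    "symbol": len(string.punctuation) + 1,   # 32 punctuation marks + space
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")  # 95 characters in total
YEAR = 365 * 24 * 3600


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` characters."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def exhaust_seconds(length, classes, rate=RIG_RATE):
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace(length, classes) / rate


def min_length(target_seconds, classes, rate=RIG_RATE):
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while exhaust_seconds(length, classes, rate) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    hours = exhaust_seconds(8, ALL_CLASSES) / 3600
    print(f"8 chars, 95-symbol alphabet: {hours:.1f} h on the assumed rig")
    for n in range(8, 13):
        days = exhaust_seconds(n, ALL_CLASSES) / 86400
        print(f"length {n:2d}: {days:14.1f} days")
    print("min length, all classes, 1 year:", min_length(YEAR, ALL_CLASSES))
    print("min length, lowercase only, 1 year:", min_length(YEAR, ("lower",)))
```

Each extra character multiplies the search time by the alphabet size, which is why a long lowercase-only password can outlast a short one that uses every character class.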