Wednesday, September 28

It’s time to remove your eight-character password

It’s time to get rid of passwords of eight characters or less and replace them with much longer passwords, say at least 12 characters.

That’s because any password of eight characters or fewer that has been hashed with Microsoft’s widely used NTLM algorithm can now be recovered in about the time it takes to watch a movie, thanks to advances in hash-cracking technology.

“The minimum password of eight characters, no matter how complex, can be cracked in less than 2.5 hours,” a hacker known as “Gypsy” told The Register yesterday (February 14). “The eight-character password is dead.”

Why your current passwords suck

The new speed record was set by a rig using eight Nvidia RTX 2080 Ti graphics cards running the latest beta version of the open-source password-cracking program HashCat, as revealed on Wednesday (February 13) by HashCat’s official Twitter account. The rig tested 102.8 billion hashes per second.

A hash is what you get when you feed a password (or any string of data) into a mathematical formula designed to spit out an indecipherable string of gibberish. That gibberish is not supposed to be reversible to reveal the original password, and a good hash function cannot be reversed. Password-cracking rigs do not reverse it; they guess candidate passwords, hash each guess, and compare the result with the stolen hash, and the massive computing power of the latest graphics cards lets them make billions of such guesses every second.

A Sagitta Brutalis password cracking platform (not the one in this story).

Microsoft’s NTLM hash algorithm is certainly an easy target. It’s old, and better hashing algorithms are available today. But like much of Microsoft’s legacy software, NTLM is still widely used because practically everything is compatible with it.

Of course, not everyone can afford eight $1,200 state-of-the-art graphics cards just to build a password-cracking rig. But a penetration tester (someone companies pay to break into their own systems) on Twitter named Tom Ervin did the math and found that for $25 you could rent enough number-crunching power from Amazon Elastic Compute Cloud to crack an eight-character NTLM password hash in about 12 minutes.

What you have to do, again

So, to spare you the boring details: change all your short passwords to longer ones. If a password has eight characters, make it 12 or 15. If it has six, even just repeating it will give you a lot more security.

You want to use all 94 possible characters available on a basic computer keyboard, not just lowercase or uppercase letters.
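The advice above (make it 12 or 15 characters, and draw on all 94 keyboard characters) follows directly from the 102.8 billion hashes per second quoted earlier. The following is an added example, not code from the article: it estimates the size of the search space an attacker would have to exhaust for a given password and how long that takes at the reported NTLM rate. The rate constant, the 100-year policy threshold and the sample passwords are assumptions chosen for illustration; real attacks try likely patterns first, so the figures are a worst case for the attacker, not a guarantee.

```python
import string

# Sustained NTLM rate the article reports for the 8x RTX 2080 Ti rig (assumed constant).
NTLM_RATE_PER_SECOND = 102.8e9

# The 94 printable keyboard characters, split into the classes a mask attack targets.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32  -> 26 + 26 + 10 + 32 = 94
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker needs to cover this password: only the character
    classes actually present count, since a cracker need not try the others.
    Characters outside the four classes (space, non-ASCII) are ignored, which
    makes the estimate conservative from the defender's point of view."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same alphabet."""
    return charset_size(password) ** len(password)


def exhaustive_seconds(password: str, rate: float = NTLM_RATE_PER_SECOND) -> float:
    """Worst case for the attacker: every candidate is hashed once at `rate` per second."""
    return keyspace(password) / rate


def describe(seconds: float) -> str:
    """Human-readable duration (years use the 365.25-day Julian year)."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def meets_policy(password: str, min_years: float = 100.0) -> bool:
    """Assumed policy: exhausting the search space must take at least `min_years`."""
    return exhaustive_seconds(password) >= min_years * 31_557_600


if __name__ == "__main__":
    # Constructed sample passwords: 8 lowercase, 8 mixed, 12 lowercase, 12 mixed.
    for pw in ("abcdefgh", "Ab1!Ab1!", "abcdefghijkl", "x7K#pQ2m!vL9"):
        print(f"{pw:14} alphabet={charset_size(pw):3} "
              f"exhaust={describe(exhaustive_seconds(pw)):>16} ok={meets_policy(pw)}")
```

Eight characters from the full alphabet fall in under a day at this rate, and eight lowercase letters in seconds, while twelve characters from the full alphabet run to six-figure years; twelve lowercase letters still fail the policy, which is the article's point about using all 94 characters.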

Ideally, you want the text string to be completely random, though that also makes each password very difficult to remember. The catch is that anything that looks like a word, even something like “[email protected]” will be easier to crack than random gibberish like “BK809e)67w%iS/h”.

The best option is to use a password manager that generates random passwords and remembers them for you. All you need to remember is the master password that unlocks the password vault, but of course that master password should itself be about 20 characters of gibberish.

