8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours

HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours. "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig that utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers. It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. Tinker estimates that buying the GPU power described would require about $10,000; others have claimed the necessary computer power to crack an eight-character NTLM password hash can be rented in Amazon's cloud for just $25.

NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while Google, Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight character password was used as a benchmark because it's what many organizations recommend as the minimum password length and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything? Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD, "correcthorsebatterystaple." That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

I'm changing mine

[reboot246]

Instead of 1 2 3 4 5, it will now be 1 2 3 4 5 6 7 8 9 0

Re:I'm changing mine

[EmagGeek]

Won't help though, because your luggage still has to have the government-imposed back door thanks to TSA.

Re:I'm changing mine

Don't forget to update your username to reboot247.

Re: I'm changing mine

I changed mine to ctrl-alt-delete.

Re: I'm changing mine

I've already changed mine to correcthorsebatterystaple. Nobody will ever guess that one.

Re:I'm changing mine

[Z00L00K]

TSA has no power here.

Re:I'm changing mine

[bobcat7677]

I already have a 9 character password so I am good. I have said too much. I was never here. *waves hands while backing away*

Re:I'm changing mine

Publicly known backdoor, don't forget:
https://hackaday.com/2015/09/18/dear-tsa-this-is-why-you-shouldnt-post-pictures-of-your-keys-online/

Re: I'm changing mine

Not surprised. Your mom is seven letters and I cracked her years ago.

Re: I'm changing mine

[arglebargle_xiv]

Mine is "ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessnowâ.

Easy fix...

Just BLOCK the acccount after letâ(TM)s say.. 10 wrong tries???
Even if you auto lock the account for 2 hours between each 10 wrong tries, the 2.5 hours of brute force hacking becomes weeks or years of trying...
And it should take a real sysadmin more than a day or two to see his system is being attacked with such alert in log system

So itâ(TM)s a pretty easy fix to do, Microsoft...

Re:Easy fix...

You're confusing the scenario. This is not about brute forcing a login form.

This is about having the hashed password saved in the domain controller (for example from a DB stolen in other ways) and forcing the password hashes there to get all the passwords in the DB.

Re:Easy fix...

[wierd_w]

It was my understanding that hints about the password (Specifically, a one-way hash) were sent back in an encoded form from the AD server when a client attempts a login, and that this information can be wire sniffed.

Using that info, the password can be derived offline, then a single attempt is used to gain access.

Been a long time since I passively looked up NTLM password cracking though. I probably have some details wrong here.

Re: Easy fix...

[Zero__Kelvin]

I find actively looking things up to be much more. efficient and effective than doing so passively.

Re: Easy fix...

Intel chips sniffed?

Re: Easy fix...

[houghi]

I am not trying to hack the account, I am just blocking all users to use their account let's see what happens if the CEO can't get to his emails.

Re: Easy fix...

[wierd_w]

This is true, but I was looking for information on something only tangentially related to NTLM password handshakes (IIRC, I was looking for information on Kerberos), and was exposed to the notion of sniffing and cracking the hash on the side; It was not what I was looking for. Hence, passively.

And again, a long time ago.

And I agree. Actively looking is a better means of information retrieval. I just was not actively looking for this when I was exposed to it.

Re:Easy fix...

[CSMoran]

Just BLOCK the acccount after letâ(TM)s say.. 10 wrong tries???

Oh, lookie, a DoS hammer!

Re:Easy fix...

[Z00L00K]

The problem that would occur with longer passwords is all the mistypings increasing the IT support load. Of course it's outsourced to India where you have to adapt to a strange accent. Even worse when you don't have English as your first language.

Re: Easy fix...

There are hashes that can be captured over the wire for NTLMv2 auth. They are truckietrickier to crack than a plain NTLM hash, but can still be a worry.

It's dead at least in the context of hacking

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

Re: It's dead at least in the context of hacking

Somebody read the summary!

Re:It's dead at least in the context of hacking

Woah, I'm seeing triple! 9 paragraphs!

Re:It's dead at least in the context of hacking

[Spazmania]

NIST's SP 800-63 also says that passwords are supposed to be stored in a format resistant to offline cracking. NTLM never was particularly resistant and, like unix crypt was, should have been retired many years ago.

Re:It's dead at least in the context of hacking

[Sneftel]

+1, redundant

Re:It's dead at least in the context of hacking

It was retired may years ago. A decade or more.

People should be moving off NTLM

[athmanb]

Even NTLMv2 is now over 20 years old. It's unsalted, easily parallelizable and you can't adjust the number of hash operations performed. It just can't deal with the modern world. And Microsoft has had tools available for like 5 years now that make it possible to see whether you can disable NTLM, see https://johan.grotherus.com/20... for one writeup. If you have a decently sized environment, this probably won't be easy, but you should start sooner rather than later. As soon as you are able to pull the plug on it, a lot of the easy "pass the hash" attacks become impossible, and those are more dangerous than someone getting to your ntds.dit file in todays age of gratuitous hard disk encryption anyway.

And most people aren't able to create secure passphrases. You need to use completely independant words to actually get a good passphrase, and if someone doesn't understand the information entropy theory behind it, they'll automatically gravitate towards related words. And a passphrase like "housegardengreengrass" has an absolutely abominable complexity of like 20000 * 100 * 100 * 100 or 2^32.

Re: People should be moving off NTLM

Diceware is a method for creating truly random pass phrases using ordinary dice.

Re:People should be moving off NTLM

> And a passphrase like "housegardengreengrass"

Hey! That's my luggage combination!

Re:People should be moving off NTLM

[thegarbz]

and those are more dangerous than someone getting to your ntds.dit file in today's age of gratuitous hard disk encryption anyway.

This I disagree with in a world of prolifant malware happily running on logged in machines where HDD contents are readily accessible.

Re:People should be moving off NTLM

The problem is there's still a lot of embedded hardware that doesn't even work on NTLMv2, or if it does it's a nightmare to configure.
Should you dump the hardware and software that's stuck in 1999? of course, is it easy? no.

Re:People should be moving off NTLM

Bro, where did you get my passphrase from!? Did you hack into my ip address of 192.168.1.23?

Re:People should be moving off NTLM

Well, you have stupid ninnies that have these utterly stupid password rules and require that the password be changed (ever).

This prevents the use of secure passwords.

Three times!

You have to say it three times:

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

Will my bank change?

Whatever the NIST recommends as the minimum paasword length, my bank sets as the maximum password length.

our nt server 20 years ago went down...

about every 2.5 hrs.. so again, not much has changed? cease fire stand down,, there's plenty of good reasons to keep us all around.. in the moms we trust.. thanks again

Not much of value now

NTLM hashes are disabled by default since Vista.

Reminds me...

[hcs_$reboot]

a few years back, MS Office had a document password protect feature which was cracked instantly by an open source tool.

Holy triplicates batman

[Mr_Silver]

Couple of questions:

• Is NTLM for organizations that rely on Windows and Active Directory?
• Isn't NTLM an old Microsoft authentication protocol and wasn't it replaced by Kerberos?
• Are these the Windows passwords stored locally or in the NTDS.dit file?

It wasn't entirely clear from the summary /s

Re:Holy triplicates batman

1. New Technology Lan Manager Hashes or NTLM encrypted passwords came about during the NT 4.0 days (at least in a recognizable form, it may have been around a little before this), and I believe it is used in almost every Windows OS since then, not just corporate environments that rely on AD. It's not for the enterprise, it'sWindows baked in security suite. Yes, NTLM is a whole security suite. It may be old and deprecated, but it's still present for backwards compatibility. This is why you can plug in your Windows XP machine and share files over SMB to your W10 machine (after a few control panel tweaks).

2. Yes, and not really replaced as much as superseded. Windows will try to use Kerberos for authentication first, then failover to NTLM, in a typical domain setup.

3. I believe the files are stored in a file called the SAM Database in: C:\Windows\System32\config

Re: Holy triplicates batman

Woosh

About Passwords

[whyisit8888]

Maybe worth mentioning: https://sites.google.com/site/...

Consider the following...

Let us say that Hackerman acquires your password hash and exports it off your computer, across a series of tubes, onto his computer. Consider that now he has an unlimited amount of time in which to solve the hash, and access to almost infinite cheap storage for rainbow tables in order to make a time/storage trade-off. This makes it somewhat ridiculous to consider any palpable difference between 8 characters and 16, at least for these weak hashes

With this being said, the problem is passwords are a bad way to do authentication, not that passwords are too short. You can keep making the passwords more complex and encrypted in a more robust fashion with more salt and pepper, but it doesn't help when I'm just going to write it on a sticky note and leave it on my desk. SQRL or something similar is the inevitable future, see: https://www.grc.com/sqrl/sqrl.htm

Re:Consider the following...

If it is on GRC is is bollocks.

Note to author

[sphealey]

Note to author: It was determined during WWII that repeating plaintext makes it far easier for an opponent to crack the cyphertext. Just sayin'.

Re:Note to author

[athmanb]

The invention of Cipher Block Chaining solved that issue btw
https://en.wikipedia.org/wiki/...

Re:Note to author

i think the author works for the department of redundancy department.

Re:Note to author

[swillden]

Note to author: It was determined during WWII that repeating plaintext makes it far easier for an opponent to crack the cyphertext. Just sayin'.

This is wrong.

What you say was true of WWII-era ciphers, but with modern ciphers and constructions any system that is made easier to break by repeating plaintext is considered completely broken and discarded. We don't worry about repeated plaintext any more, we worry about ensuring that the output of the base cipher is indistinguishable from uniform random noise, and that the construction is randomized so that two encryptions of identical plaintext produce unrelated ciphertexts.

Also, your comment is off topic because encryption has nothing to do with password storage. You don't use an encryption cipher to secure passwords, you use a key derivation function, one designed specifically for passwords.

Crypto history is fascinating, and fun, but be careful applying its lessons to modern crypto.

Pro Password Recovery Guy Here

I have a datacenter full of Hashcat rigs - used to be my crypto mine but I re-purposed and now do fee-based password recovery for corporate and law enforcement clients.

Hashcat is pretty fun and has a scripting language of sorts for narrowing the attack space. If you have knowledge of the corporate password rules you're dealing with (which SIGNIFICANTLY reduce the attack space) it's actually not uncommon to discover even a complex password in a couple of days.

The bottom line is that everyone needs to use stronger passwords, and corporations really need to remove the impediments that reduce attack space.

As an example, let's take a simple example where a keyboard has all the capital and lowercase letters, and numbers 0 through 9. There are 52 possible letters and 10 possible numbers - 62 potential characters. An 8 character password has 62^8 or 218,340,105,584,896 possible combinations.

If I impose a rule that says you must have at least one capital letter, that more than halves the attack space because one combination drops from 62 possibilities to 26, and our new attack space is only 91,561,979,761,408.

If I say you have to have one capital letter and one number, that reduces a combination from 62 to 10, and our new space is only 14,768,061,251,840 passwords.

A GTX 1070 will do a Kerberos 5 password at about 145 million per second, so a single rack of 12 of them will do 1,740,000,000 passwords/second.

That means I can crack 8 characters, one capital letter and one number in a MAXIMUM of 8487 seconds, and that's assuming the correct password is the last one I try. That's less than 2.5 hours.

I have 200 of those racks in my farm, so it takes me longer to set up the job that it takes to completely exhaust that address space: 42 seconds.

So please, corporate America, keep right on with your silly password rules. They only make my job easier and more lucrative.

Re:Pro Password Recovery Guy Here

I'm surprised that your conclusion was to improve the password complexity, instead of to just stop using passwords. Working in Corporate IT, especially in Finance, I've found that the very idea of passwords is becoming verboten among the decision makers. Everything in those environments was single sign on with dual factor authentication, with OTP or biometrics.

Re: Pro Password Recovery Guy Here

law-enforcement clients

Cool, so you're a black hat who breaks into accounts for the pigs? You didn't need to write all that boasting just to prove you're a tool.

Re: Pro Password Recovery Guy Here

Well life is about irritating your nemeses and pointing out how great you are

Re:Pro Password Recovery Guy Here

[Alain+Williams]

If you have knowledge of the corporate password rules you're dealing with (which SIGNIFICANTLY reduce the attack space) it's actually not uncommon to discover even a complex password in a couple of days.

The bottom line is that everyone needs to use stronger passwords, and corporations really need to remove the impediments that reduce attack space.

As an example, let's take a simple example where a keyboard has all the capital and lowercase letters, and numbers 0 through 9. There are 52 possible letters and 10 possible numbers - 62 potential characters. An 8 character password has 62^8 or 218,340,105,584,896 possible combinations.

If I impose a rule that says you must have at least one capital letter, that more than halves the attack space because one combination drops from 62 possibilities to 26, and our new attack space is only 91,561,979,761,408.

If I say you have to have one capital letter and one number, that reduces a combination from 62 to 10, and our new space is only 14,768,061,251,840 passwords.

You are missing the point: if corporations did not impose such rules then most people would choose passwords that were entirely lower case; ie 26^8 (208,827,064,576) combinations. Any self respecting cracker would try all lower case before considering other possibilities.

Re:Pro Password Recovery Guy Here

[Junta]

On the other hand, focus on character classes causes people to pick short passwords because they can only remember so much of that crap.

Focus on password length *and* character classes and people just can't do it.

Focusing on password length alone is the way to win, 'password' is a much worse mindset than 'passphrase'.

Re: Pro Password Recovery Guy Here

How many cops have you killed, tough guy?

Re:Pro Password Recovery Guy Here

[Z00L00K]

So the summary is essentially that password rules opens a hole similar to what the Enigma machine had - the encrypted character could never be the same as the original, one of the rules that made it easier to crack instead of harder. There were other flaws as well.

Personally I would have introduced some added complexity to the Enigma in addition to allowing the encrypted character match the clear text character like space character and a few punctuation characters. Also the ability to select a varying number of wheels.

Re:Pro Password Recovery Guy Here

[Z00L00K]

Smart card tech is what I would look at - so you'd have to use your company ID card to log on to the computer. Remove the card and the computer locks the screen.

Re:Pro Password Recovery Guy Here

[kukulcan]

Your point might be right, but you need to count better.

As an example, let's take a simple example where a keyboard has all the capital and lowercase letters, and numbers 0 through 9. There are 52 possible letters and 10 possible numbers - 62 potential characters. An 8 character password has 62^8 or 218,340,105,584,896 possible combinations.

Right

If I impose a rule that says you must have at least one capital letter, that more than halves the attack space because one combination drops from 62 possibilities to 26, and our new attack space is only 91,561,979,761,408.

If I say you have to have one capital letter and one number, that reduces a combination from 62 to 10, and our new space is only 14,768,061,251,840 passwords.

No, with those conditions the space isn't 26*10*62^6, which is what you assumed - that's the space if you require that the first letter be uppercase, the second a number and the rest whatever.

With those conditions, you're removing from the original 62^8 space all the passwords that are just lowercase, which are 26^8. So your new password space is 62^8 - 26^8 = 218,131,278,520,320, which is 99,9% of the original space...

Re:Pro Password Recovery Guy Here

"Personally I would have introduced some added complexity to the Enigma in addition to allowing the encrypted character match the clear text character like space character and a few punctuation characters. Also the ability to select a varying number of wheels."

Right. You would have known better than the leading edge cryptographers of the time and fixed all of their mistakes. Okay...dipshit.

Re:Pro Password Recovery Guy Here

[ceoyoyo]

First thing to do is make sure that your passphrase system accepts spaces. It's a pain in the ass to type "thisismypassphrase" compared to "this is my passphrase".

Re:Pro Password Recovery Guy Here

[Anubis+IV]

if corporations did not impose such rules then most people would choose passwords that were entirely lower case; ie 26^8 (208,827,064,576) combinations. Any self respecting cracker would try all lower case before considering other possibilities.

This was my thinking as well. While OP is quite correct that the volume of the attack space is significantly reduced by the imposition of requirements, the fact is that the vast majority of people are selecting passcodes that minimally meet the requirements rather than being constrained by the requirements. Or, put differently, while requirements reduce the upper bound of the address space, thus reducing the volume of the space, they also raise the lower bound of the space quite significantly, thus increasing the minimum amount of work necessary. Given that the vast majority of passwords live in the lower portions of whatever the address space happens to be (e.g. if passwords can be 8-64 characters, most people will have an 8-character password), pushing the lower boundary up is generally more important.

Besides which, how often does a hacker need to resort to searching the entire space? Again, if work allows up to X characters, most people will have whatever the minimum requires. If work requires that the password not be in the dictionary, most people will use one of a few common symbol swaps (e.g. a > @, s > $, i > !, etc.) to satisfy the requirement, only slightly increasing the complexity for a hacker engaging in a dictionary attack.

Re:Pro Password Recovery Guy Here

[Cid+Highwind]

That would have been an entirely new machine, the limitation that a character can never encrypt to itself is inherent in Enigma's "out and back" path through the rotors and plugboard.

Re:Pro Password Recovery Guy Here

You are missing the point: if corporations did not impose such rules then most people would choose passwords that were entirely lower case; ie 26^8 (208,827,064,576) combinations. Any self respecting cracker would try all lower case before considering other possibilities.

That's why you mandate a "passphrase" with a minimum 20 characters.

Re:Pro Password Recovery Guy Here

but even if you require 4 character classes that only quadruples the number of combinations, each character you add to the length increases the number of combinations by 26 even if using only lower case

requiring a passphrase of all lower case with at least 20 non-space chars (you support spaces but they are stripped out before validating), you get 26^20 combinations (1.9928149e+28 or 19,928,149,000,000,000,000,000,000,000) so you get something far far easier for people to remember and impossible to brute force

and this doesn't even account for all the people that forced to choose some hard to remember password, immediately write it on a post-it and put it on their monitors, making the password effectively nothing to anyone walking by

Re:Pro Password Recovery Guy Here

On the other hand, focus on character classes causes people to pick short passwords because they can only remember so much of that crap.

Focus on password length *and* character classes and people just can't do it.

Your password must have a minimum of 12 letters, one number, a fighter, two clerics, and an arcane caster.

Re:Pro Password Recovery Guy Here

So called Smart Cards have other problems.

Basically, so-called Smart Card authentication has the card "sign" a nonce, and that "signature" is then the authenticator, because in theory the private key is securely held only on the smart card, and the public key is only held in the "authenticator database".

This replaces the process to grant a TGT only. Once the TGT is granted, it has all the same problems as exist with a password authenticator.

And almost all the security issues are with the TGT, not with the authentication.

Re:Pro Password Recovery Guy Here

The Enigma problem is trivially solved - get rid of the reflector. A signal that passes once through the rotors and is not reflected back can encrypt to anything - including the same letter. If you worry that passing once through the rotors instead of twice is "weaker", use twice as many rotors.

Re:Pro Password Recovery Guy Here

[grep+-v+'.*'+*]

Hindsight is always 20/20. We've had at least a month or two of widespread technical improvements since then.

Personally I would have ...

?? Then why didn't you?

Don't get me wrong -- I've also the same things many times over the years. I'm just now getting to the point where seeing that current knowledge and history of the past kinda helps guide you, while at the time there were no indicators or guidelines and they were fumbling around in the darkness.

We really do "stand on the shoulders of giants", and shorter people as well.

Re:Pro Password Recovery Guy Here

Yes, his calculations are completely wrong, but you're not correct either. You can't just remove the lowercase passwords. You also have to remove the passwords containing upper case characters, but not digits, and the ones containing digits but not upper case characters. That makes it 62^8 - 36^8 - 52^8 + 26^8 = 162,268,094,210,560, which is about 74% of the original space (far from the authors claim, which is about 7% of the original space).

See https://math.stackexchange.com/a/2033019 for a bit more thorough explanation.

Re:Pro Password Recovery Guy Here

[theCoder]

The math for figuring out the exact numbers seems to me to be really difficult. Though maybe not as difficult as tedious in thinking about the various possibilities. It would probably make a nice question on a discrete math final. Well, nice from the professor's point of view at least.

Since I didn't want to compute it analytically, I once wrote a simple program to test it empirically. The program would generate random passwords and then test to see if they met the requirements. IIRC, with the rules in place in my employer, it threw out about 70% of all random passwords. It got worse as the passwords got longer because of rules limiting the number of consecutive characters of the same class. I.e., "foo1bar2baz3" is OK, but "foobarbaz123" was not.

Interestingly, while the password space was significantly reduced, it wasn't even an order of magnitude, let alone the effect of making the password length shorter. I agree with the OP that password rules do eliminate good passwords, especially of the XKCD kind "correct horse battery staple" (too many lower case characters in a row, no upper case, numbers, or symbols). However, if we didn't have the rules, there would be quite a few people whose password would be "password". Or if there was a length requirement, it would be "passwordpassword". So I am of mixed feelings on it. Even if I think eventually only the password "aA1!bB2@cC3#dD4$" will be viable if the security rules get any tighter.

Re:Pro Password Recovery Guy Here

No it isn't. Lift up your thumbs.

Correct hourse battery staple.

[jellomizer]

I can still remember this over many years... but let me Google the link... fond it XKCD

Re: Correct hourse battery staple.

[David+Gould]

"the four-word example popularized by online comic XKCD, 'correcthorsebatterystaple'."

In fact, use that exact passphrase. It's the best one.

Password Policy

No worries. Just require all users to change their password every 2 hours, and problem solved!

inconsistent

[markdavis]

>"NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much."

The example given is an old method and assumes the cracker has access to the stored encrypted password. Then the discussion turns to a wide/broad generalization about ALL password lengths, and web sites were the example. This isn't logical. An 8 character password is way strong enough if you don't have access to the stored data and all you can do is try brute force- which is easily defeated by throwing in delays or limits.

It also depends on the method used to store the passwords, even if you have access to the stored data,

Re:inconsistent

It's two things:
1. Security theatre so the sheep don't realize who the actual wolves are
2. Proof that misinformed fools (read: journalists) are doing a great deal of damage by spreading their stupidity, ignorance, and in some cases outright lies.

In your case, markdavis, I admire the way you cut through the bullshit in so few words.

Re:inconsistent

Given the large amount of security breaches and dumps on the web, I don't think it is so safe to assume they don't have access to the stored passwords.

Re:inconsistent

[hey!]

Is 8 characters enough to control access to a *network* resource? I'd say the answer is a resounding "maybe".

If you start by assuming that that the attacker has no access to the underlying password database and that he never will, and that rules eliminate easily guessed passwords, sure: I'm satisfied. But the assumption that the password database is secure is a big one. An unsalted password databases is a gold mine for an attacker.

If you assume that the password database *might potentially* be accessed remotely through some other exploit, but that it is hashed using a reasonably secure function and is never stored anywhere in unsalted form, and the valid password rules are reasonable, I'd say 8 characters is secure enough for *most* practical purposes.

As for any remaining practical purposes, you simply need something stronger than passwords, because humans aren't going to be any good at memorized ten character strings of pure gobbledygook.

Re:inconsistent

[markdavis]

>"But the assumption that the password database is secure is a big one. An unsalted password databases is a gold mine for an attacker."

Agreed. My biggest issue was their illogical jump from one example to a broad statement that can't be made.

>"As for any remaining practical purposes, you simply need something stronger than passwords, because humans aren't going to be any good at memorized ten character strings of pure gobbledygook."

Unfortunately, there isn't much else- not if one of the criteria is something you "know". You can add a second factor authentication, but that is usually something you have (phone, token, etc). But that alone is often worse security than just something you know. Other options would be something you are (biometrics) which can be very complicated, and somewhere you are (which is pretty good for increasing security). Not an easy problem to solve, since most require a lot of complex stuff, expense, inconvenience, support, and often is privacy violating (like I don't WANT to give my phone number or fingerprints to X).

Re:inconsistent

[hey!]

I think two-factor is definitely the way to go for high security applications. That does not mean that "two factor" is automatically better than a password scheme, it depends on the design and implementation.

Need the hash

[jmccue]

First of all the cracker will need to get the password hashes, if that can be done I think you have more issues than an 8 character password. I cannot comment on how to get windows password hashes (have not be on it in well over a decade), but on a properly locked down and encrypted modern Linux/BSD getting shadow is almost impossible.

At work we are being moved to a minimum 15 character PW which is changed it every 90 days, all I can say is I am real glad I do now work on corporate help desk. 90% of they time the will be getting calls about forgotten passwords. yes people can use sentences but you know as well as I do that is not going to happen for over 80% of the users

Re:Need the hash

[DigiShaman]

90% of they time the will be getting calls about forgotten passwords.

That's what the tier 1 support is for. They answer most of the stupid calls. Usually tier 1 is outsourced in a large corporation. Tier 2 and 3 is where the fun really begins and honestly makes the job far more interesting.

Re:Need the hash

[DigiShaman]

"Gimmie the hassshhhhhh!" - thug in Fifth Element.

Re:Need the hash

with physical access to the ad controller, if it does not have drive encryption i can reset the password in about 30 minutes or so. no need for 6x2080's. the method keeps changing but i've reset 2000,2003,2008 and 2012 domains many times.

Re:Need the hash

First of all the cracker will need to get the password hashes, if that can be done I think you have more issues than an 8 character password

Mmm, that soft, soft center.

Re:Need the hash

[DarkOx]

NTDS.dit dumping aside after you already have escalated permissions on domain control the main method of obtaining windows hashes is to MTIM authentication attempts and collect them off the wire so to speak.

You use tools that provide fake DNS(6), netbios, wpad and some other types of broadcast responses or use other methods like good old fashioned arp spoofing to get windows hosts to authenticate with you. Optionally when signing is disabled or not used you might relay the authentication attempt to a real system of your choosing and execute a replay like attack rather than a password attack or simple hash passing attack.

Often you want to go ahead and crack the hashes you get because that will of course allow you to subsequently authenticate to services that don't speak NTLM or might need you to authenticate a second time. Example you want to connect to RDP and logon to a desktop.

Re:Need the hash

[Z00L00K]

So he could smoke it.

Re:Need the hash

[ceoyoyo]

That's a lot of passwords written on stickies.

Re:Need the hash

If you can get the password hash database, then you do not need it ...

Strange that, isn't it?

stupid article

it makes it sound like you can just crack any password in 2.5 hours. The technique described requires that someone have the ntlm.dit file. truth is if you have the ntlm.dit or a /etc/passwd file, password dictionaries crack many password in 10 seconds. kinda strange that it takes that long with 6x2080's. hashcat on my 660ti still kicks as$. main thing to crack passwords faster is to only look for numbers and symbols in the last 2 places. so many password end in 01 or 1! no point in looking for letters there.

Re:stupid article

[Junta]

Well, /etc/shadow rather than /etc/password.

I suppose the 'novelty' is that a 'single' system can exhaust keyboard-appropriate 8 character sequences in 2.5 hours for NTLMv1 hashes, which is relatively short. However constraining to a single server is an odd limitation to pay any mind to.

hmm

[cascadingstylesheet]

Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD, "correcthorsebatterystaple." That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

Except that every site has a different maximum number of characters, requires different special characters, some of them don't allow your favorite special characters, etc. So there's no way you can consistently use some complex patterns that you could actually possibly remember.

Re:hmm

[nehumanuscrede]

"Except that every site has a different maximum number of characters, requires different special characters, some of them don't allow your favorite special characters, etc. So there's no way you can consistently use some complex patterns that you could actually possibly remember."

^^^ This

I really wish there were an enforced standard that all websites -MUST- adhere to before being allowed on the web at all. Minimum password length and character set requirements. While we're at it, storage of those credentials needs to be standardized as well.

Re:hmm

Please, no "standard". Find a weakness in the standard, and all of the web falls.

There is strength in diversity. The hack that apparently breaks all windows domains, do not break linux, apple or others. Various webservers implement different security, there is no single way to crack them all.

Just to be clear

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

Re:Just to be clear

It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers.

Even though they put those statements in the summary twice and I've now read them about 6 times, I still don't know what the hell they are talking about. Just a bunch of Microsoft stuff over and over.

Dupe in the summary

[kkoo]

Jeez, the submissions here are shockingly badly edited, or, I should say, not edited at all. A repeated phrase in the summary, obvious to a 5 year old. BeauHD... hang your head in shame.

Re:Dupe in the summary

[drinkypoo]

You Must Be New Here. This is how it has literally always been. Slashdot has never had editing worth beans. New boss, same as the old boss, and the boss before that.

Passwords are dead

[DalM]

Passwords are terrible security. Period. They should never have been widely implemented. All websites, 100% of websites, and all other systems that require passwords should be moved to physical keys.

Re:Passwords are dead

[acoustix]

Shouldn't access be granted based on something you have AND something you know?

Re:Passwords are dead

[DalM]

Sure, I'm all for two part ID. But the vast majority of sites still don't require that, and most have no option for it at all.

My point was about passwords alone.

Doesn't work

[magarity]

NIST's latest guidelines say passwords should be at least eight characters long

I tried "at least eight characters long" but it said passwords could not contain spaces.

Re:Doesn't work

Newest NIST guidelines state passwords should be 20 characters, and are not required to be changed periodically anymore. Those are the new standards and they have started to be adopted.

hunter2

I now understand why I've been hacked!

hateful 8

[racerex]

"The eight character password is dead."... yes, because the average hacker has a $10,000 rig just to hack individual Windows passwords. That's a silly statement at this point in time. Beyond all that, being an admin and developer at my company I can tell you that the vast majority of people use more than the minimum amount of characters anyway. At any rate, raw password hacking accounts for about 1% of compromises these days... we really need to focus more effort in other areas as well as education of end-users in a manner that they will pay attention to.

Re:hateful 8

[jbmartin6]

It's a lot cheaper to use rainbow tables which cracks in 14 seconds, as this article even states. While the technical aspects of how they did the cracking might be interesting, the security impact of this announcement is zero.

8 character NTLM rainbow tables are not new

I would assume a rainbow table would be faster than bruteforceing

passwords

Length is bullshit if you have a low entropy password.

"onceuponatime" will shatter like glass at 13 characters.
"onceuponatime!" will break.
"OnceUponATime!" will break.
"0nc3up0nat1m3" will break.
"emitanopuecno" will break.

If a human is using certain methods to approach their passwords, those methods can be approximated. A single, low entropy mod. Unless you're eager to believe you're the only human who ever thought of writing a password backwards, or swapping leet characters. Then, sure, the tables won't attack towards your never-seen idea. Which is useless to the community at large, as an advisory.

The maximum entropy : easiest recall ratio is abbreviations. ouatiwadasn for the literaturefags, I guess. These should remain resilient until the kits have an overarching knowledge of human dialogue through the ages, are somehow aware of the cultural incident rate of "Charles Dickens", of texts associated with him, of the most prominent strings, leading to attacks on iwtbotiwtwot (and tree of derivatives). I say "somehow aware" but it WILL happen eventually, probably when blackhats get ahold of some nice Google-developed AI loot on all human writings, meant as Skynet-feed.

This will only affect historic abbreviations so grab some novel saying or pop song lyrics and you're set.

password123 has 11 characters

[maxbuzz]

so I'm good

Different lengths for different needs

[FeelGood314]

If the password isn't protecting anything of value then 1 character will do - for example any site that makes you create an account so you can use it once.
If the attacker is rate limited and is only interested in one account then a 4 digit PIN will do - think bank cards
If the attacker can attack any one of 50,000 employees and is only rate limited per account a pass phrase of 4 words should be used.
If the attacker has the hash of the pass phrase then a pass phrase of 5 words should be used.
If the attacker has the hashes of 50,000+ phrases then a pass phrase of 6 words should be used.

8 random character passwords are useless, they too strong for the rate limited single account, impossible for 50,000 employees to remember and worthless against an attacker with the hash of the password.

You should also fire everyone involved in the 8 character, at least one upper, one lower, one number and one one special character and change your password every 3 months people. After 6 months almost every employee gives up on creating a strong password and uses a common 6 letter English word, capitalizes the first letter, puts in the number 1 and then a '!'. They then increment the number every 3 months.

Re:Different lengths for different needs

Ha. I increment the '!' first. Wait a minute ...

What else is new?

[WaffleMonster]

NTLM, NTLMv2 and yes Kerberos are all HOPELESSLY insecure CHAP based authentication protocols subject to offline brute force campaigns simply by way of an adversary eavesdropping on authentication process. No server hacking required.

Microsoft STILL insists upon using this crap in its current software when secure alternatives are readily available.

The only way authentication works in practice today is by protecting authentication exchanges using PKI... similar in concept to all of the web login forms on present day websites. (phishers paradise)

As for stored credentials... Salting and amplification make password guessing harder.. (persistence of NTOWF is unnecessarily sad) but not in any meaningful way that would do much to limit effective impact in the event of hash table compromise. With hashes for any number of accounts compromised an attacker with access to salted amplified hashes using present day resources is still assured meaningful victory no matter what.

As policy you are way better off treating hashes as plaintext password lists and acting accordingly because effectively that's exactly what they are.

Re:What else is new?

Your genitals are extremely underwhelming.

No

This is wrong. This is a technology driven directive, placing ever greater burdens of responsibility on users in order to make up for technical weaknesses and limitations.

Hey, I've played the game too. "Passwords should be stronger", with all the complexity requirements we add. Ask yourself this though: Where are we headed with complexity and length requirements?

Some day we are going to have access to processors with millions of cores. Some day we are going to have quantum computers. Some day we are going to have DSPs, specialized co-processors in abundance, PLDs, memristors, FPGAs, and more. What does this imply?

We cannot simply keep dumping additional requirements upon the users. If we do, we wind up with passwords that are the equivalent of War And Peace length novels. Already we have issues with password pushback. This has to stop.

Multi-factor authentication is one possible route. Biometrics, ideally as part of an MFA solution, can be an answer. But passwords are already at or near the maximum ask we can make on our users.

So no, I really DGAF what your "killer rig" has, or what your "amazing software" can do. That's not the issue and you are both naïve and short-sighted to think that it is.

Cost of wrong guesses ?

[redelm]

Brute-force attacks like these can only work when attackers can access the passwd hashes so their guessing cost comes down to a few machine cycles. This is why /etc/shadow was developed and eventually will become encrypted itself.

When an attacher has to go to the local OS, let alone a remote net, the cost per guess goes up by many (4-10) orders of magnitude. Decent security watchdogs will throttle guessing even further.

I wouldn't be so sure

[bspus]

ANY 8 char password? Does that include special chars like ©?
If we include those, the number of possibilities increases immensely, to the point that I certainly wouldn't worry if I had such a password.
Most people, even on this thread seem to exclude even the common, easily accessible symbols from their strategy.

"Please try another password"

[dremon]

"The password you have entered is already in use by user corp-admin@internal.wscorp.com. Please choose another password".

password is strong as weakest link

An 8-character password can fit in a 64-bit register.

Proof: 8 x 8-bit = 64-bit

Just upgrade your FFL

[dimmthewitted]

Guys, just upgrade your Active Directory forest functional levels.
As long as the oldest controller is new than 2012, not a problem.

old school passwords

My memory isn't what it used to be but I believe I read something from MS back in the 90's (when I received my MCSE on NT) that the algo used was different when using a 9+ character password. But most people on this thread realize that complexity isn't the secret. It's the length that matters. All of my pwds are maximum length sometimes 25 characters. That will take a very long time to crack. Its not impossible, but the value of the data will be diminished by the time you break it...or I'll have changed it by then anyways.

beyond Shannon: systemic industrial infosec

[epine]

You need to use completely independant words to actually get a good passphrase, and if someone doesn't understand the information entropy theory behind it ...

It's not just the information, it's also the systems theory behind the information theory.

The underlying problem is that so many passwords in the wild get cracked back to plain text. Any paradigm you come up with is vulnerable to machine learning, which can ultimately identify and extract almost any pattern.

The pattern you describe is this: pick a word somewhat randomly (but not one too long or too hard to type), then use that as a seed word to free associate. Your entropy estimate is good and to my eye occupies the Fermi-estimation sweet spot (which is rather large, in a good way).

But the entropy you report is the conditional entropy on having already decided on the password paradigm (in some cases, this isn't even a guess, if you can associate previously cracked passwords to the same user, or specific password policies to the institution).

With enough randomly chosen paradigms to pick among, you could add maybe another 10 bits of true entropy. But people being people, paradigms are about as randomly chosen as social media networks.

Plus, because of all the cracked passwords, we have strong statistical models about paradigm evolution (these are cultural artifacts, for the most part)—at least for the masses who associate themselves with 2nd-rate IT (my own strong password paradigm is only used on sites highly likely to number among the scrypt enlightened).

Not that I'm including simple plug-board scrambling stages in my paradigm model (such as reflecting keystrokes between the left and right hands, moving home position one keyboard position to the right, or one row up).

A lot depends on the yield model of the attacker. If the goal is to crack as many passwords as possible, then you start with the worst of the worst and increment upwards. You would probably never even rise to plug-board stages.

If you have a value model over the accounts, when some accounts are judged to be a thousand or a million times more valuable once cracked, then the high value targets had better not be depending on their password paradigm adding any true security (unless so invented out of whole cloth, you're reluctant to update your password in less than a decade).

I tend to use apg to seed my passwords. I click generate five or ten times until something grabs my eye, and then I tweak it slightly to make it easier to store in short-term memory as I transcribe it from my password keeper to the passbox by hand. My "throw away" passwords are 11 characters, and more important passwords are usually more like 16. I generally estimate my passwords to have at least 50 true bits of entropy, assuming a very efficient search through password paradigm probability space (possibly by an adversary who has already cracked one of my other passwords into plain text). If the password contains spans of alphabetic dictionary fragments, I rarely estimate the fragment as supplying more than about 13 bits regardless of the letter count (or how close it remains to the original apg output).

Fully directed attacks based on a comprehensive model of human entropy management is an awesome superpower.

I'm sure the NSA has been doing this for decades already: nearly every plaintext password they've ever recovered (more than few) has been melded into some giant statistical model. They've likely identified millions of cognitive paradigms by now (from the ones with billions of breaks, down to some with only ten or so exemplars). There's no doubt in my mind they have explored the use of machine learning to squeeze even more out of this heap (though I suspect it was pretty squeezed out, even before machine learning). I also suspect that as this model is refined, they deliberated re-target recalcitrant breaks from ages past, so as to feed these breaks back in

hunter2

[UnixUnix]

Damn. So THAT'S how he got me.

That's why all my passwords

are in ancient Aramaic -- break that Hashcat!

in my absence

work out your own salvation in fear and trembling

bullshit

There is strength in diversity.

Talmudic jibberish. Password entropy is purely about math. The more mathematical possibilities, the better.