8-Character Windows NTLM Passwords Can Be Cracked In Under 2.5 Hours

HashCat, an open-source password recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours. "Current password cracking benchmarks show that the minimum eight character password, no matter how complex, can be cracked in less than 2.5 hours" using a hardware rig that utilizes eight Nvidia GTX 2080Ti GPUs, explained a hacker who goes by the pseudonym Tinker on Twitter in a DM conversation with The Register. "The eight character password is dead." From the report: It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. According to Tinker, it's still used for storing Windows passwords locally or in the NTDS.dit file in Active Directory Domain Controllers. It's dead at least in the context of hacking attacks on organizations that rely on Windows and Active Directory. NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos. Tinker estimates that buying the GPU power described would require about $10,000; others have claimed the necessary computer power to crack an eight-character NTLM password hash can be rented in Amazon's cloud for just $25.

NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much. When security researcher Troy Hunt examined the minimum password lengths at various websites last year, he found that while Google, Microsoft and Yahoo set the bar at eight, Facebook, LinkedIn and Twitter only required six. Tinker said the eight character password was used as a benchmark because it's what many organizations recommend as the minimum password length and many corporate IT policies reflect that guidance. So how long is long enough to sleep soundly until the next technical advance changes everything? Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD, "correcthorsebatterystaple." That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

I'm changing mine

[reboot246]

Instead of 1 2 3 4 5, it will now be 1 2 3 4 5 6 7 8 9 0

Re:I'm changing mine

[EmagGeek]

Won't help though, because your luggage still has to have the government-imposed back door thanks to TSA.

Re:I'm changing mine

Don't forget to update your username to reboot247.

Re:Easy fix...

You're confusing the scenario. This is not about brute forcing a login form.

This is about having the hashed password saved in the domain controller (for example from a DB stolen in other ways) and forcing the password hashes there to get all the passwords in the DB.

People should be moving off NTLM

[athmanb]

Even NTLMv2 is now over 20 years old. It's unsalted, easily parallelizable and you can't adjust the number of hash operations performed. It just can't deal with the modern world. And Microsoft has had tools available for like 5 years now that make it possible to see whether you can disable NTLM, see https://johan.grotherus.com/20... for one writeup. If you have a decently sized environment, this probably won't be easy, but you should start sooner rather than later. As soon as you are able to pull the plug on it, a lot of the easy "pass the hash" attacks become impossible, and those are more dangerous than someone getting to your ntds.dit file in todays age of gratuitous hard disk encryption anyway.

And most people aren't able to create secure passphrases. You need to use completely independant words to actually get a good passphrase, and if someone doesn't understand the information entropy theory behind it, they'll automatically gravitate towards related words. And a passphrase like "housegardengreengrass" has an absolutely abominable complexity of like 20000 * 100 * 100 * 100 or 2^32.

Holy triplicates batman

[Mr_Silver]

Couple of questions:

• Is NTLM for organizations that rely on Windows and Active Directory?
• Isn't NTLM an old Microsoft authentication protocol and wasn't it replaced by Kerberos?
• Are these the Windows passwords stored locally or in the NTDS.dit file?

It wasn't entirely clear from the summary /s

Note to author

[sphealey]

Note to author: It was determined during WWII that repeating plaintext makes it far easier for an opponent to crack the cyphertext. Just sayin'.

Re:Note to author

[swillden]

Note to author: It was determined during WWII that repeating plaintext makes it far easier for an opponent to crack the cyphertext. Just sayin'.

This is wrong.

What you say was true of WWII-era ciphers, but with modern ciphers and constructions any system that is made easier to break by repeating plaintext is considered completely broken and discarded. We don't worry about repeated plaintext any more, we worry about ensuring that the output of the base cipher is indistinguishable from uniform random noise, and that the construction is randomized so that two encryptions of identical plaintext produce unrelated ciphertexts.

Also, your comment is off topic because encryption has nothing to do with password storage. You don't use an encryption cipher to secure passwords, you use a key derivation function, one designed specifically for passwords.

Crypto history is fascinating, and fun, but be careful applying its lessons to modern crypto.

Pro Password Recovery Guy Here

I have a datacenter full of Hashcat rigs - used to be my crypto mine but I re-purposed and now do fee-based password recovery for corporate and law enforcement clients.

Hashcat is pretty fun and has a scripting language of sorts for narrowing the attack space. If you have knowledge of the corporate password rules you're dealing with (which SIGNIFICANTLY reduce the attack space) it's actually not uncommon to discover even a complex password in a couple of days.

The bottom line is that everyone needs to use stronger passwords, and corporations really need to remove the impediments that reduce attack space.

As an example, let's take a simple example where a keyboard has all the capital and lowercase letters, and numbers 0 through 9. There are 52 possible letters and 10 possible numbers - 62 potential characters. An 8 character password has 62^8 or 218,340,105,584,896 possible combinations.

If I impose a rule that says you must have at least one capital letter, that more than halves the attack space because one combination drops from 62 possibilities to 26, and our new attack space is only 91,561,979,761,408.

If I say you have to have one capital letter and one number, that reduces a combination from 62 to 10, and our new space is only 14,768,061,251,840 passwords.

A GTX 1070 will do a Kerberos 5 password at about 145 million per second, so a single rack of 12 of them will do 1,740,000,000 passwords/second.

That means I can crack 8 characters, one capital letter and one number in a MAXIMUM of 8487 seconds, and that's assuming the correct password is the last one I try. That's less than 2.5 hours.

I have 200 of those racks in my farm, so it takes me longer to set up the job that it takes to completely exhaust that address space: 42 seconds.

So please, corporate America, keep right on with your silly password rules. They only make my job easier and more lucrative.

Re:Pro Password Recovery Guy Here

[Junta]

On the other hand, focus on character classes causes people to pick short passwords because they can only remember so much of that crap.

Focus on password length *and* character classes and people just can't do it.

Focusing on password length alone is the way to win, 'password' is a much worse mindset than 'passphrase'.

Re:Pro Password Recovery Guy Here

[Z00L00K]

So the summary is essentially that password rules opens a hole similar to what the Enigma machine had - the encrypted character could never be the same as the original, one of the rules that made it easier to crack instead of harder. There were other flaws as well.

Personally I would have introduced some added complexity to the Enigma in addition to allowing the encrypted character match the clear text character like space character and a few punctuation characters. Also the ability to select a varying number of wheels.

Re:Pro Password Recovery Guy Here

[kukulcan]

Your point might be right, but you need to count better.

As an example, let's take a simple example where a keyboard has all the capital and lowercase letters, and numbers 0 through 9. There are 52 possible letters and 10 possible numbers - 62 potential characters. An 8 character password has 62^8 or 218,340,105,584,896 possible combinations.

Right

If I impose a rule that says you must have at least one capital letter, that more than halves the attack space because one combination drops from 62 possibilities to 26, and our new attack space is only 91,561,979,761,408.

If I say you have to have one capital letter and one number, that reduces a combination from 62 to 10, and our new space is only 14,768,061,251,840 passwords.

No, with those conditions the space isn't 26*10*62^6, which is what you assumed - that's the space if you require that the first letter be uppercase, the second a number and the rest whatever.

With those conditions, you're removing from the original 62^8 space all the passwords that are just lowercase, which are 26^8. So your new password space is 62^8 - 26^8 = 218,131,278,520,320, which is 99,9% of the original space...

Re:Pro Password Recovery Guy Here

[theCoder]

The math for figuring out the exact numbers seems to me to be really difficult. Though maybe not as difficult as tedious in thinking about the various possibilities. It would probably make a nice question on a discrete math final. Well, nice from the professor's point of view at least.

Since I didn't want to compute it analytically, I once wrote a simple program to test it empirically. The program would generate random passwords and then test to see if they met the requirements. IIRC, with the rules in place in my employer, it threw out about 70% of all random passwords. It got worse as the passwords got longer because of rules limiting the number of consecutive characters of the same class. I.e., "foo1bar2baz3" is OK, but "foobarbaz123" was not.

Interestingly, while the password space was significantly reduced, it wasn't even an order of magnitude, let alone the effect of making the password length shorter. I agree with the OP that password rules do eliminate good passwords, especially of the XKCD kind "correct horse battery staple" (too many lower case characters in a row, no upper case, numbers, or symbols). However, if we didn't have the rules, there would be quite a few people whose password would be "password". Or if there was a length requirement, it would be "passwordpassword". So I am of mixed feelings on it. Even if I think eventually only the password "aA1!bB2@cC3#dD4$" will be viable if the security rules get any tighter.

inconsistent

[markdavis]

>"NIST's latest guidelines say passwords should be at least eight characters long. Some online service providers don't even demand that much."

The example given is an old method and assumes the cracker has access to the stored encrypted password. Then the discussion turns to a wide/broad generalization about ALL password lengths, and web sites were the example. This isn't logical. An 8 character password is way strong enough if you don't have access to the stored data and all you can do is try brute force- which is easily defeated by throwing in delays or limits.

It also depends on the method used to store the passwords, even if you have access to the stored data,

hmm

[cascadingstylesheet]

Tinker recommends a random five-word passphrase, something along the lines of the four-word example popularized by online comic XKCD, "correcthorsebatterystaple." That or whatever maximum length random password via a password management app, with two-factor authentication enabled in either case.

Except that every site has a different maximum number of characters, requires different special characters, some of them don't allow your favorite special characters, etc. So there's no way you can consistently use some complex patterns that you could actually possibly remember.

Doesn't work

[magarity]

NIST's latest guidelines say passwords should be at least eight characters long

I tried "at least eight characters long" but it said passwords could not contain spaces.

Re:It's dead at least in the context of hacking

[Spazmania]

NIST's SP 800-63 also says that passwords are supposed to be stored in a format resistant to offline cracking. NTLM never was particularly resistant and, like unix crypt was, should have been retired many years ago.

Different lengths for different needs

[FeelGood314]

If the password isn't protecting anything of value then 1 character will do - for example any site that makes you create an account so you can use it once.
If the attacker is rate limited and is only interested in one account then a 4 digit PIN will do - think bank cards
If the attacker can attack any one of 50,000 employees and is only rate limited per account a pass phrase of 4 words should be used.
If the attacker has the hash of the pass phrase then a pass phrase of 5 words should be used.
If the attacker has the hashes of 50,000+ phrases then a pass phrase of 6 words should be used.

8 random character passwords are useless, they too strong for the rate limited single account, impossible for 50,000 employees to remember and worthless against an attacker with the hash of the password.

You should also fire everyone involved in the 8 character, at least one upper, one lower, one number and one one special character and change your password every 3 months people. After 6 months almost every employee gives up on creating a strong password and uses a common 6 letter English word, capitalizes the first letter, puts in the number 1 and then a '!'. They then increment the number every 3 months.