NTML Passwords Insecure

Use of 8-char NTML Passwords No Longer Secure

Hashcat is the world’s fastest and most advanced password recovery utility. This software on its 6.0.0 beta version can now crack eight-character Windows NTML passwords hash under 2 hours 30 minutes.

A hacker under the pseudonym “Tinker” explained in a Twitter post that:

“New benchmark means that the entire keyspace, or every possible combination for an 8-character password can be guessed in: 2.5 hours using as hardware 8 x Nvidia GTX 2080Ti GPUs against NTLM hashes”.

This will affect organizations that rely on Windows and Active Directory. NTML was an old authentication schema, which was replaced by Kerberos. However, it is still used to store passwords locally or in the NTDS file in the Active Directory.

According to Tinker, the GPU power described would require about $10,000 to buy, however, the same power can be rented on Amazon’s cloud just for $25.

The National Institute of Standards and Technology described on their latest guidelines that the minimum password length should be eight.

In the past years, the security research Troy Hunt analyzed the minimum password length requirements for different websites. On one hand, he discovered that Google, Microsoft and Yahoo were set to eight. On the other hand, Facebook, LinkedIn and Twitter were six.

As a countermeasure Tinker recommend using a random five-word passphrase. For example: “correcthorsebatterystaple” as a password. Another alternative is the use of a maximum length random password via a password management app, with two-factor authentication enabled.

If you’d like to read more about best practices in password management, you can learn more here.