Security Corner

Jan 30 2013   12:39AM GMT

All your secret are belong to us

By Ken Harthun

The eight-character password is dead. Every possible eight-character Windows password can now be broken in six hours using sophisticated but readily available hardware. A paper from the Oslo password-cracking conference gives details of how researcher Jeremi Gosney lashed together 25 AMD Radeon Graphics Processing Units (GPUs) into a specialized computing cluster and turned it on NTLM password hashes. You’ll need twenty rack units of space in a server room and an industrial-style power supply delivering 7kW. It’ll cost you about $20,000 to build.

As you probably already know, “NTLM relies on one of the easiest-to-crack hashing systems still in widespread use: a straight, unsalted, uniterated MD4 hash of your password,” according to this Sophos Naked Security post.

Not that any savvy administrator permits NTLM hashes anymore, but eight characters is simply not enough password length for these times. My shortest password used for critical systems is 10 characters, and I’m going to be increasing that to at least 14 in short order.

I recommend you do the same.
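To put numbers on the recommendation, here is an added example (not part of the original post) that works the post's own figures backwards: if every eight-character password falls in six hours, what hash rate does that imply, and how long would the same rig need for 10 or 14 characters? The 95-symbol printable-ASCII alphabet, the "full keyspace" interpretation of "all possible combinations", and the 10,000-iteration comparison are assumptions made here, not figures from the post; the iteration comparison goes slightly beyond the text to show why the "uniterated" part of the Sophos quote matters as much as length.

```python
"""Keyspace and time-to-exhaust estimates for brute-force password cracking.

Added example for the post above; the only numbers taken from the post are
"all 8-character passwords in six hours". Everything else is an assumption.
"""

PRINTABLE_ASCII = 95                 # assumption: upper + lower + digits + symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600
POST_LENGTH = 8                      # from the post
POST_SECONDS = 6 * 3600              # from the post: six hours


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_upto(alphabet_size: int, max_length: int) -> int:
    """All passwords of length 1..max_length, which a real exhaustive run must cover."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def implied_hash_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Hashes per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, length) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of the given length."""
    return keyspace(alphabet_size, length) / hashes_per_second


def years_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, hashes_per_second) / SECONDS_PER_YEAR


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits (one decimal place)."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0), ("seconds", 1.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def projection(lengths=(8, 10, 14), iterations: int = 1) -> dict:
    """Time to exhaust each length at the rate the post implies.

    `iterations` models a hash that is iterated N times per guess: the cracker's
    effective guess rate drops by that factor. NTLM is a single unsalted MD4,
    i.e. iterations == 1, which is the whole problem.
    """
    rate = implied_hash_rate(PRINTABLE_ASCII, POST_LENGTH, POST_SECONDS) / iterations
    return {n: seconds_to_exhaust(PRINTABLE_ASCII, n, rate) for n in lengths}


if __name__ == "__main__":
    rate = implied_hash_rate(PRINTABLE_ASCII, POST_LENGTH, POST_SECONDS)
    print(f"implied rate from the post's figures: {rate:,.0f} hashes/s")
    for n, secs in projection().items():
        print(f"{n:2d}-char, unsalted single-round hash: {human_duration(secs)}")
    # Same rig, but each guess costs 10,000 hash rounds (assumed work factor).
    for n, secs in projection(lengths=(8,), iterations=10_000).items():
        print(f"{n:2d}-char, 10,000-round hash:            {human_duration(secs)}")
```

The implied rate comes out near 3.1e11 hashes per second, which is why 10 characters buys only years and 14 characters buys geological time against this particular rig. The iterated-hash line is the other lever a defender controls: an iteration count stretches the eight-character run from hours to years without asking users for longer passwords, and the two levers compound.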

1  Comment on this Post

  • BigKat
    I use a password manager and so all of mine are 16-char, uppercase, lowercase, numbers, and symbols or as close to that as a site allows