It's Time to Kill Your Eight-Character Password

Senior editor, security and privacy

It's time to throw away any passwords of eight characters or less and replace them with much longer passwords -- let's say at least 12 characters.


That's because any password of eight characters or less that's been "hashed" using Microsoft's widely used NTLM algorithm can now be revealed in about the time it takes to watch a movie, thanks to advances in hash-cracking technology.

"The minimum eight-character password, no matter how complex, can be cracked in less than 2.5 hours," a hacker called "Tinker" told The Register yesterday (Feb. 14). "The eight-character password is dead."

MORE: Best Password Managers

Why your current passwords suck

The new speed record was set by a computer using eight Nvidia RTX 2080 Ti graphics cards, running the latest beta version of the open-source HashCat password-cracking program, as disclosed Wednesday (Feb. 13) by the official HashCat Twitter account. The cracking rig cracked 102.8 billion hashes every second.

A hash is what you get when you feed a password (or any data string) into a mathematical formula designed to spit out an indecipherable string of gibberish. Supposedly, that gibberish can't be reversed to reveal the original password. But that's exactly what password-cracking rigs do, thanks to the massive computing power provided by the latest graphics cards.

A Sagitta Brutalis password-cracking rig (not the one in this story). Credit: Sagitta HPCA Sagitta Brutalis password-cracking rig (not the one in this story). Credit: Sagitta HPC

Microsoft's NTLM hashing algorithm is admittedly a soft target. It's old, and better hashing algorithms are available today. But like a lot of Microsoft legacy software, NTLM is still widely used because it's compatible with everything.

Likewise, not everyone can afford to buy eight $1,200 state-of-the-art graphics cards to build a rig just to crack passwords. But a penetration tester (someone who's paid by companies to break into their own systems) on Twitter named Tom Ervin did the math and figured out that for $25, you could rent enough Amazon Elastic Cloud Computing number-crunching power to crack an eight-character NTLM password hash in about 12 minutes.

What you have to do, again

So to spare you the boring details: Change all your short passwords to longer passwords. If it's eight characters, make it 12 or 15 characters. If it's six characters, even just repeating it will give you a lot more security.

You want to use all 94 possible characters available on a basic computer keyboard, not just lower-case or upper-case letters.

Ideally, you want to make the text string completely random, although that also makes each password very difficult to remember. The pitfall is that anything that resembles a word -- even something like "tH1515n0T@w0rD" -- is going to be easier to crack than random gibberish like "BK809e)67w%iS/h".

The best option is to use a password manager that will both generate gibberish passwords and remember them for you. All you need to remember is the master password to access the password vault -- but of course, that master password should be about 20 characters of total gibberish.