Skip to main content

It's Time to Kill Your Eight-Character Password

It's time to throw away any passwords of eight characters or less and replace them with much longer passwords -- let's say at least 12 characters.


(Image credit:

That's because any password of eight characters or less that's been "hashed" using Microsoft's widely used NTLM algorithm can now be revealed in about the time it takes to watch a movie, thanks to advances in hash-cracking technology.

"The minimum eight-character password, no matter how complex, can be cracked in less than 2.5 hours," a hacker called "Tinker" told The Register yesterday (Feb. 14). "The eight-character password is dead."

MORE: Best Password Managers

Why your current passwords suck

The new speed record was set by a computer using eight Nvidia RTX 2080 Ti graphics cards, running the latest beta version of the open-source HashCat password-cracking program, as disclosed Wednesday (Feb. 13) by the official HashCat Twitter account. The cracking rig cracked 102.8 billion hashes every second.

A hash is what you get when you feed a password (or any data string) into a mathematical formula designed to spit out an indecipherable string of gibberish. Supposedly, that gibberish can't be reversed to reveal the original password. But that's exactly what password-cracking rigs do, thanks to the massive computing power provided by the latest graphics cards.

A Sagitta Brutalis password-cracking rig (not the one in this story). Credit: Sagitta HPC

(Image credit: A Sagitta Brutalis password-cracking rig (not the one in this story). Credit: Sagitta HPC)

Microsoft's NTLM hashing algorithm is admittedly a soft target. It's old, and better hashing algorithms are available today. But like a lot of Microsoft legacy software, NTLM is still widely used because it's compatible with everything.

Likewise, not everyone can afford to buy eight $1,200 state-of-the-art graphics cards to build a rig just to crack passwords. But a penetration tester (someone who's paid by companies to break into their own systems) on Twitter named Tom Ervin did the math and figured out that for $25, you could rent enough Amazon Elastic Cloud Computing number-crunching power to crack an eight-character NTLM password hash in about 12 minutes.

What you have to do, again

So to spare you the boring details: Change all your short passwords to longer passwords. If it's eight characters, make it 12 or 15 characters. If it's six characters, even just repeating it will give you a lot more security.

You want to use all 94 possible characters available on a basic computer keyboard, not just lower-case or upper-case letters.

Ideally, you want to make the text string completely random, although that also makes each password very difficult to remember. The pitfall is that anything that resembles a word -- even something like "tH1515n0T@w0rD" -- is going to be easier to crack than random gibberish like "BK809e)67w%iS/h".

The best option is to use a password manager that will both generate gibberish passwords and remember them for you. All you need to remember is the master password to access the password vault -- but of course, that master password should be about 20 characters of total gibberish.

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.