Hashcat 6 with 8 x 2080ti cracks 8-character passwords in 2:30h on benchmarks (twitter.com/tinkersec)
13 points by drexlspivey on Feb 14, 2019 | 14 comments



Does it matter what encryption was used for the passwords? I'm really lacking on the subject. Impressive results nonetheless.

Also besides using a longer password, is there anything else that can be done to harden my passwords?


The tweet was about NTLM, so presumably MD4, but other common hash algorithms are likely only going to add a few hours to the result at this point. This wasn't some crazy amount of hardware either. A more modest single GPU setup could still crack the password in less than a day.


> other common hash algorithms are likely only going to add a few hours

Hash algorithms or password hash algorithms? Because if the former I'd completely disagree, it would be closer to hundreds of years with a modern algorithm like Argon or even old stalwarts like Bcrypt with higher cost parameters.

The Twitter statement is ridiculous: password length isn't the problem here, it's poorly secured credentials. I was under the impression that NTLM was deprecated anyway?

Edit: Going off this benchmark[0] of 19000 H/s for a single 2080 crunching bcrypt. The keyspace for alphanumeric(62) + password symbols(23) with 8 characters = 85^8 = 2.72 x 10^15

At 19000 H/s it will take 143416065810 seconds to go through every permutation. So around 4547 years worst case scenario. Add 7 more GPUs like in the OP's rig and that's 568 years.

The birthday problem doesn't apply here to finding a _specific password_, so on average you're looking at 284 years with 8x 2080 GPUs.

All modern algos from the last Password Hashing Competition were designed to be memory hard (or at least offer it as a parameter) to resist GPU attacks and would be pushing these numbers up a magnitude or two.

8 character passwords aren't dead.

[0] https://gist.github.com/Chick3nman/d03c0d696699af2886c340425...
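An added calculator, not code from the thread, that reproduces the brute-force estimate in the comment above (85-symbol charset, 8 characters, 19000 H/s per GPU) and generalizes it to other charsets, hash rates and GPU counts; the doubling of work per bcrypt cost increment is a property of bcrypt, not a figure taken from the comment.

```python
# Brute-force cost estimator for the figures in the comment above (added example).
# Inputs from the comment: 62 alphanumerics + 23 symbols = 85, length 8, 19000 H/s.
SECONDS_PER_YEAR = 365 * 24 * 3600  # 365-day year, matching the comment's rounding


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` over `charset_size` symbols."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, hashes_per_sec: float,
                       gpus: int = 1, cost_delta: int = 0) -> float:
    """Seconds to exhaust the keyspace.

    cost_delta is the number of bcrypt cost increments above the benchmarked
    cost; each increment doubles the work per hash (bcrypt property, not a
    number from the thread), so it halves the effective hash rate.
    """
    effective_rate = hashes_per_sec * gpus / (2 ** cost_delta)
    return keyspace(charset_size, length) / effective_rate


def average_case_seconds(charset_size: int, length: int, hashes_per_sec: float,
                         gpus: int = 1, cost_delta: int = 0) -> float:
    """Expected time to hit one specific password: half the keyspace on average."""
    return worst_case_seconds(charset_size, length, hashes_per_sec, gpus, cost_delta) / 2


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def comment_figures() -> dict:
    """Recompute the numbers quoted in the comment (85^8 keyspace at 19000 H/s)."""
    single = worst_case_seconds(85, 8, 19000)
    return {
        "keyspace": keyspace(85, 8),                 # 2724905250390625 (~2.72e15)
        "single_gpu_seconds": int(single),           # 143416065810
        "single_gpu_years": int(years(single)),      # 4547
        "eight_gpu_years": int(years(worst_case_seconds(85, 8, 19000, gpus=8))),    # 568
        "eight_gpu_avg_years": int(years(average_case_seconds(85, 8, 19000, gpus=8))),  # 284
    }


if __name__ == "__main__":
    for name, value in comment_figures().items():
        print(f"{name}: {value}")
```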


Back in the real world you don’t get to choose any of these fancy hashes when implementing an Active Directory.


I've preferred using phrases for a couple of years now whenever possible. Makes remembering easier. Spice it up by inserting a symbol somewhere or capitalizing every nth word.


How long are your passphrases, preferably? I've encountered issues with many websites that limit passwords to fewer than 32 characters, which isn't long enough for my passphrases.

This is partly due to the cost of calculating hashes growing with the password length, so they limit password length to prevent DoS.


Mine are between 20 and 30, but I've still experienced that. Those offending ones usually limit to much less, like 16.


2FA


Isn't so secure either. Kids were getting on the AOL LAN in the 90s by creatively working around 2FA.


Just use that GPU power to generate rainbow tables once, which can then use the space/time tradeoff to perpetually find passwords in seconds without a GPU. Brute-forcing one hash at a time is pointlessly wasteful if you have the storage.


Except under standard industry practices each hashed password has a unique salt.


How much storage would hashing every combo with every salt take? Is it still possible?


A rainbow table for 8 chars would be 50-100 TB. If you add an 8-byte salt to each password, multiply that number by 256^8.


NTLM doesn't use a salt. It's 128 bits. That's within the realm of nation states and there's at least one public sparse NTLM rainbow table. And I said, "if you have the storage," which you dishonestly ignored. Nice try, bucko. Got any more red herrings that aren't relevant?



