Are you using an 8 character NTLM password? Its high time you changed it. HashCat, an open source password recovery tool can now crack your password within less than 2.5 hours, that is definitely less than the time taken to watch a movie!
Security researcher Steven Myer has found that an eight-character password could be brute forced in 44 days or in 14 seconds if one uses GPU and rainbow tables. In 2015 Developer Jeff Atwood has said that the average password length has been around eight characters and has not changed much. With the increasing rate of stolen credentials coming up for sale on dark web markets, its high time we thought about our password strengths.
Eight character passwords are dead, at least in the context of hacking attacks on organizations that depend on Windows and Active Directory. NTLM is an old Microsoft authentication protocol and has been replaced with Kerberos since then.
Most of the organizations recommended a minimum length of eight characters for passwords and many corporate IT policies reflect the same. Minimum password lengths for various websites like Google, Microsoft and Yahoo were set to a mark of eight whereas social media websites like Facebook, Twitter and LinkdIn only require six.
Ultimately how long should safe enough is still something to ponder upon. Tinker recommends a random 4 or 5 word passphrases to be set as your password even though it would be a huge toll on your memory.
