I assume when they say NTLM they mean NTLMv2... they've got to, right? The latter was introduced in NT4.0 SP4... I wonder if it's set as the minimum allowable authentication scheme yet; I remember forcing it to be on at least Win2k.
It's pretty niche though, wanting to crack NTLM passwords? I would have thought the big money is in cracking whatever password hash format is the most commonly used on e-commerce sites these days? I guess cracking NTLM passwords is still handy if the attacker has found a way in to a corporate network and are at the point of trying to access the main company file shares. Chances are though that if an attacker has reached that stage, they've already gained the credentials of at least one employee, and finding an employee with a decent level of access who is dumb enough to fall for phishing tactics probably isn't too hard
The case here is they have already hacked the site and got the users encripted pw's out, so they have a list of x thousand encripted passwords. If they can decript some of those pw's then they can logon to the site as that user, get their credit card details, send emails in their name, etc.
So you have your file of pw's using some encription method (only makes a minor difference which one), and your box full of 4090's. With the 4090's you can try every variant of up to 8 character pw in 1 hour or so - i.e. the 4090's take an unencripted random 8 chars, encript it, test it against the list of encripted pw's it has, tick off any that match, switch the chars, and repeat until every combination has been tested. Hence any 8 characters or less pw will get broken, no matter what it is or what encription scheme is used or how clever the pw owner thinks they were with the choice of characters.
Obviously that's brute forcing - they will also run against a dictionary of words (which is not just the oxford english dictionary, it'll be words that have been repeatedly found in previously broken pw files) and have a set of rules. The rules are all the ones that users do like add a ! or some numbers to the end or replace e with 3, or whatever. Again these rules are generated by looking at what people have done in other cracked pw files. So before/after your 8 char crack they can run a rule based check and probably get most much longer pw's.
Hence the safest pw would be a very long completely random one, but really the only way we as humans can manage that is with a password program that generates and stores them for you - e.g lastpass. Only the problem there is what happens if your pw generator and storage program gets hacked - and yes lastpass was hacked last year.
www.techrepublic.com
Facebook
Twitter