There have been password-cracking tools available to anyone for a long time, and they have often been helpful in assessing the strength of passwords that your users might choose. They can also be helpful in convincing management to require better security in your organization.

While this might not be something you spend a lot of money on, perhaps there are a few others in your organization that might let you borrow an Nvidia RTX 4090. If you get 8 of them in a system, you can probably crack an 8 character Microsoft NTLM password in under an hour. That was what a group found when testing the new GPU.

This likely doesn't mean we change security policies, or that someone can guess our password in an hour. It does mean that the world of computing hardware continues to advance and that can make security challenging. We ought to ensure that our privileged users follow strong practices and protect their systems and their credentials.

I used to periodically run a password cracker against SQL-authenticated logins in our databases to be sure that strong passwords were in use. My boss was alarmed when we found passwords like "password" and "12345", but the effort to get people to change was high. Eventually, he asked me to just stop cracking passwords.

I know passwords aren't perfect, but they ought to be somewhat strong and long. We might not be able to prevent everyone from unauthorized access, but we can stop making it easy with the simplest of common password choices.