Cracking 14 Character Complex Passwords in 5 Seconds

There has been a lot of talk recently in the security community about high speed GPU (video card) processors being able to crack passwords very quickly.

But there is a technology that can crack them even faster. A Swiss security company called Objectif Sécurité has created a cracking technology that uses rainbow tables on SSD drives.

Apparently it is the hard drive access time and not the processor speed that slows down cracking speed. So using SSD drives can make cracking faster, but just how fast?

One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds. So, how long would a long complex password hold up to the SSD based cracking technology?

Sounds like we need to put this to the test. Most hackers will crack passwords by decoding the password hash dumps from a compromised computer. So, I pulled several 14 character complex password hashes from a compromised Windows XP SP3 test machine, to see how they would stand up to Objectif’s free online XP hash cracker. The results were stunning.

Let’s start out with an easy one. Here is the Administrator password hash from the machine:


And putting this into Objectif’s tool we get this response:

Password: Empty password…
Time: 2 seconds

Administrator didn’t set a password, that’s not good…

Okay, that wasn’t 14 characters, let’s try a hard one.

How about this one:

Hash: 17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4

And the response:

Password: 72@Fee4S@mura!
Time: 5 Seconds

Wow! That took only 5 seconds and that is a decent password.

Let’s try a few more:

Hash: ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350
Password: (689!!!<>”QTHp
Time: 8 Seconds

Hash: d4b3b6605abec1a16a794128df6bc4da:14981697efb5db5267236c5fdbd74af6
Password: *mZ?9%^jS743:!
Time: 5 Seconds (Try typing that in every day!)

And finally:

Hash: 747747dc6e245f78d18aebeb7cabe1d6:43c6cc2170b7a4ef851a622ff15c6055
Password: T&p/E$v-O6,1@}
Time: Okay, this one really pushed it to the limits, it took a whole 11 seconds to crack!
(* Ran it through a second time later on and it got it in 3 seconds!)

Very impressive, it took only five to eleven seconds in this test to crack 14 character complex passwords. I was able to create a password that Objectif’s site couldn’t decode; it was using characters from the extended ASCII set. But, unfortunately, I could not log into the XP system using it either. 🙂

Want to see how a password would do without having to exploit a system and dump the password hashes? Objectif allows you to put a password in and it will convert it for you. Then you can place the hash into the cracker and see how it does.

Granted, these are Windows LM Hashes and not the more secure Windows 7/ Server 2008 NTLM based hashes. But, I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure. Many companies and government facilities are moving away from using just passwords to dual authentication methods. Biometrics and smartcards are really becoming popular in secure facilities.
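An added example (not from the original post or from Objectif Sécurité): a small Python audit of dumped `LM:NT` pairs that flags accounts still storing an LM hash and compares the search space of two 7-character halves with that of one 14-character value. The account labels, the two constructed rows and the 96-symbol alphabet are assumptions; the two real pairs are the ones quoted above.

```python
import re

# Well-known constants: the LM value of an empty 7-byte half, and the NT hash
# of the empty password. Dump tools commonly print the doubled LM constant
# when no LM hash is stored for an account.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

def classify(pair):
    """Classify one 'LM:NT' pair by what its LM field gives away."""
    lm, _, nt = pair.strip().lower().partition(":")
    if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
        raise ValueError(f"not an LM:NT hash pair: {pair!r}")
    first, second = lm[:16], lm[16:]  # each half can be looked up on its own
    if first == second == EMPTY_LM_HALF:
        return "blank password" if nt == EMPTY_NT else "no LM hash stored"
    if second == EMPTY_LM_HALF:
        return "LM stored: password is 7 characters or fewer"
    return "LM stored: 8-14 characters, two independent 7-character halves"

def search_space(charset, length=14, lm=True):
    """Worst-case number of candidates for a password of the given length."""
    if not lm:
        return charset ** length
    # LM hashes each 7-character half separately, so the costs add up
    # instead of multiplying. (LM also upper-cases, shrinking charset.)
    return charset ** min(length, 7) + (charset ** (length - 7) if length > 7 else 0)

# Two hash pairs from this post plus two constructed rows (labels are made up).
DUMP = {
    "post-1": "17817c9fbf9d272af44dfa1cb95cae33:6bcec2ba2597f089189735afeaa300d4",
    "post-2": "ac93c8016d14e75a2e9b76bb9e8c2bb6:8516cd0838d1a4dfd1ac3e8eb9811350",
    "blank (constructed)": EMPTY_LM_HALF * 2 + ":" + EMPTY_NT,
    "lm-off (constructed)": EMPTY_LM_HALF * 2 + ":" + "0123456789abcdef" * 2,
}

def audit(dump):
    """Map each account label to its classification."""
    return {account: classify(pair) for account, pair in dump.items()}

if __name__ == "__main__":
    for account, verdict in audit(DUMP).items():
        print(f"{account:22} {verdict}")
    print(f"LM, 14 chars: {search_space(96):.2e}  "
          f"single 14-char hash: {search_space(96, lm=False):.2e}")
```

Any account reported as "LM stored" needs LM hash storage turned off and a password change afterwards, since the old LM value stays in place until the password is set again.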

And if the rumors are true, it looks like Microsoft may include facial recognition authentication in the next version of Windows. Time to dust off the old Web Cam…


Curious how long Windows 7 NTLM can hold up to password hash attacks? Check out “NTLM Passwords: Can’t Crack it? Just Pass it!”

Or prefer just Pulling Passwords in Plain Text instead of having to crack them? Check out Mimikatz.

42 thoughts on “Cracking 14 Character Complex Passwords in 5 Seconds”

    1. The free online scanner only handles LM hashes. But, Objectif Sécurité is the creator of Ophcrack, which does work against NTLM hashes.

      If anyone has an SSD drive and runs Ophcrack on it against NTLM hashes, I would love to know the outcome.

      According to the article on “The Register” Objectif was running the online XP cracker on an Athlon 64 X2 4400+ with an SSD drive. I would love to see what a newer rig would do.

  1. You realize that LM hashes are 7 characters max right? So your 14 character password is really just two 7 character passwords. That’s why it’s so fast. The title of your article is horrifically misleading.

    1. I put a 14 character complex password in Windows XP, do a hash dump, put it into Objectif’s online cracker and get the password as typed, in about 5 seconds.

      I guess I don’t see what part of that is misleading from the title?

      1. What is misleading is that it is not a true 14 character password. It is two 7 character passwords which are hashed separately. Yes it may not seem different but if there is a 96 character set (upper + lower case letters + numbers + common symbols) – 7 characters is around 75 trillion possible combinations. 2 * 75 is around 150 trillion possible combinations, but a 14 character password with 96 characters is around 5 octillion combinations. 75 trillion * 2 or 75 trillion ^ 2. See the difference? This would not be as fast with a real 14 character password. NTLM has been broken for a long time.

      2. Thank you for the input. True, NTLM hashes are stored in two separate 7 character lots. But users feel safer when they are told endlessly to use longer, complex passwords.

        What this post shows is that from a common, every day Windows XP machine (that has LM hashing enabled by default), it doesn’t matter if you enter a 4 character password, 7 character or 14. Or how complex it is. Technology exists that can crack it in about 5 seconds.

        The speed of the SSD based cracker is much faster than anything else out there.

  2. The high cracking speed is from Objectif’s use of SSD drives but also the storage of passwords in the weaker LM Hash method.

    If you have a Windows XP machine, a Windows Server 2003 Server (including Domain Servers!), or earlier, your system by default stores passwords in this way.

    Directions for turning off the storage of the LM Hash can be found on Microsoft’s website:

  3. Those Swiss are getting sloppy: after producing secure encryption devices that add the encryption key at the end of the message now they try to make money out of exploiting the NTLM password hash flaw introduced by the idiot who designed it.

  4. It is very cool to see an implementation using SSD drives. I keep an 80GB, SATA disk laying around filled with rainbow tables and it can take up to about 10 minutes max (through a USB connection to the drive) to find/compare the correct LM hashes.

    As others have said, LM supports 14 character password max and splits that into two 7 character passwords. So each 7 character half is hashed separately. The method used here is a simple hash comparison. If you have two passwords exactly the same, hashed via LM, the hash will be the same. Now, if you have two NTLM passwords, the same, the hash will be different as there is “salt” or variance added to the algorithm.

    This prevents the simple hash comparison via rainbow tables that can be accomplished for LM hashes.

    Good post though, thanks for the information.

    1. Thanks for visiting. Checked out your site, it looks pretty interesting!

      True, Linux has been using Salted passwords forever. But because Windows is concerned about backward compatibility, LM hashes are still around.

      I saw a report that mentioned that Sharepoint still uses LM hashes too.

      The raw speed of the SSD drive is what just amazes me. As you said the online cracker is basically doing lookups on two separate 7 character passwords, so in effect it is cracking two 7 character passwords in about 5 seconds.

      Very impressive indeed!

      1. Yeah you are very right on LM hashes still being around and widely used. On actual computer forensics cases or during the course of pen-testing that I perform many people are still using XP with passwords under 14 characters with the default LM hash.

        As far as I’m concerned, anything that speeds up the process is good news to me :]

        I had not seen this free service by Objectif either. Pretty nice. I think it is inspiring me to dedicate an SSD just for this purpose.

  5. I just wanted to thank everyone for sharing this article and passing it along. Since it was released last week this article very surprisingly has been read over 10,000 times and I have read excerpts of it in 4 different languages!

    I want to thank too all those who have chipped in comments on this article on this site and other sites linking to it. You have provided some great information for users on password storage techniques and safety tips!

    Thank You!

    Oh, and by the way, a recent report stated that 74% of business computers are still using Windows XP. Please turn off LM Hashing! 🙂


  6. I found a simple, cheap way to protect against this kind of password cracking: I just don’t use them. In fact, I’m not even using PC’s anymore. Period. Crack that hackers!

  8. Have you heard about the new plant DNA genetic encoding used on some cards? Some plants have more complicated DNA than animals.

    My son says more intellect than public officials as well.

  9. It’s nearly impossible to find experienced people on this subject, however, you sound like you know what you’re talking about! Thanks

  10. Does this only work for very easy passwords? My Hash turns up no results:

    1. I have used some pretty crazy passwords and it has gotten them. Is it using characters from the extended ASCII set? I don’t think it will get some of them, but I have also had trouble trying to log into Windows XP using them also.

      1. No extended characters from the ASCII that I’m aware of. I know the password length is 11 places. Have you tried any passwords in your tests that include spaces? I’m not clear if the password hash above does either way. Any suggestions on any sites that run the extended char sets for free?

      2. Ahh spaces, haven’t seen too many password crack lists that include a lot of spaces. I thought about making a password that was just 16 spaces, lol!

        Have you tried Hashcat? I have a couple tutorials on the blog here.
