Free Republic

To: cymbeline
As part of my job I do penetration testing for banks, credit unions and medical firms.

An 8 character PASSWORD for Windows is weak!
In Unix systems it is a little better because of the hash that is used but not enough in my opinion.

A Windows NTLM 8 character password can be cracked in UNDER 6 HOURS!!! This was demonstrated on a cluster of computers with GPU graphics cards .... in 2012. The same capability can be built for less than $15,000 today. Heck, you can even RENT the system from a cloud provider. Many customers still use and support NTLM for backwards compatibility.

I recommend that everyone adopt a pass PHRASE. For example, "I love Denver!" is 14 characters and complex. If you really want to tighten things up, go with multi-factor authentication.

Remember, the login screen and password is the LAST line of defense. If that is compromised, there is very little left in terms of what can be done to protect the enterprise.

/soapbox

19 posted on 02/08/2018 8:40:18 AM PST by taxcontrol (SStupid should hurt)
[ Post Reply | Private Reply | To 2 | View Replies ]


To: taxcontrol

“In Unix systems it is a little better because of the hash that”

I see what you’re saying. A computer needs to have something inside of it so it knows when the correct password is typed. That “something” is the password that has been encrypted (hashed).

Hmmm. So if the hacker knows how this encryption scheme works, and can find the encrypted password within the computer, he can compute the correct password.

The password thing is one aspect of hacking. The other aspect is a hacker getting harmful programs executed in the computer. This aspect is the biggest problem for me at home - something happens and all of a sudden my computer is messed up. Or maybe it’s having harmful stuff put into the registry, or having my browser messed with.


24 posted on 02/08/2018 9:25:34 AM PST by cymbeline
[ Post Reply | Private Reply | To 19 | View Replies ]
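The two posts above make two points that are easier to see in code: that a 14-character passphrase like "I love Denver!" has a vastly larger search space than an 8-character "complex" password, and that the "something inside the computer" is a stored hash that lets the machine check a typed password without keeping the password itself. The following is an added example, not code from either poster. It assumes a constructed guess rate (`ASSUMED_FAST_HASH_GUESSES_PER_SECOND`) and an assumed PBKDF2 iteration count; it uses salted PBKDF2-HMAC-SHA256 as a stand-in for "a better hash" rather than reproducing NTLM or any specific Unix scheme, and the rate reduction it models for a slow hash is a simplification.

```python
"""Added example: password search space versus guess rate, and a salted,
slow password verifier. Figures marked as assumed are constructed for
illustration, not measurements of any particular cracking rig."""
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Printable ASCII (letters, digits, punctuation, space): 95 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Assumed guess rate against a fast, unsalted hash (constructed figure).
ASSUMED_FAST_HASH_GUESSES_PER_SECOND = 1e12

# Assumed PBKDF2 iteration count (a tuning knob, not a figure from the thread).
PBKDF2_ITERATIONS = 200_000


def keyspace(length: int, alphabet_size: int = len(PRINTABLE)) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(PRINTABLE)) -> float:
    """Bits of entropy if every symbol were chosen uniformly at random.
    A real phrase like 'I love Denver!' is below this ceiling, but the
    length advantage over 8 characters remains large."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = len(PRINTABLE)) -> float:
    """Worst-case hours to try every candidate at a constant guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 3600.0


def effective_guess_rate(fast_rate: float, iterations: int = PBKDF2_ITERATIONS) -> float:
    """Simplified model: each PBKDF2 guess costs `iterations` underlying hash
    computations, so the attacker's rate drops by roughly that factor."""
    return fast_rate / iterations


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password get different digests, so one precomputed table
    cannot serve every stolen hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest for the typed password and compare in constant time;
    the stored digest is all the machine needs to recognise the right password."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    fast = ASSUMED_FAST_HASH_GUESSES_PER_SECOND
    slow = effective_guess_rate(fast)
    for label, length in (("8-char complex password", 8),
                          ("'I love Denver!' (14 chars)", 14)):
        print(f"{label}: {entropy_bits(length):.1f} bits max, "
              f"{hours_to_exhaust(length, fast):.3g} h at the assumed fast-hash rate, "
              f"{hours_to_exhaust(length, slow):.3g} h against PBKDF2")
    salt, digest = hash_password("I love Denver!")
    print("correct passphrase accepted:", verify_password("I love Denver!", salt, digest))
    print("wrong case rejected:", verify_password("i love denver!", salt, digest))
```

Run it as a script to print the comparison; the 14-character line is larger than the 8-character line by a factor of 95 to the sixth power, which is why adding length beats adding symbol classes, and the PBKDF2 column shows why a slow, salted hash stretches the same budget of guesses over far more time.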

To: taxcontrol
As part of my job I do penetration testing for banks, credit unions and medical firms.

An 8 character PASSWORD for Windows is weak!

Pen testing and password cracking are two different things. Unless you can show a way to get the password hashes without insider access. But once you are a rogue insider, you have everything; cracking passwords is just gravy.

37 posted on 02/08/2018 12:41:51 PM PST by palmer (...if we do not have strong families and strong values, then we will be weak and we will not survive)
[ Post Reply | Private Reply | To 19 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson