Is it possible to brute force all 8 character passwords in an offline attack?
As per this link, with speed of 1,000,000,000 Passwords/sec, cracking a 8 character password composed using 96 characters takes 83.5 days. Research presented at Password^12 in Norway shows that 8 character NTLM passwords are no longer safe. They can be cracked in 6 hours on machine which cost ~$8000 in 2012.
One important thing to consider is which algorithm is used to create these hashes (assuming you are talking about hashed passwords). If some computationally intensive algorithm is used, then the rate of password cracking can be reduced significantly. In the link above, author highlights that "the new cluster, even with its four-fold increase in speed, can make only 71,000 guesses against Bcrypt and 364,000 guesses against SHA512crypt."
I saw this is not updated to 2018.
Hashcat breaks an 8 chars full coverage (a-zA-Z0-9!-=) password in 26 days on a single 1080 Nvidia GPU.
Here's a picture of a mining rig with GPUs that could also just as well be set up for hash cracking:
Possible? yes, but what brute force recovery duration is accepted as possible? Some numbers for 8 chars PW if randomly chosen from a 94 character set:
- Windows PW (NTLM:1), using the above metioned 25 GPU recovery monster: 2.2 hours on average
- WiFi (PBKDF2/SHA1:4096) using an 8 GPU recovery system: 98 year on average
- 7ZIP (PBKDF2/SHA256:262144) using an 8 GPU recovery system: 26 centuries
So it is 'possible' for certain cases for us, may be yes in all above cases for some agencies.
Suppose your set of 'obtained' hashes contained 5 million password hashes, then even for the 98 year WiFi case, 145 keys will be found on day 1 (on average). If your password is amongst them, then you experience that also for the WiFi case it is indeed possible! .... if my calculations are right