Effect of hash type and password policy

passwdqc vs. KoreLogic's DEFCON 2010 contest passwords

- Of the MD5-based crypt(3) hashes, teams cracked 33%
  - passwdqc with default policy would permit 3.5% of cracked or 1.1% of all
  - When a user's desired password is rejected, the user would not always pick a password that would not get cracked. Estimate: 1.9% would be crackable.
  - Of the uncracked passwords, passwdqc would reject 45% and permit 55%
- Of the NTLM hashes, teams cracked 94%
  - passwdqc with default policy would permit 35% of cracked or 33% of all
  - Estimate: 53% would be crackable
  - Of the few uncracked passwords, passwdqc would reject 14% and permit 86%
- To withstand offline attacks, both a decent hash type and a decent password policy should be used at once