3

With EFS I have C:\$USER\ encrypted so all files owned and used by said user are encrypted.

If this laptop is stolen, am I correct that they could pull the Microsoft user password hashes, crack them, then decrypt the files?

Unless things have changed, Microsoft account passwords aren't encrypted with a strong hashing algorithm, correct?

Philipp
Jason

2 Answers

5

It depends on how EFS is set up, and what version of NTFS you're using. For the purposes of this question, I'm going to presume a modern version of NTFS (i.e. >=3.0) on a modern operating system like Windows 8.1 or 10.

In a single-user environment outside of a domain, by default, files are encrypted in a 3-stage process. First, a random File Encryption Key (FEK) is generated and used to encrypt the file with 3DES or DESX. This key is then encrypted using a user-specific asymmetric key pair, and this encrypted key is stored in the file's metadata. The asymmetric key pair is stored on-disk in an encrypted form, using a key known as the DPAPI Master Key.

The DPAPI Master Key is derived from a combination of the user's NTLM password and their SID (unique identifier for the user). When I say the NTLM password, I mean their logon password, not the NTLM hash of their password. The EFS master key is derived using the Password Based Key Derivation Function (PBKDF2), which is sometimes referred to as "RFC 2898 derivation" in the documentation. This master key is not only used to store the EFS asymmetric key pair, but also any at-rest data protected by DPAPI.

Since the DPAPI key is derived from the user's NTLM password, cracking the NTLM hash gives you the information you need to derive the DPAPI key, which would allow you to decrypt the EFS asymmetric key pair, which in turn allows you to decrypt the $EFS streams which hold the FEKs, which in turn again allow you to decrypt file data. There are off-the-shelf tools for doing this in a forensic capacity.

However, there are other environments and configurations for EFS. For example, in a domain environment, it is possible to have EFS-protected files accessible from multiple users using domain-backed encryption certificates. In fact, even in single-user accessible EFS files, the EFS asymmetric pair can be domain-backed, allowing for EFS encrypted files to be accessed from any terminal regardless of where the file was initially encrypted. It is also possible to place either the DPAPI master key or the EFS asymmetric key pair for a user onto a smart card, thus bypassing the need for storage of them on disk at all. These configurations complicate the situation beyond the simple case of "crack NTLM and you get the EFS files".

Additionally, if you use BitLocker disk encryption, your DPAPI master keys can be encrypted using the BitLocker keys too, allowing them to be secured with a device such as a TPM, which can have additional authentication requirements (e.g. smart cards) before the keys are unlocked.

It should also be noted that, upon login, the system stores a cached copy of the DPAPI master key in memory in order to access certain encrypted memory segments and, of course, the EFS asymmetric key pair. If you're on a running system with administrative privileges, you can use a number of tools to dump the EFS keys, DPAPI master key, and LSA protected areas. This obviates having to crack the NTLM password at all.

Polynomial
1

Yes, if an attacker can crack your local password hash they can log in as you and have the same access to your encrypted files. You could export your EFS cert and private key to a PFX file protected with a separate password that would be harder to crack, but this would mean deleting it from your local key store when not in use and then importing it again every time you wanted to access your encrypted data. This may not be practical, especially if your entire user directory is encrypted.

Windows does still use the NTLM hash, which is one of the fastest hashes when it comes to cracking (which is bad). However, even with as bad as the hashing is, if you are using a truly random 12+ character password there is almost no chance an attacker will be able to crack it.

PwdRsch
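The export-and-remove routine described in the answer above, sketched in PowerShell as an added example (not code from either answer). The path `E:\efs-backup.pfx` and the function names are assumptions; the cmdlets come from the built-in PKI module on Windows 8.1/10.

```powershell
# Added example. $PfxPath is a hypothetical location; keep the PFX on removable
# media, not on the disk of the laptop whose files it protects.
$PfxPath = 'E:\efs-backup.pfx'
$EfsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage

function Get-EfsCertificate {
    # EFS certificates in the current user's store that still hold a private key
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
    }
}

function Export-EfsKey {
    param([string]$Path = $PfxPath)
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -ne 1) {
        throw "Expected exactly one EFS certificate, found $($certs.Count)."
    }
    $cert = $certs[0]
    $pw = Read-Host -AsSecureString 'PFX password (not the logon password)'
    Export-PfxCertificate -Cert $cert -FilePath $Path -Password $pw | Out-Null

    # Re-open the PFX before deleting anything: a bad export would otherwise
    # leave the encrypted files unrecoverable.
    $check = Get-PfxData -FilePath $Path -Password $pw
    if ($check.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw 'PFX verification failed; local key left in place.'
    }

    # Remove the certificate and its private key from the local store, then
    # drop the EFS keys Windows caches for the current logon session.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    cipher /flushcache | Out-Null
}

function Import-EfsKey {
    param([string]$Path = $PfxPath)
    $pw = Read-Host -AsSecureString 'PFX password'
    # -Exportable keeps the key exportable so Export-EfsKey can run again later
    Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My `
        -Password $pw -Exportable
}
```

With the key removed, EFS-protected files stay unreadable until `Import-EfsKey` is run, even for someone who knows the logon password.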