Eight RTX 4090s Can Break Passwords in Under an Hour

RTX 4090 Founders Edition
(Image credit: Nvidia)

Security researcher Sam Croley took to Twitter to share just how incredible Nvidia's new RTX 4090 really is... at cracking passwords. It turns out it's twice as fast as the previous leader, the RTX 3090, at breaking one of your passwords, even when faced off against Microsoft's New Technology LAN Manager (NTLM) authentication protocol and the Bcrypt password-hashing function.

Essentially, this means that any wealthy gamer sporting the RTX 4090 can crack an average password in a matter of days — and that's if you follow good password-setting practices (and most of us definitely don't).  

The benchmark used, HashCat v6.2.6, is a renowned password-cracking tool that is best left in the hands of system administrators and cybersecurity professionals (Croley was a core programmer on it, by the way). It allows researchers to test or guess user passwords in the few situations that might require it.

Unfortunately, this means that cybercriminals can do it, too. And with the evolution in graphical user interfaces (GUIs) and the ease of use of these programs in modern computers sporting a high-performance graphics card, it's become easier than ever to deploy these tools.

In testing, the RTX 4090 trumps the RTX 3090 in almost every algorithm with almost doubled performance — which isn't that shocking, even if that still represents a higher performance improvement than we see in the RTX 4090's graphics performance. This is likely the result of Nvidia still investing a lot of its graphics chip design development to increase its performance on the data-center side. The RTX 4090 shone across the several attack types provided in the HashCat software: dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force attacks.

The researchers estimate that a purpose-built password hashing rig (pairing eight RTX 4090 GPUs) could crack an eight-character password in 48 minutes. According to 2017 data from Statista, 8-character passwords are the most common among leaked passwords, commanding a 32% share of them. This doesn't mean that they're the least safe; it just very likely means that this is the most common password length. And they can now be taken out in under an hour by a "specialized" hashing rig.

Of course, that assumes that the password is at least eight characters long and that it follows the required conventions (at least one number and a special character included). When HashCat is driven to test the most commonly used passwords, however, it can bring a theoretical 48-minute cracking operation that attempted all 200 billion possible combinations down to the millisecond range. But then, that was to be expected: even a human would be extremely fast in cracking a password such as "123456", apparently the most common password of 2021.

Another interesting element to note is that password cracking naturally has an associated cost; investing in a $1,600 RTX 4090 is costly, and each attempt at cracking a password will incur power costs as well. So it's not just a matter of will. What the RTX 4090 does is bring down the cost to actually crack passwords, something that happens as long as more powerful GPUs come out while security algorithms remain relatively static. Jacob Egner has an extremely detailed and interesting analysis in his blog post detailing his discoveries on the $/hash ratios.
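
As an added example (not from the article or from Croley's benchmark), the Python below turns the 48-minute figure into an implied guess rate and shows how exhaust time grows with password length and with a costlier hash. It assumes 95 printable ASCII characters per position and that "48 minutes" means trying the whole 8-character keyspace; the `slowdown` parameter is a hypothetical stand-in for a slow, salted password hash.

```python
# Added example: brute-force exhaust-time model built from the article's figure.
# Assumptions (not from the article): 95 printable ASCII characters per
# position, and "48 minutes" means exhausting the full 8-character keyspace.
CHARSET = 95              # assumed: printable ASCII, including space
RIG_GPUS = 8              # from the article
RIG_SECONDS = 48 * 60     # from the article: 8 characters in 48 minutes
RIG_LENGTH = 8            # from the article


def implied_rate(gpus=RIG_GPUS):
    """Guesses per second implied by the article, scaled linearly by GPU count."""
    rig_rate = CHARSET ** RIG_LENGTH / RIG_SECONDS
    return rig_rate * gpus / RIG_GPUS


def exhaust_seconds(length, gpus=RIG_GPUS, slowdown=1):
    """Worst-case seconds to try every password of exactly `length` characters.

    `slowdown` (hypothetical knob) is how many times more expensive one guess
    is than with the benchmarked fast hash. The average case is half of this.
    """
    return CHARSET ** length * slowdown / implied_rate(gpus)


def min_length(target_seconds, gpus=RIG_GPUS, slowdown=1, max_length=64):
    """Shortest random-password length whose exhaust time meets the target."""
    for length in range(1, max_length + 1):
        if exhaust_seconds(length, gpus, slowdown) >= target_seconds:
            return length
    raise ValueError("target not reachable within max_length")


def human(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    print(f"implied rig rate: {implied_rate():.3e} guesses/s")
    for n in range(6, 13):
        print(f"{n:2d} chars: {human(exhaust_seconds(n))}")
    century = 100 * 365 * 86400
    print("length for 100 years, fast hash:", min_length(century))
    print("length for 100 years, 2**16x slower hash:", min_length(century, slowdown=2 ** 16))
```

Each extra random character multiplies the exhaust time by the character-set size, while a slower hash multiplies it by a constant, which is why length and hash cost are tuned together in a password policy.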

Of course, another chip on cybersecurity's shoulder is the amount of data that needs to be encrypted against the inexorable development of quantum computing — computers that will render almost all currently-used encryption schemes pedestrian. Looking at the cost decreases in password-cracking just with GPUs, however, it seems that current security should be upgraded to newer, post-quantum algorithms sooner rather than later.

Relax: not every RTX 4090 owner will turn their top-tier graphics card towards a password-cracking pastime. Additionally, tools such as HashCat are usually deployed against offline assets, not online ones. This means that the chances of your PC being the target of a deranged RTX 4090 owner cracking passwords at will are slim, so slim they're almost nonexistent.

Yet, in light of this, perhaps it's still a good idea to brush up on online security best practices, starting with storing lengthier passwords in one of the best password managers.

Francisco Pires
Freelance News Writer

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.

  • ezst036
    Who needs Quantum computing?
  • 9cento
    So one RTX 4090 could break a password in 8 hours? I mean I can wait
  • RichardtST
    Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.

    What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.

    You think you get privacy with your VPN? Lol! No.
  • derekullo
    Was experimenting with John the Ripper and Hashcat just last month to see if I could crack zip and rar files that I made myself.
    (Not the same as the NTLM cracking the article mentioned, but it's what I had!)

    Could never get hashcat to run so I focused more on John the Ripper.

    Highly likely it was user error lol.

    At least with John the Ripper, which uses your CPU, any password protected zip file with a password from 0-4 letters was cracked almost instantly, 5 letter password took about 2 minutes, 6 letter password was 4-5 hours and 7 letters was multiple days. 8 letters was estimating something like 2 months, but I didn't let that test finish.

    The CPU I was using was an i7-11370H Processor in an Alienware laptop, 4 cores 8 threads, 4.8GHz.

    Definitely not the most capable CPU for the task, but it was what I had for testing and much closer to a middle ground than something like an i9-12900k

    If we say an i7-11370H with John the Ripper could crack an 8 letter password in 2 months then doing some quick math 24hours x 30days x 2months = 1440 hours / 8 hours = 180

    We can say that 180 of the i7-11370H = 1 GeForce 4090 which is highly impressive

    I'd imagine 180 of the i7-11370H would cost more than a single $4090. (They would have to be less than $8 each along with the rest of the computer and complexity setting it all up!)
  • derekullo
    Moral of the story is even for someone without a 4090 and just a run of the mill i7 any password length from 0-7 is easily crackable and is therefore unsafe.
  • derekullo
    RichardtST said:
    Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.

    What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.

    You think you get privacy with your VPN? Lol! No.

    I wanna say in the ASCII character set (the literal keyboard characters you can type) there are 96 possible characters (a-z,0-9,!?><, ....) and so for each letter you raise it by that same power 96^1 is ... 96 possible passwords, 2 letters would be 96^2 or 9216, by the time you get to 8 letters you would have 7,213,895,789,838,336 possible password combinations.

    The program literally tries every possible combination of characters in a brute force attack.

    For most of the password "tries" it gets the response of NOPE until eventually it cycles through all possible passwords and arrives on the correct one.

    It is quite literally like having 2 billion physical keys and trying to open a lock ... you'll know when it opens.

    The big difference is you can't try 3 million keys in a second!

    It makes no difference if the password is 12345 or 1}(@!

    Of course having a 3 tries and you're done for 24 hours would stop any bruteforce attacks trying to hack a password for that, but for anything without a timeout you need an especially complex password.
  • TJ Hooker
    RichardtST said:
    Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.

    What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.

    You think you get privacy with your VPN? Lol! No.

    Hashcat works by the user providing a list of password hashes, and Hashcat starts hashing potential passwords until it finds one that has a hash that matches one from the list. Whether the password is a dictionary word, a random string, whatever, has no impact on being able to detect a match.

    And no, you can't break modern internet encryption (e.g. HTTPS, VPN, etc.) with Hashcat and some RTX 4090's.
  • qayin
    Some misinformation in the article and comments.

    First, @derekullo, this article is about OFFLINE password cracking (which is what Hashcat is used for) so anything "online" (i.e "Of course having a 3 tries and you're done for 24") is unrelated.

    Additionally, there is a HUGE difference if the password is 12345 or 1}(@!, as most of us crack by difficulty, so even if we brute force, we always start short (password length > complexity), and when cracking NT hashes, attempting all options under 6 characters will take a short second (-m1000 -a3 -i ?a?a?a?a?a?a)

    Regarding the article, this is only a single hash algorithm, and one of the easiest to crack, out of many many many more. While this one is used by Windows OS, (which cracking is usually unnecessary for if you have internal network access), most chances are our passwords for websites are stored in other, far more complex hashes (i.e. not cracked in hours or days), at least for websites using modern software.
  • derekullo
    qayin said:
    Some misinformation in the article and comments.

    First, @derekullo, this article is about OFFLINE password cracking (which is what Hashcat is used for) so anything "online" (i.e "Of course having a 3 tries and you're done for 24") is unrelated.

    Additionally, there is a HUGE difference if the password is 12345 or 1}(@!, as most of us crack by difficulty, so even if we brute force, we always start short (password length > complexity), and when cracking NT hashes, attempting all options under 6 characters will take a short second (-m1000 -a3 -i ?a?a?a?a?a?a)

    Regarding the article, this is only a single hash algorithm, and one of the easiest to crack, out of many many many more. While this one is used by Windows OS, (which cracking is usually unnecessary for if you have internal network access), most chances are our passwords for websites are stored in other, far more complex hashes (i.e. not cracked in hours or days), at least for websites using modern software.

    I was addressing RichardtST's concerns mentioning timeouts.

    I said many times I was testing with local/offline zip files I created for testing purposes.

    A 5 letter password is highly insecure regardless if it's 12345 or 1}(@! was the point I was making, gibberish or not the program does not care how elegant the password is.

    12345 would be cracked nearly instantly due to it being a common password, with 1}(@! taking 2 minutes at most.
  • derekullo
    In the past Tom's has been very strict regarding discussing password cracking and so I was being intentionally vague in order to not break any rules.

    Very surprised they published this article to begin with.