One RTX 4090 Is Faster at Password Cracking Than Three 6900XTs, Eight 1080s


It's as good a time as any to do a health checkup on your password security practices. While it's interesting to point out that eight Nvidia RTX 4090 cards can break the most popular password length in under an hour, it's more important to be aware that the cost to break passwords has been plummeting with each new generation.

Twitter user Chick3nman is at it again, showing just this: he recently tested the current best graphics card and found that a single RTX 4090 delivers Hashcat benchmark performance that's approximately eight times higher than the score achieved by eight GTX 1080s. That's also almost twice as fast as Nvidia's previous-generation RTX 3090.


Hashcat is specialized software used to test graphics cards' cryptographic performance, which can mean both encryption and decryption. And because graphics cards are highly parallel engines, they're especially well suited to cryptographic duties, where performance is measured in hashes per second. After all, this is where the GPU mining crisis that lasted most of the 30-series' life came from: explosive performance-per-watt improvements (with a boost from Ethereum's pricing).

Of course, graphics cards are also capable of finding the correct password by trying every possible combination, which is known as a brute force attack. There are 96^8 possibilities for an 8-character password, and that's what the graphics card has to work through to break it. It's an unimaginably high number, coming in at a 16-digit figure. But they ace it. Eight of the new cards can crack that 8-character password in 48 minutes, after all. The cost isn't negligible, but then again, it's lower than we likely imagined it to be.

Compute performance has been rising at much higher rates than pure-play graphics rendering. At 4K, the most demanding readily available resolution, the RTX 2080 Ti is around 26% faster than the GTX 1080 Ti. The generational jump made the RTX 3090 33% faster than the RTX 2080 Ti, and the RTX 4090 increases the generational performance further with its 33% increase.

This happens (partially) because Nvidia is a graphics processing unit company, not merely a gaming one. For generations, Nvidia has tailored its graphics cards more and more toward data center workloads, developing and adding hardware solutions (such as Tensor Cores) to accelerate them. With data center hardware achieving a much higher ASP (Average Sale Price) than that of consumer-geared products such as gaming graphics cards, it's no wonder that compute performance has grown at higher ratios than graphics rendering in the same timeframe. This is how graphics performance improved across Nvidia's top-tier GPUs, across generations:

Performance Increase Among Top Tier Nvidia Graphics Cards Across Generations

Graphics card    Graphics performance increase
RTX 4090         +39%
RTX 3090         +33%
RTX 2080 Ti      +26%
GTX 1080 Ti      Baseline

In the meantime, Hashcat performance of the RTX 4090 is 800% higher than that of the GTX 1080. Granted, the RTX 4090 tested was overclocked, but there's only so much extra performance that you can generate without compromising power efficiency.

This cryptographic compute performance increase is what enables a reduction in how much money a hacker would have to spend in order to crack a password. Remember that the hacker, too, has to invest in graphics cards (which have only increased in pricing across generations). That person further has to manage electrical and workload time costs to crack that eight-character password (incidentally, the world's most common password length as of 2017 was exactly eight characters). The lower the cost to hack is, the more attractive it becomes to hack a particular password. And the RTX 4090 halves that cost, despite its $1,599 MSRP.

Interestingly, Nvidia has been safely leading the Hashcat performance race. The RTX 4090 may be almost twice as fast as the RTX 3090 across workloads, but it's three times faster than AMD's RX 6900 XT. Of course, things could change with AMD's RDNA3-based cards (we'll know more by November 3rd); but Nvidia does currently enjoy a sizeable lead here. 

It's important to mention that your online passwords, or passwords protected by two-factor authentication, aren't the ones being discussed here: those usually have mechanisms that prevent brute force attacks from working. This kind of attack is mostly directed at offline password cracking, the setting in which these millions of attempts can be tried at all. Certain scenarios, such as data leaks, could see passwords exposed: either directly viewable, as plain text, or as an encoded hash. These encoded hashes (the garble that results from the encryption process) are the data that the GPU then has to reverse-engineer towards your actual password.

Passwords are one of the necessary evils of a technological world, the one thing standing between a hacker and whatever piece of digital you is standing on the other side of the input window. But as time goes by and the cost to crack a privacy-protecting password plummets, it's perhaps wise to keep up with the times and adapt our security measures accordingly. A good way to start would be to simply increase the length of passwords rather than increase memorization complexity: passphrases made of strings of words, like "yourpasswordreallyshouldn'tbedecrypted," alongside some special characters, and/or using one of the best password managers, may be the answer.
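The arithmetic behind the 48-minute figure, and what each extra character or word buys against the same rig, as an added example (not from the article or from Hashcat). It assumes the rig's guess rate stays constant and that passwords and passphrases are chosen uniformly at random; the 7,776-word list size is an assumption borrowed from Diceware-style lists.

```python
# Added example. Values tagged "page" are the article's; everything else is derived.
CHARSET = 96        # page: symbols available per character
BASE_LEN = 8        # page: eight-character password
BASE_MINUTES = 48   # page: eight RTX 4090s exhaust that space in 48 minutes
WORDLIST = 7776     # assumption: Diceware-sized word list, not from the page

def keyspace(symbols: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return symbols ** length

def implied_rate() -> float:
    """Guesses per second the eight-card rig must sustain to match the page."""
    return keyspace(CHARSET, BASE_LEN) / (BASE_MINUTES * 60)

def exhaust_seconds(symbols: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate; the average hit comes at half."""
    return keyspace(symbols, length) / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"

def report(rate: float) -> list[tuple[str, str]]:
    """Worst-case exhaustion time for random passwords and random passphrases."""
    rows = []
    for length in (8, 9, 10, 12, 14):
        rows.append((f"{length} random characters",
                     humanize(exhaust_seconds(CHARSET, length, rate))))
    for words in (4, 5, 6):
        rows.append((f"{words} random words",
                     humanize(exhaust_seconds(WORDLIST, words, rate))))
    return rows

if __name__ == "__main__":
    rate = implied_rate()
    print(f"implied rig speed: {rate:.2e} guesses/s")
    for label, duration in report(rate):
        print(f"{label:22} {duration}")
```

Each added character multiplies the work by 96, so nine characters already take days rather than minutes at this rate. Four random words from a list of that size cover fewer candidates than the eight-character space, so a passphrase needs five or more to come out ahead.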

Francisco Pires
Freelance News Writer

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.

  • DavidLejdar
    Then again, not that cheap when the 4090 starts melting after cracking into merely 15 folders, or less with increased password length.

    Joke aside though, such decryption capability can certainly be an issue, especially in regard to targeted attacks. And more so when a user has the same password across various sites - i.e. when using the same password for a gaming website and for an e-mail account, then a leak of the password at the gaming website would give the password for the e-mail account as well.

    Myself, even before the 4090, I was considering getting a U2F security token, such as a Yubikey. That works with many web services (except e.g. Steam at this point). And while it isn't completely foolproof, it seems to improve these matters quite some, without having to rely on a working non-hacked mobile phone.
  • husker
    Is 8 hours vs. 1 hour really that big of an issue here? If I told you I could empty your bank account in 1 hour instead of 8 hours I think the takeaway is that I could empty your bank account, not the number of hours it takes.
    To be clear, I cannot empty your bank account.