Nvidia RTX 5090 can crack an 8-digit passcode in just 3 hours — password cracking benchmarks show tremendous performance

News
By published

When it comes to password hacking, the RTX 5090 is anywhere between 33% and twice as fast as the RTX 4090.

GeForce RTX 5090 Founders Edition
(Image credit: Nvidia)

The RTX 5090 is not only good for gaming and AI — it also excels at password cracking. Hive Systems updated its password cracking benchmark suite with 12 RTX 5090 graphics cards — Nvidia's fastest and best graphics card for gaming currently, and found all twelve cards working together can break simple eight-character passwords in under 15 minutes.

Hive Systems is in its 5th year of benchmarking password cracking times on GPUs; the last update they made was in 2024, featuring the RTX 4090. Rather than cracking an actual password itself, the outlet cracks hashes, which are scrambled versions of reproducible text generated by software.

Hashes are a popular method for securing customer passwords against hackers by storing customer passwords as hashes on servers. When hackers go to steal a password database from a company's server that is secured with hashing, all they will see are hashes of the passwords they represent rather than the actual passwords themselves.

Hive Systems' password cracking times, featuring the RTX 5090

(Image credit: Hive Systems)

Cracking passwords with this method involves making a list of all possible combinations of characters to make a password, then matching them to a stolen database featuring password hashes. Graphics cards are particularly good at this methodology due to highly parallelized computing capabilities.

With 12 RTX 5090s, Hive Systems found Nvidia's latest flagship can crack the hash equivalent of eight-character passwords featuring numbers only in just 15 minutes. Passwords comprised of eight lower-case letters, the dozen RTX 5090s were able to crack in 3 weeks.

On the other end of the spectrum, passwords taking advantage of numbers, upper and lowercase letters would take 12 RTX 5090s 62 years to crack, and 164 years to crack with symbols added into the mix.

For a generation-on-generation perspective, a single RTX 5090 can crack a numerical-only password hash with eight characters in three hours. A single RTX 4090 can accomplish the same task in four hours, representing a 33% performance improvement for the RTX 5090 over the RTX 4090 in this specific scenario.

However, as the password complexity increases, the RTX 5090 becomes faster and faster in comparison. Moving up to a hash representing an eight-character password made up of numbers, upper and lowercase letters combined with symbols, the RTX 5090 is allegedly twice as fast as the RTX 4090. But cracking a password that complex would take the RTX 5090 a millennium to accomplish.

Hive Systems' research demonstrates the dangers of low complexity passwords and how adding just a bit of complexity in the form of symbols, capitalized letters, and numbers can make a huge difference for security. The good news is that cracking hashes in the way Hive Systems demonstrates requires hackers to have a stolen database of password hashes in the first place. Without this, hackers can't brute-force hack password hashes.

See more GPUs News
Aaron Klotz
Aaron Klotz
Contributing Writer

Aaron Klotz is a contributing writer for Tom’s Hardware, covering news related to computer hardware such as CPUs, and graphics cards.

More about gpus

Nvidia's RTX 5060 will launch without reviews since chipmaker opts not to supply press drivers to reviewers

RTX 5060 reviews are reportedly in jeopardy — Nvidia allegedly withholding pre-release drivers from reviewers

China's premiere chipmaker SMIC faces chip yield woes as equipment maintenance and validation efforts stall
See more latest
6 Comments Comment from the forums
  • Zforgetaboutit
    I feel the title is missleading/vague/clickbait: it looks like a single GPU can achieve the claimed activity in 3 hours.
    Reply
  • Jame5
    It can. A single 5090 can crack an 8 digit passcode (numbers only) in 3 hours. It shows it directly in the chart embedded in the article.
    Reply
  • araczynski
    Title is fake clickbait, must be competing with Engadget now?
    Reply
  • Alvar "Miles" Udell
    And this is why most places won't let you make a password that doesn't include a combination of upper case and lower case letters, numbers, and special characters.

    But also most places also have at least basic SMS or email 2FA passcodes, and those that don't, like forums and other low security places, have Google or other sign in options which themselves are 2FA'd.

    TH should do an article "Why you should have a 'junk' Google account" exactly for situations like that.
    Reply
  • DS426
    "The good news is that cracking hashes in the way Hive Systems demonstrates requires hackers to have a stolen database of password hashes in the first place. Without this, hackers can't brute-force hack password hashes." - Author

    To broad. A measly Radeon 7900 XTX ramming thru about 100 million NTLM hashes per second could purely brute force in about 25 days for an 8-character password with letters and numbers. Interestingly, bcrypt with a cost of 10 increases this number to about 17,000 years, demonstrating how much impact the different hashing algorithms have on password anti-cracking security.

    Would have been nice to also show their table that shows longer passwords as this really drives the message home on the importance of longer passwords.

    Don't want to give a false sense of security when possible. Hackers can and will use even more GPU's to speed up this process, such as distributed clusters of multi-GPU systems, and cracking tools exist that are able to utilize those (>12 GPU's). Yes, it's going to be cost-prohibitive outside of well-resourced attackers, though renting GPU compute is possible and might be done for targetted attacks where continuous or near-continuous 24/7/365 hashing isn't needed.
    Reply
  • LaminarFlow
    I'm absolutely in favor of enforcing long password with special characters when creating one.

    But please for the love of god don't force me to use only specific special characters deemed worthy for whatever reason.
    Reply
Most Popular
SMIC
China's premiere chipmaker SMIC faces chip yield woes as equipment maintenance and validation efforts stall
Noctua NM-IMB8 offset mounting bars for Arrow Lake
Noctua NH-D15 G2 gains offset mounting bars for Arrow Lake CPUs to optimize cooling performance
RISC-V Laptop
RISC-V makes its way into DeepComputing's $349 AI PC
Arm
Lenovo's in-house Arm chip could rival Qualcomm and MediaTek, spotted in Yoga Pad Pro 2-in-1 convertible
Nvidia Hopper H100 die shot
Nvidia readies cut-down HGX H20 GPU for China to comply with export control rules
Lego Brick construction
LegoGPT creates Lego designs using AI and text inputs — tool now available for free to the public
Huawei MateBook X Pro
Huawei's Kirin X90 may be the company's 'Apple Silicon' moment — Matebook Pro 2025 features in-house hardware and software
Nvidia GB10
Nvidia's GB10 Superchip trails Apple's M3 and Qualcomm's Snapdragon X Elite in latest benchmarks
Gigabyte RTX 5060/Ti lineup
Nvidia's RTX 5060 will launch without reviews since chipmaker opts not to supply press drivers to reviewers
Hygon CPU
Chinese chipmaker readies 128-core, 512-thread CPU with AVX-512 and 16-channel DDR5-5600 support