Nvidia's flagship gaming GPU can crack complex passwords in under an hour

[Image: Nvidia RTX 4090 (Image credit: Nvidia)]

The best graphics cards are great for gaming but can also help crack passwords. Hive Systems, a cybersecurity solution provider, has released the 2024 edition of its Hive Systems Password Table and some additional studies detailing how long it takes different Nvidia graphics cards to crack a password.

Unlike other studies where firms used AI to crack passwords, Hive Systems' approach is based on hashes. Hashing is a one-way transformation that turns a password into a fixed-length string of letters and numbers. Servers store passwords as hashes, so even if a hacker steals the database, they see the hashes, not the actual passwords. Attackers therefore guess candidate passwords, hash each guess, and compare the results against the stolen hashes to look for matches.

Any computer can compute hashes, but graphics cards such as Nvidia's GeForce RTX 4090 or the A100 accelerate the process substantially. Hive Systems used Hashcat, a password-recovery tool, to benchmark the time required to crack different passwords. Unlike previous iterations of its research, which centered on MD5 hashing, Hive Systems also included results for bcrypt, a password hashing algorithm that is far more expensive to brute-force than MD5.

MD5, eight-character password:

| Graphics Card | Numbers Only | Lowercase Letters | Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters, Symbols |
| --- | --- | --- | --- | --- | --- |
| GeForce RTX 2080 | Instantly | 6 Seconds | 24 Minutes | 2 Hours | 4 Hours |
| GeForce RTX 3090 | Instantly | 6 Seconds | 13 Minutes | 52 Minutes | 2 Hours |
| GeForce RTX 4090 | Instantly | 1 Second | 5 Minutes | 22 Minutes | 59 Minutes |
| A100 x 8 | Instantly | Instantly | 2 Minutes | 7 Minutes | 19 Minutes |
| A100 x 12 | Instantly | Instantly | 1 Minute | 5 Minutes | 12 Minutes |
| A100 x 10,000 (ChatGPT) | Instantly | Instantly | Instantly | Instantly | 1 Second |

For the first round of results, MD5 hashes, Hive Systems used an example password of eight characters, following the NIST password guidelines. We'll concentrate on the most complex column: passwords mixing uppercase, lowercase, symbols, and numbers. The times are the best-case scenario for the defender, because they assume a randomly generated password; human-chosen passwords are faster to crack.

A GeForce RTX 4090, Nvidia's current gaming flagship, can crack such a password in under an hour. Meanwhile, eight A100s can do it in less than 20 minutes. An operation on the scale of ChatGPT, which has access to tens of thousands of A100 accelerators, could crack the password in one second.

bcrypt, eight-character password:

| Graphics Card | Numbers Only | Lowercase Letters | Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters, Symbols |
| --- | --- | --- | --- | --- | --- |
| GeForce RTX 2080 | 2 Hours | 4 Months | 92 Years | 375 Years | 989 Years |
| GeForce RTX 3090 | 17 Minutes | 4 Weeks | 18 Years | 72 Years | 189 Years |
| GeForce RTX 4090 | 9 Minutes | 2 Weeks | 9 Years | 38 Years | 99 Years |
| A100 x 8 | 2 Minutes | 2 Days | 2 Years | 7 Years | 17 Years |
| A100 x 12 | 1 Minute | 2 Days | 1 Year | 4 Years | 12 Years |
| A100 x 10,000 (ChatGPT) | Instantly | 3 Minutes | 11 Hours | 2 Days | 5 Days |

With bcrypt, the cracking times soared. While the GeForce RTX 4090 took only 59 minutes to crack the MD5 hash, the same graphics card would need 99 years for bcrypt. Even on eight A100 accelerators, the time increases from 20 minutes to 17 years. The only practical route is the ChatGPT one, but that implies you have a ton of cash to rent AI graphics card clusters to carry out your evil deeds.
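The arithmetic behind both tables is the same: an attacker who holds the hash must try every candidate in a keyspace of charset_size ** length, so the worst-case time is keyspace divided by the guess rate, and a slow hash such as bcrypt simply lowers that rate by orders of magnitude. The following Python is an added example, not Hive Systems' or Hashcat's code; the two hash rates in it are constructed placeholders, not benchmark results, and the character-set sizes are the ones the table columns imply.

```python
"""Added example: the calculation behind a password table.  Worst-case
brute-force time = (charset_size ** length) / guesses_per_second.  The hash
rates are constructed placeholders, not measured Hashcat numbers."""
from math import log2

# Character-set sizes of the table columns.  Hashcat's built-in mask charsets
# have the same sizes: ?d = 10, ?l = 26, ?u?l = 52, ?d?u?l = 62, ?a = 95.
CHARSETS = {
    "numbers only": 10,
    "lowercase letters": 26,
    "upper and lowercase letters": 52,
    "numbers, upper and lowercase letters": 62,
    "numbers, upper and lowercase letters, symbols": 95,
}

# Assumed rates for illustration only: a fast unsalted hash such as MD5 runs
# at many billions of guesses per second on a GPU; a deliberately slow hash
# such as bcrypt runs orders of magnitude slower.
FAST_HASH_RATE = 1e11   # guesses per second (placeholder)
SLOW_HASH_RATE = 1e5    # guesses per second (placeholder)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password; each extra bit doubles the work."""
    return length * log2(charset_size)


def crack_time_seconds(charset_size: int, length: int, hash_rate: float,
                       fraction: float = 1.0) -> float:
    """Seconds to try `fraction` of the keyspace at `hash_rate` guesses/s.
    fraction=1.0 is the full keyspace (the figure the table reports for a
    random password); 0.5 is the expected case."""
    return keyspace(charset_size, length) * fraction / hash_rate


def format_duration(seconds: float) -> str:
    """Round down to the largest whole unit, the way the table displays times."""
    if seconds < 1:
        return "Instantly"
    for name, size in (("Year", 365 * 86400), ("Day", 86400), ("Hour", 3600),
                       ("Minute", 60), ("Second", 1)):
        if seconds >= size:
            n = int(seconds // size)
            return f"{n} {name}{'' if n == 1 else 's'}"


def password_table(length: int, hash_rate: float) -> dict:
    """One table row: crack time for each character-set column."""
    return {name: format_duration(crack_time_seconds(size, length, hash_rate))
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for label, rate in (("fast hash", FAST_HASH_RATE), ("slow hash", SLOW_HASH_RATE)):
        print(f"{label} at {rate:.0e} guesses/s, 8 characters:")
        for column, time in password_table(8, rate).items():
            print(f"  {column:<48} {time}")
    # Length beats symbols: 12 lowercase letters carry more entropy than 8 full-ASCII ones.
    print(f"12 lowercase letters: {entropy_bits(26, 12):.1f} bits vs "
          f"8 printable-ASCII characters: {entropy_bits(95, 8):.1f} bits")
```

The `fraction` parameter is why a published table is a worst case for the attacker: on average a guess succeeds halfway through the keyspace, and a human-chosen password is found far earlier than that with a wordlist or rules. The entropy comparison at the end shows the cheaper lever for users: four extra lowercase characters add more bits than switching an eight-character password to the full printable set.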

While it may sound scary, there's no need to panic just yet. For starters, Hive Systems' research assumes that hackers already have the hash, for example from a significant data breach such as HaveIBeenPwned or LastPass. However, that's not always the case. The study also supposes that multi-factor authentication (MFA) isn't active or has been bypassed for the attack. In this day and age, you should be using MFA for everything sensitive. Even though MFA isn't foolproof, because the attacker can likewise run a phishing attack on the victim, it adds a second layer of protection.

MD5 is over 30 years old, and many companies have moved on to more robust password hashing algorithms, like bcrypt or PBKDF2. So it's not just about having a strong password; security also depends on the other end. Even an eight-character NIST-compliant password can be challenging to crack if the service provider maintains good security practices and is up to date on the latest hashing algorithms.
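What "good security practices on the other end" looks like in code: the unsalted MD5 pattern beside the salted, iterated storage the article recommends. This is an added example using only Python's standard library, not code from the article or from any vendor it names; it uses PBKDF2-HMAC-SHA256 rather than bcrypt because that is what the standard library ships, and the 600,000-iteration default is an assumption chosen in line with current guidance, not a value from the page.

```python
"""Added example: password storage done badly (unsalted MD5) and done
properly (salted, iterated PBKDF2).  With unsalted MD5 one hashed guess can
be compared against every stolen hash at once; with a per-user salt and a
slow hash, every guess costs one full computation per user."""
import hashlib
import hmac
import os

ITERATIONS = 600_000          # assumption: a current-guidance PBKDF2-HMAC-SHA256 count
ALGORITHM = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """The pattern the article warns about: unsalted MD5.  Identical
    passwords give identical hashes, so one guess tests every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    salt = os.urandom(16)                           # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if the record predates current policy (wrong algorithm or too few
    iterations); re-store the password on the user's next successful login."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < minimum_iterations


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"   # constructed sample password
    print("unsalted md5 (same for every user with this password):", weak_store(pw))
    rec = store_password(pw)
    print("pbkdf2 record:", rec)
    print("verify correct:", verify_password(pw, rec))
    print("verify wrong:  ", verify_password("wrong", rec))
    print("needs rehash:  ", needs_rehash(rec))
```

Storing the iteration count inside the record is what lets a site raise its work factor later without a forced password reset: `needs_rehash` flags old records and the password gets re-stored at the new cost the next time the user logs in. The constant-time comparison in `verify_password` closes a smaller hole, leaking nothing about how many leading bytes of a guess matched.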

Zhiye Liu
News Editor and Memory Reviewer

Zhiye Liu is a news editor and memory reviewer at Tom’s Hardware. Although he loves everything that’s hardware, he has a soft spot for CPUs, GPUs, and RAM.

  • CmdrShepard
    Again the same tiring shtick -- sensationalist title amounting to fear porn.

    And by the end of the article it is revealed that the scary title is for MD5 password hashing (probably without salt too) which nobody sane is using since like forever.
    Reply
  • thisisaname
    Someone tell Intel you can do it on a their CPUs too.
    Reply
  • dalauder
    I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How does a system check all passwords?

    This is only valid for things like encryption on local files, right?
    Reply
  • pixelpusher220
    dalauder said:
    I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How does a system check all passwords?

    This is only valid for things like encryption on local files, right?
    Yes, if they were trying to hit the actual system with each guess, that would stop it.

    This is an offline attempt to create every password, hash it, and see if the hash matches the hash you got from a breach. So all the 'hacking' is done offline and if they find it, they know they have the password (as of the time the hash was leaked).
    Reply
  • bobpuffer
    Admin said:
    Cybersecurity firm Hive Systems has released its 2024 iteration of the Hive Systems Password Table, which details how long it takes different graphics cards to crack a password.

    Nvidia's flagship gaming GPU can crack complex passwords in under an hour : Read more
    I also want to strongly urge you to use less climactic language in your title. A stronger password than 8 characters should be expected. It should also make it more clear that this is done offline. Cracking a password online is much more difficult because of the wait times after too many false submissions.
    Reply
  • blargh4
    MD5 was considered broken 20 years ago. Breaking an insecure hash is non-news.
    Reply
  • JTWrenn
    I hate that I clicked on this article because that title is click bait. Nobody clicked on this thinking you were talking about cracking the hashed files, in a database that would need to be hacked/stolen first, and be so out of date it's ridiculous.

    Please stop posting clickbait Toms. It's making all of us second guess coming here.
    Reply
  • CmdrShepard
    dalauder said:
    I don't know a lot about brute force password hacking. But don't most online websites lock you out after a couple failed attempts? How does a system check all passwords?

    This is only valid for things like encryption on local files, right?
    The way this works is that they first have to obtain a user database with hashed passwords.

    Then they can run a brute-force attack against those hashes to reverse them into text.

    The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

    Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

    All that makes this article totally pointless clickbait.
    Reply
  • TJ Hooker
    CmdrShepard said:
    The way this works is that they first have to obtain a user database with hashed passwords.

    Then they can run a brute-force attack against those hashes to reverse them into text.

    The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

    Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

    All that makes this article totally pointless clickbait.
    The 2nd table and following text are based on bcrypt results, so that part is more or less legit. The title and first half is indeed essentially clickbait though.
    Reply
  • dalauder
    CmdrShepard said:
    The way this works is that they first have to obtain a user database with hashed passwords.

    Then they can run a brute-force attack against those hashes to reverse them into text.

    The thing is, MD5 (and without a random salt value appended to boot) was never secure enough for password hashing. Think of a big CEO / company owner hiring their nephew who "knows computers" to make a website -- it's that sort of incompetence.

    Whoever is not using PBKDF2 or some alternative to transform plaintext passwords for offline storage should be held criminally liable for negligence at the minimum.

    All that makes this article totally pointless clickbait.
    Thanks. I see that bcrypt table now. Seems like a pretty safe timeframe. Nobody will be spending 2+ weeks just to hack my account, not knowing if it has anything of value in it. Maybe they'll do it for corporate accounts?
    Reply