Just A Few GeForce RTX 4090 Cards Can Crack Your Passwords In Under An Hour
Security analyst Sam Croley is a specialist in password cracking, and has just found a new best friend: the NVIDIA GeForce RTX 4090. Impressively, the Ada Lovelace architecture flagship graphics card is over twice as fast at password cracking as its direct Ampere architecture predecessor. What this means in practical terms is that someone wishing to crack or recover an eight-character password with a rig featuring an octet of RTX 4090 cards, can reliably do so in under 50 minutes.
While most tech enthusiasts have been busy trying to see how many FPS they can get in various demanding modern games titles, Croley says he has compiled the first Hashcat password cracking tool benchmarks using systems based around the new $1,599 MSRP (but sometimes much pricier) GPU.
In Croley's tests, the RTX 4090 was assessed using hashes generated by Microsoft's New Technology LAN Manager (NTLM) authentication protocol, plus Bcrypt. Complex non-dictionary passwords were used in these tests—including random letter cases, numbers, and even symbols—to make it hard for the cracking tool. Hashcat uses several different algorithms to try and crack output from password hashing tools, and version 6.2.6 of the software was used in benchmark mode to assess the capabilities of the new RTX 4090. Excitedly, Croley Tweeted that the GeForce RTX 4090's performance was "Coming in at an insane >2x uplift over the 3090 for nearly every algorithm," He also suggested that the new GPU was easily capable of setting records, thanks to its 300GH/s NTLM and 200kh/s Bcrypt performance with overclocking.
So, what is the implication of Croley's benchmark run, in layman's terms? Firstly, the RTX 4090 seems to have almost 2.5x the cracking power of the RTX 3090 for a modest price hike. Secondly, it appears to mean that someone with a rig of eight RTX 4090 graphics cards can crack a complex password of up to eight characters in just 48 minutes. Remember the input passwords were complex in nature (mixing lower- and upper-case letters, numbers and symbols). If a user decided to use a dictionary word, or a shorter word as a password, it would be unearthed much faster.
It might be worrying to read that your gobbledegook eight letter password can be cracked in under an hour by an octa-RTX 4090 rig, but the cracking tool was working under ideal conditions on local / offline files. If trying to crack a web-service password, for example, a cracking system would be faced with a lot of time-sapping and repeat attempt suffocating security checks. Still, this is concerning for any time a malicious actor is able to get a hold of a password hash database, so we would like to remind our readers not to reuse passwords.