Nvidia RTX 4090 can crack complex 8-character passwords in minutes

DragonSlayer101

Staff
The big picture: People are often advised to create complex passwords using random lower- and uppercase letters, symbols, and numbers to resist brute-force attacks. However, a new report suggests that Nvidia's latest GPUs, like the RTX 4090 and the A100, can crack even complex 8-character passwords in under an hour when those passwords are protected only by a fast hash such as MD5.

According to Hive Systems, hackers are finding it increasingly difficult to crack passwords, thanks to the widespread use of deliberately slow password hashing algorithms like bcrypt, which is replacing MD5 as the hashing function of choice for most websites and online services. But as hardware gets more powerful, cracking short or simple passwords is becoming quicker and easier with every passing year.

As per the 2024 edition of the Hive Systems Password Table, an 8-character password can be cracked by an array of 12 RTX 4090 GPUs in just 37 seconds if it includes only numbers with no letters or symbols. However, the time rises to an impressive 7 years if the password uses the recommended mix of numbers, upper and lowercase letters, and symbols, making it much more difficult to crack using brute force.

Hive also tested the password-cracking ability of 10,000 A100 GPUs - the same hardware that runs ChatGPT. According to the data, that hardware could theoretically crack a randomly generated 8-character password hashed with bcrypt in just 5 days. The figure is tied to the bcrypt cost factor Hive benchmarked: each increment of the cost doubles the work per guess, so a site running a higher cost multiplies these times accordingly. While it won't be practical for the vast majority of cybercrime syndicates to use this sort of hardware, it does give an idea of what attackers could do with an unlimited budget.

The numbers are significantly lower for passwords protected by MD5 hashes. In this case, just a single RTX 4090 can crack a complex 8-character password with numbers, lower- and uppercase letters, and symbols, in just 59 minutes. That's a significant step-up from the RTX 3090, which would take 2 hours to crack the same password. The study echoes the findings of security researcher Sam Croley, whose data from 2022 seemed to show that the new gaming flagship is more than 2x faster than the RTX 3090 in cracking passwords.

Hive used the open-source password-cracking tool Hashcat to measure the time required to crack the passwords. The figures describe an offline attack on a stolen hash; they say nothing about guessing against a live login page, where rate limits and lockouts apply. Do note that the study also does not take into account the use of multi-factor authentication (MFA), which is becoming more common with every passing day. Most cybersecurity professionals advise people to use MFA on all their online accounts to add a second layer of protection.
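To make the arithmetic behind figures like these concrete, here is an added worked example in Python (an editor's addition, not Hive's or Hashcat's code). It takes only the numbers quoted in this article, derives the hash rate they imply, and shows how the cracking time scales with password length and with bcrypt's cost factor. The 95-character set is Hashcat's ?a class (letters, digits, symbols and space); the implied rates are computed from the reported times rather than measured, and the year length is an assumed 365.25 days.

```python
# Editor's added example (not Hive Systems' or Hashcat's code): a brute-force
# time model that reproduces the arithmetic behind a table like Hive's.
# The figures below are the ones quoted in the article; the hash rates are
# *implied* by them (keyspace / reported time), not measured.
import string

# Hashcat-style character classes. "?a" (all printable ASCII) is 95 symbols:
# 26 lower + 26 upper + 10 digits + 33 symbols including space.
DIGITS = string.digits
LOWER = string.ascii_lowercase
ALPHA = string.ascii_letters
ALNUM = string.ascii_letters + string.digits
ALL = string.ascii_letters + string.digits + string.punctuation + " "

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # assumption: Julian year


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset`."""
    return len(charset) ** length


def worst_case_seconds(charset: str, length: int, hashes_per_second: float) -> float:
    """Time to exhaust the whole keyspace; the expected time is half of this."""
    return keyspace(charset, length) / hashes_per_second


def implied_rate(charset: str, length: int, reported_seconds: float) -> float:
    """Hash rate a rig must sustain to exhaust the keyspace in `reported_seconds`."""
    return keyspace(charset, length) / reported_seconds


def bcrypt_time_factor(cost_from: int, cost_to: int) -> int:
    """bcrypt runs 2**cost rounds, so each +1 on the cost doubles the work."""
    return 2 ** (cost_to - cost_from)


def fmt_duration(seconds: float) -> str:
    """Largest convenient unit, one decimal (e.g. 3540 -> '59.0 minutes')."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Figures as reported in the article.
MD5_RATE = implied_rate(ALL, 8, 59 * 60)                  # RTX 4090: 8-char ?a MD5 in 59 min
BCRYPT_RATE = implied_rate(ALL, 8, 7 * SECONDS_PER_YEAR)  # 12x RTX 4090: 8-char ?a bcrypt in 7 years


def scaling_table(rate: float, charset: str = ALL, lengths=range(8, 13)) -> dict:
    """Worst-case cracking time per password length at a fixed hash rate."""
    return {n: fmt_duration(worst_case_seconds(charset, n, rate)) for n in lengths}


if __name__ == "__main__":
    print(f"implied MD5 rate    : {MD5_RATE:.3g} H/s")
    print(f"implied bcrypt rate : {BCRYPT_RATE:.3g} H/s  "
          f"({MD5_RATE / BCRYPT_RATE:,.0f}x slower per guess)")
    print("MD5, all 95 printable characters, by length:")
    for n, t in scaling_table(MD5_RATE).items():
        print(f"  {n:2d} chars: {t}")
    print("adding one ?a character multiplies the time by", len(ALL))
    print("bcrypt cost 5 -> 12 multiplies the time by", bcrypt_time_factor(5, 12))
```

The two lessons the table itself hides are visible in the output: every extra character from the full set multiplies the attacker's work by 95, so a 9th character turns 59 minutes into about four days and a 12th into thousands of years, and the implied bcrypt rate is tens of thousands of times lower than the MD5 rate before any cost-factor increase is considered.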

This was well known for more than a year, and it is limited to passwords with 8 characters or fewer.

This is only achievable with a brute-force approach, so it doesn't apply to any online login that will lock you out after a couple of attempts.

If you want to know if your password length and complexity are secure, I suggest you go take a look at:

 
Brute force is very useful when you have a dump of someone's database, as happened with the Lastpass Vault theft.

If you can identify high worth individuals or companies, then this is very much the next step.
 
> Brute force is very useful when you have a dump of someone's database, as happened with the Lastpass Vault theft.
>
> If you can identify high worth individuals or companies, then this is very much the next step.

I can understand how the hardware can generate billions of possible matches against a given MD5 key, but how would you use those billion possible passwords to log into anything?
 
> If you want to know if your password length and complexity are secure, I suggest you go take a look at:

According to the site:

"a" = 6 hundred picoseconds
"aa" = 16 nanoseconds
"aaa" = 4 hundred nanoseconds
"aaaa" = Instantly
"aaaaa" = Instantly
"aaaaaa" = Instantly
"aaaaaaa" = Instantly
"aaaaaaaa" = Instantly
"aaaaaaaaa" = 2 minutes
"aaaaaaaaaa" = 58 minutes
"aaaaaaaaaaa" = 1 day
"aaaaaaaaaaaa" = 3 weeks
"aaaaaaaaaaaaa" = 1 year
....
"aaaaaaaaaaaaaaaaaaaa" = 15 billion years

Looks like just using a crap ton of lower case letter "a"s is looking pretty promising.

Anyone that reads this, you can't use this for your password - it's mine! I claim it. Get your own.
 
The numbers in the bcrypt table are way too low. If you read the original source for the table you'll see that they used 32 iterations. That means they used a rounds setting of 5, because bcrypt uses powers of 2 for that parameter. A standard value to use ten years ago was rounds equal to 10, which means 1024 iterations rather than the 32 they used for the table. Newer software is supposed to default to at least 12.

Even ancient software used rounds equal to 10 so you should really multiply the values in that bcrypt table by 32 to get more realistic numbers.
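A practical check that follows from the point above, as an added example (editor's code, not from the article or the commenter): a small Python audit that reads the cost factor out of bcrypt hash strings and flags anything below a chosen minimum. bcrypt's modular-crypt string is `$2b$<cost>$<22-char salt><31-char hash>` and the cost is the base-2 logarithm of the iteration count, so cost 5 is 32 iterations and cost 10 is 1024. The sample hashes are constructed to have bcrypt's shape and are not real hashes of any password; the minimum of 10 is an assumption taken from the post.

```python
# Editor's added example, not code from the article or from the commenter:
# a cost-factor audit for bcrypt hashes. The modular-crypt string is
#   $2b$<cost>$<22-char salt><31-char hash>
# with 2**cost key-setup rounds, so cost 5 is the 32 iterations the post
# refers to and cost 10 is 1024. The sample hashes below are constructed to
# have the right shape; they are not real hashes of any password.
import re

# $2$ and $2a/2x/2y$ are older or library-specific variants; $2b$ is current.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt(h: str) -> dict:
    """Split a bcrypt string into its fields; raise ValueError if it is not one."""
    m = BCRYPT_RE.match(h)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # range accepted by bcrypt implementations
        raise ValueError(f"cost {cost} is outside bcrypt's 4..31 range")
    return {"version": version, "cost": cost, "iterations": 2 ** cost,
            "salt": salt, "digest": digest}


def relative_work(cost: int, baseline: int = 12) -> float:
    """Work per guess relative to a baseline cost; 0.5 means half the work."""
    return 2.0 ** (cost - baseline)


def audit(hashes, minimum_cost: int = 10):
    """Return (hash, finding) for every entry that is malformed or below minimum_cost."""
    findings = []
    for h in hashes:
        try:
            info = parse_bcrypt(h)
        except ValueError as exc:
            findings.append((h, str(exc)))
            continue
        if info["cost"] < minimum_cost:
            cheaper = 1 / relative_work(info["cost"], minimum_cost)
            findings.append((h, f"cost {info['cost']} ({info['iterations']} iterations) "
                                f"is {cheaper:.0f}x cheaper to attack than cost {minimum_cost}"))
    return findings


# Constructed sample dump: a syntactically valid salt and digest reused with
# different cost prefixes, plus one line that is not bcrypt at all.
SALT = "abcdefghijklmnopqrstuv"                 # 22 chars
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"       # 31 chars
SAMPLE_DUMP = [
    f"$2b$05${SALT}{DIGEST}",       # cost 5: 32 iterations, the setting in question
    f"$2a$10${SALT}{DIGEST}",       # cost 10: the decade-old default
    f"$2b$12${SALT}{DIGEST}",       # cost 12: what newer software defaults to
    "$1$saltsalt$notbcryptatall",   # md5crypt-style prefix, should be flagged
]

if __name__ == "__main__":
    for h, why in audit(SAMPLE_DUMP):
        print(f"{h[:12]}... {why}")
```

Run against a real dump, the same loop tells you whether the cost your application was deployed with is the one actually stored; hashes written by an older release keep their original cost until the user next logs in and the hash is regenerated.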
 
Can't you just use a lockout after x incorrect attempts and nullify the brute-force method?
Only if the web site is set up for that. Many banks limit the number of tries, but I bet on this site you could try thousands of times without it locking you out.
 
> Can't you just use a lockout after x incorrect attempts and nullify the brute-force method?

The table in the article lists how long it takes to guess the password from the secure hash number. That is assuming the "hacker" stole the hash numbers off the server in the first place. The point of storing hash numbers on the server instead of the password is that you can't log on with a hash number - only with a password which generates the hash number. So if somebody steals the hash number off the server you're still good.

The table doesn't give times for external logon attempts. It gives how long it takes to guess the password assuming you have the hash number. Well, assuming you have twelve 4090s laying around.
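To show what an offline attack on a stolen dump looks like in practice, as an added example (editor's code, not from the thread): Python that brute-forces a constructed dump of MD5-hashed 4-digit PINs, first unsalted and then with a per-account salt, counting how many hashes each run costs. Account names, PINs and salts are made up for the demonstration, and the 10,000-PIN keyspace is chosen so the run completes instantly; the mechanics are the same as Hashcat's, only far slower.

```python
# Editor's added example, not from the thread: what "cracking a dump" means in
# practice. The attacker never logs in with a stolen hash; they hash guesses
# offline and compare. Constructed sample data (4-digit PINs, MD5) keeps the run
# instant; the mechanics are the same as Hashcat's, only much slower.
import hashlib
import itertools
import string


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def candidates(charset: str = string.digits, length: int = 4):
    """Every string of `length` characters over `charset`, in lexicographic order."""
    for chars in itertools.product(charset, repeat=length):
        yield "".join(chars)


# Constructed "leaked" accounts. The plaintexts exist here only to build the dump.
PLAINTEXTS = {"alice": "8531", "bob": "7204", "carol": "9999"}
SALTS = {"alice": "x7Qp", "bob": "Lm2z", "carol": "a9Rk"}
UNSALTED_DUMP = {u: md5_hex(p) for u, p in PLAINTEXTS.items()}
SALTED_DUMP = {u: (SALTS[u], md5_hex(SALTS[u] + p)) for u, p in PLAINTEXTS.items()}


def crack_unsalted(dump):
    """One pass over the keyspace checks each guess against every hash at once."""
    targets = {}
    for user, h in dump.items():
        targets.setdefault(h, []).append(user)
    found, work = {}, 0
    for guess in candidates():
        work += 1
        for user in targets.pop(md5_hex(guess), []):
            found[user] = guess
        if not targets:  # every hash in the dump is recovered
            break
    return found, work


def crack_salted(dump):
    """Each account needs its own pass, because salt+guess differs per account."""
    found, work = {}, 0
    for user, (salt, h) in dump.items():
        for guess in candidates():
            work += 1
            if md5_hex(salt + guess) == h:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    f1, w1 = crack_unsalted(UNSALTED_DUMP)
    f2, w2 = crack_salted(SALTED_DUMP)
    print("unsalted:", f1, "after", w1, "hashes")
    print("salted  :", f2, "after", w2, "hashes")
```

The unsalted dump falls in one sweep of 10,000 hashes no matter how many accounts it holds, while the salted one costs a separate sweep per account, so the attacker's bill grows with the size of the breach. Note what the salt does not do: each MD5 guess is still as cheap as before. Making the guess itself expensive is bcrypt's job, which is why the article's bcrypt times are years rather than minutes.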
 
> The table in the article lists how long it takes to guess the password from the secure hash number. That is assuming the "hacker" stole the hash numbers off the server in the first place. The point of storing hash numbers on the server instead of the password is that you can't log on with a hash number - only with a password which generates the hash number. So if somebody steals the hash number off the server you're still good.
>
> The table doesn't give times for external logon attempts. It gives how long it takes to guess the password assuming you have the hash number. Well, assuming you have twelve 4090s laying around.

Ok, sounds like P@$$word12345 will keep me safe for a bit still....
 
> Only if the web site is set up for that. Many banks limit the number of tries, but I bet on this site you could try thousands of times without it locking you out.

That would go a long way to explain some of the posts that people see fit to put here.
 
So the title "Nvidia RTX 4090 can crack complex 8-character passwords in minutes" is more like "Nvidia RTX 4090 can crack complex 8-character passwords in an hour, if protected only by MD5".
 