Security researchers show off the RTX 4090's password cracking power

Jimmy2x

Posts: 147   +12
Staff
Why it matters: Security researcher and password cracker Sam Croley posted benchmarks highlighting the RTX 4090's password-cracking muscle. Nvidia's newest flagship GPU shattered the RTX 3090's previous benchmark records and doubled performance across almost every algorithm tested. The cracked passwords adhered to security best practices and included random letter cases, symbols, and numbers.

According to Croley's tweet, the mammoth GPU was tested against Microsoft's well-known New Technology LAN Manager (NTLM) authentication protocol as well as the Bcrypt password-hacking function. All of the tests were conducted using Hashcat v6.2.6 in benchmark mode. Hashcat is a well-known and widely used password-cracking tool used by system administrators, cybersecurity professionals, and cybercriminals to test or guess user passwords.

Based on the benchmark findings, a fully outfitted password hashing rig with eight RTX 4090 GPUs would have the computing power to cycle through all 200 billion iterations of an eight-character password in 48 minutes. The sub-one-hour result is 2.5 times faster than the RTX 3090's previous record. Both benchmark measurements were conducted using only commercially available GPU hardware and related software.

The Hashcat software provides several attack types designed to facilitate password recovery assistance or, depending on the user, unauthorized access to another's accounts. These attack types include dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force attacks.

Many of the attacks available in Hashcat and other password-cracking tools can benefit from predictable human behaviors that often result in poor security practices. For example, an attack may first focus on well-known words, terms, or patterns in an attempt to minimize the amount of time required to crack the user's password. Using these types of lists and data in the attack can bring the time required to crack a password down from 48 minutes to mere milliseconds.

While the benchmark results may sound ominous, it's important to note that the approach may only have a limited set of real-world use cases. MIRACL Chief Operating Officer Grant Wyatt told ITPro.com that these types of attacks are typically relegated to offline assets due to online security tools, practices, and configurations.

Permalink to story.

 

mbk34

Posts: 426   +337
No security system would allow password attempts at this rate. Most of them would lock the account after 3 failed attempts. A bit of a pointless benchmark and fairly pointless reporting.
 

kiwigraeme

Posts: 1,404   +1,041
No security system would allow password attempts at this rate. Most of them would lock the account after 3 failed attempts. A bit of a pointless benchmark and fairly pointless reporting.

You are right - story about Microsoft limited bulk tries to get admin password recently - say what .

However - I'm no security expert - but when hackers get non salted hash tables or whatever that means - something like that - then they have access to unlimited attempts with no delays
 

mbk34

Posts: 426   +337
I'm no security expert - but when hackers get non salted hash tables or whatever that means - something like that - then they have access to unlimited attempts with no delays
That's slightly different. They will have stolen a database table containing user details and an encoded version of their password. The encoded passwords will be encoded into a fairly long, seemingly random, jumble of characters. They then need to find a random list of characters that will produce that same random string when it's encoded, They can then use this new password to log into the system they stole the database table from. The salt bit, is a way of altering the number so it's different each time which makes it more difficult to use on the source system.

You can only use this approach if you have the encoded passwords for users. You can't just randomly try logging into systems as those systems will detect the failed attempts and lock you out.
 

Vanderlinde

Posts: 212   +132
This is not about passwords, they want to show off how good it is for solving algorithms aka mining. Nobody cares anymore.

It's widely used. I used to crack sites as well. With former old school websites that still used MD5 as a hashing for passwords a CPU was used before GPU's where kind of mainstream.

A GPU like this caliber really flies through. most of the additional performance increase is just by increasing it's L1 and L2 cache as a respond to Infinity cache of AMD.
 
How about some information on how different password lengths affect this cracking? Even historical data on password lengths would help.
There are generally 95 characters that can be used in passwords, so a 9 character password would take 95 times longer to crack than an 8 character password and a 10 character password takes 95 times longer than a 9. n^95.
 
You are right - story about Microsoft limited bulk tries to get admin password recently - say what .

However - I'm no security expert - but when hackers get non salted hash tables or whatever that means - something like that - then they have access to unlimited attempts with no delays
This correct. Passwords are stored as hashes (basically encrypted) in databases for websites, or for windows, in the registry or active directory. The hackers will compromise the asset to get the hashes and then work on them offline. Online brute force attacks were well recognized a generally ineffective by 2000.
 

PEnnn

Posts: 1,011   +1,361
"a fully outfitted password hashing rig with eight RTX 4090 GPUs would have the computing power to cycle through all 200 billion iterations of an eight-character password in 48 minutes"

EIGHT 4090s and it took 48 minutes for a lousy 8 character password?? That's impressive??

What about 20-30 character passwords (like mine)?? It will probably take a thousand 4090s and an eternity!!

Yeah, sounds impressive and a great ROI to many hackers....

PS: Can we expect another article thrown at us praising the amazing 4090 in another day or 2??
 
No security system would allow password attempts at this rate. Most of them would lock the account after 3 failed attempts. A bit of a pointless benchmark and fairly pointless reporting.
You are correct. What they are glossing over is the fact that you must first have a hash of the password. Consider the hash to be an encrypted version of the password. The cracking software computes the hash of every possible password until it finds a hash which matches the original hash. You can't go backwards from a hash to a password, just from a password to a hash.
The faster a hash can be computed the less time it takes to find the matching hash.

I simplified two things.
1) The hash isn't actually an encrypted password, it is a unique value calculated from the password.
2) The software would not start by trying every possible. It would assume things like the user making the first character uppercase, and putting numbers and symbols at the end.

Each time you add a character to a password it takes 72 times longer to crack. (72 is the number of characters which could possibly be in the position, upper case, lower case, numbers, symbols).

For any of this to be relevant, there needs to be a data breech for the software to have a hash to match.
 

godrilla

Posts: 627   +340
"a fully outfitted password hashing rig with eight RTX 4090 GPUs would have the computing power to cycle through all 200 billion iterations of an eight-character password in 48 minutes"

EIGHT 4090s and it took 48 minutes for a lousy 8 character password?? That's impressive??

What about 20-30 character passwords (like mine)?? It will probably take a thousand 4090s and an eternity!!

Yeah, sounds impressive and a great ROI to many hackers....

PS: Can we expect another article thrown at us praising the amazing 4090 in another day or 2??
Passwords turned from words to sentences to paragraphs to essays. Don't you love it when you are limited to a maximum 8 character passwords with limited characters like no dots allowed or explanation mark! 😳 Some It departments still use archaic password requirements and encryption.
 

Darth Shiv

Posts: 2,330   +856
No security system would allow password attempts at this rate. Most of them would lock the account after 3 failed attempts. A bit of a pointless benchmark and fairly pointless reporting.
Most? First of all I think you are optimistic.

Secondly hash dumps are a treasure trove. Why? They give email addresses and passwords people are using and possibly have re-used on other sites. Offline cracking those passwords, you can then try arbitrary other ONLINE services that user may be using with a password you KNOW they have used somewhere.
 

J Oelschl

Posts: 24   +20
[
It's widely used. I used to crack sites as well. With former old school websites that still used MD5 as a hashing for passwords a CPU was used before GPU's where kind of mainstream.

A GPU like this caliber really flies through. most of the additional performance increase is just by increasing it's L1 and L2 cache as a respond to Infinity cache of AMD.

Exactly. I have just spent 82 hours trying to crack a password for a ZIP file I had. I could not remember anything about the password (length, type of characters used etc) so I had to use a brute force attack on it without limiting any charsets or length of the password. after 82 hours and 78 billion combinations checked it still did not crack the password. The hash rate was a paltry 245,000/second with zero GPU support (yes, my system is old and anemic) This card would have been a godsend. Sometimes average people forget passwords to archives or backups. I made the ZIP archive 13 years ago and I did not realize I had a default password set on WinZip. 🙄😡
 

Hodor

Posts: 436   +320
Since many passwords are "0000", "Admin" and "God" they can be cracked by Riva-TNT2 with 16 MB RAM (not 16 GB, that's too much).