Why it matters: Security researcher and password cracker Sam Croley posted benchmarks highlighting the RTX 4090's password-cracking muscle. Nvidia's newest flagship GPU shattered the RTX 3090's previous benchmark records and doubled performance across almost every algorithm tested. The cracked passwords adhered to security best practices and included random letter cases, symbols, and numbers.
According to Croley's tweet, the mammoth GPU was tested against Microsoft's well-known New Technology LAN Manager (NTLM) authentication protocol as well as the Bcrypt password-hacking function. All of the tests were conducted using Hashcat v6.2.6 in benchmark mode. Hashcat is a well-known and widely used password-cracking tool used by system administrators, cybersecurity professionals, and cybercriminals to test or guess user passwords.
First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to blazer for the run. Full benchmarks here: https://t.co/Bftucib7P9 pic.twitter.com/KHV5yCUkV4
--- Chick3nman " (@Chick3nman512) October 14, 2022
Based on the benchmark findings, a fully outfitted password hashing rig with eight RTX 4090 GPUs would have the computing power to cycle through all 200 billion iterations of an eight-character password in 48 minutes. The sub-one-hour result is 2.5 times faster than the RTX 3090's previous record. Both benchmark measurements were conducted using only commercially available GPU hardware and related software.
The Hashcat software provides several attack types designed to facilitate password recovery assistance or, depending on the user, unauthorized access to another's accounts. These attack types include dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force attacks.
Many of the attacks available in Hashcat and other password-cracking tools can benefit from predictable human behaviors that often result in poor security practices. For example, an attack may first focus on well-known words, terms, or patterns in an attempt to minimize the amount of time required to crack the user's password. Using these types of lists and data in the attack can bring the time required to crack a password down from 48 minutes to mere milliseconds.
While the benchmark results may sound ominous, it's important to note that the approach may only have a limited set of real-world use cases. MIRACL Chief Operating Officer Grant Wyatt told ITPro.com that these types of attacks are typically relegated to offline assets due to online security tools, practices, and configurations.