Nvidia’s RTX 4090 graphics card is a bit of a dab hand when it comes to the power and brute force needed to crack passwords, it would seem.
As Tom’s Hardware reports, this comes from a security researcher, Sam Croley, who tweeted about the RTX 4090’s muscle for this task, as gauged by benchmarks run with Hashcat (a password cracking tool).
First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to blazer for the run. Full benchmarks here: https://t.co/Bftucib7P9 pic.twitter.com/KHV5yCUkV4 (October 14, 2022)
It seems the new Lovelace flagship has an “insane” uplift in cracking performance of over two times compared to the RTX 3090 for “nearly every algorithm”. The new GPU was particularly adept at brute force attacks, combinator attacks, dictionary attacks, mask attacks, and rule-based attacks.
As Tom’s observes, an estimate is provided that a system built specifically for cracking, using eight RTX 4090 graphics cards (yes, a pricey endeavor), could uncover a password of eight characters in length – the most common length – in less than an hour (48 minutes).
If you’re talking about insecure passwords – you know the sort, ‘password’, ‘123456’ or slightly more complicated but generally simple efforts – then they can be cracked in the blink of an eye, more or less.
Analysis: Password fears as more powerful cracking tech becomes more accessible
All this sounds pretty worrying, of course, but it doesn’t mean your password defenses will crumble tomorrow (unless you are using simplistic passwords, or reusing passwords across sites, or any of those other bad security practices which, to be fair, don’t require an RTX 4090 in the wrong hands to get you in hot water).
What this does do is serve as a reminder of how within reach this kind of computing power now is, with a somewhat well-off gamer or PC enthusiast being able to grab an RTX 4090, and possibly misuse it along these lines.
How about really secure passwords? Or indeed those concocted by a password manager in all their seriously complex glory? Croley addresses a query in that Twitter thread where a user asks how long it’d take to fell a 15-character NTLM (Microsoft’s New Technology LAN Manager) password.
Croley replies: “If it’s randomly generated with something like a password manager, too long. There are 95 characters in the common ‘full character set’, and 95^15 is too large of a keyspace for pretty much anyone to attack. Doesn’t really matter how many 4090s or who they are, it’s still too big.”
So is this an argument for getting yourself a password manager, then? Perhaps, and it’s certainly food for thought. If you’re mulling over grabbing such an app, then hop on over to our roundup of the best password managers, where we pick out the top performers in this field. And if you don’t use an app to keep your passwords watertight, make sure you aren’t taking silly shortcuts like using obvious passwords, or jotting them down in a pad somewhere, or similar…
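To put numbers on both the 48-minute estimate and Croley’s 95^15 point, here is a short sizing calculation, added as an illustration and not taken from the tweet or from Hashcat. It assumes the overclocked per-card rates quoted in the tweet, an eight-card rig, and randomly generated passwords drawn from the 95-character set; the function names are made up for this example.

```python
# Added example: sizing random passwords against the rates quoted on the page.
# Assumptions: per-card rates are the overclocked figures from the tweet;
# the bcrypt rate depends on the cost factor, which the tweet does not state.
NTLM_RATE = 300e9      # 300 GH/s per RTX 4090
BCRYPT_RATE = 200e3    # 200 kH/s per RTX 4090
CHARSET = 95           # "full character set" from Croley's reply
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exhaust_seconds(length, rate_per_gpu, gpus=8, charset=CHARSET):
    """Worst-case seconds to try every password of exactly `length` chars."""
    return charset ** length / (rate_per_gpu * gpus)


def min_length(rate_per_gpu, years, gpus=8, charset=CHARSET):
    """Shortest random-password length whose full search outlasts `years`."""
    budget = int(rate_per_gpu * gpus * years * SECONDS_PER_YEAR)  # total guesses
    length = 1
    while charset ** length <= budget:  # integer math avoids log rounding
        length += 1
    return length


def report():
    """Summarise the page's two scenarios plus a policy-style minimum length."""
    return {
        "ntlm_8_chars_minutes": exhaust_seconds(8, NTLM_RATE) / 60,
        "ntlm_15_chars_years": exhaust_seconds(15, NTLM_RATE) / SECONDS_PER_YEAR,
        "ntlm_min_len_100y": min_length(NTLM_RATE, 100),
        "bcrypt_min_len_100y": min_length(BCRYPT_RATE, 100),
    }


if __name__ == "__main__":
    # Exhaustive search only: human-chosen passwords fall to dictionary and
    # rule-based guessing long before the full keyspace is covered.
    for name, value in report().items():
        print(f"{name}: {value:,.1f}" if isinstance(value, float)
              else f"{name}: {value}")
```

At these rates the eight-character NTLM case comes out at roughly 46 minutes, in line with the estimate above, while 15 random characters runs to billions of years. The same rig needs a century-plus for eight random characters under bcrypt, which shows how much the choice of hashing algorithm on the server side matters.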