Eight RTX 4090s Can Break Passwords in Under an Hour

 RTX 4090 Founders Edition

Security researcher Sam Croley took to Twitter to share just how incredible Nvidia's new RTX 4090 really is... at cracking passwords. It turns out it's twice as fast as the previous leader, the RTX 3090, at breaking one of your passwords — even when pitted against Microsoft's New Technology LAN Manager (NTLM) authentication protocol and the Bcrypt password-hashing function.

Essentially, this means that any wealthy gamer sporting the RTX 4090 can crack an average password in a matter of days — and that's if you follow good password-setting practices (and most of us definitely don't).

The benchmark tool, HashCat v6.2.6, is a renowned password cracker that is best left in the hands of system administrators and cybersecurity professionals (Croley was one of its core programmers, by the way). It allows researchers to test or guess user passwords in the few situations that might require it.

Unfortunately, this means that cybercriminals can do it, too. And with the evolution in graphical user interfaces (GUIs) and the ease of use of these programs in modern computers sporting a high-performance graphics card, it's become easier than ever to deploy these tools.


In testing, the RTX 4090 trumps the RTX 3090 in almost every algorithm with almost doubled performance — which isn't that shocking, even if that still represents a higher performance improvement than we see in the RTX 4090's graphics performance. This is likely the result of Nvidia still investing a lot of its graphics chip design development to increase its performance on the data-center side. The RTX 4090 shone across the several attack types provided in the HashCat software: dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force attacks.

The researchers estimate that a purpose-built password hashing rig (pairing eight RTX 4090 GPUs) could crack an eight-character password in 48 minutes. According to 2017 data from Statista, 8-character passwords are the most common among leaked passwords, commanding a 32% share of them. This doesn't mean that they're the least safe; it very likely just means that eight characters is the most common password length. And they can now be taken out in under an hour by a "specialized" hashing rig.

Of course, that assumes that the password is at least eight characters long and that it follows the required conventions (at least one number and a special character included). When HashCat is driven to test the most commonly used passwords, however, it can bring a theoretical 48 minute cracking operation that attempted all 200 billion possible combinations down to the millisecond range. But then, that was to be expected: even a human would be extremely fast in cracking a password such as "123456" — apparently the most common password of 2021.

Another interesting element to note is that password cracking naturally has an associated cost; investing in a $1,600 RTX 4090 is costly, and each attempt at cracking a password will incur power costs as well. So it's not just a matter of will. What the RTX 4090 does is bring down the cost to actually crack passwords — something that happens as long as more powerful GPUs come out while security algorithms remain relatively static. Jacob Egner has an extremely detailed and interesting analysis on his blog detailing his discoveries on the $/hash ratios.

Of course, another chip on cybersecurity's shoulder is the amount of data that needs to be encrypted against the inexorable development of quantum computing — computers that will render almost all currently-used encryption schemes pedestrian. Looking at the cost decreases in password-cracking just with GPUs, however, it seems that current security should be upgraded to newer, post-quantum algorithms sooner rather than later.

Relax — not every RTX 4090 owner will turn their top-tier graphics card towards a password-cracking pastime. Additionally, tools such as HashCat are usually deployed against offline assets, not online ones. This means that the chances of your PC being the target of a deranged RTX 4090-owner cracking passwords at will are slim — so slim they're almost nonexistent.

Yet, in light of this, perhaps it's still a good idea to brush up on online security best practices, starting with storing lengthier passwords in one of the best password managers.
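
To put the 48-minute estimate and the advice about lengthier passwords in numbers, the following Python sketch (an added example, not taken from the article, the researchers or HashCat) back-derives the guess rate that estimate implies and projects how worst-case exhaustion time grows with each extra character. It assumes a 95-character printable-ASCII alphabet and a full keyspace search; both are assumptions, not figures from the article.

```python
ALPHABET = 95            # assumption: printable ASCII characters per position
BASE_LENGTH = 8          # from the article: eight-character password
BASE_SECONDS = 48 * 60   # from the article: 48 minutes on an eight-GPU rig


def implied_rate(alphabet=ALPHABET, length=BASE_LENGTH, seconds=BASE_SECONDS):
    """Guesses per second a rig must sustain to exhaust the keyspace in time."""
    return alphabet ** length / seconds


def exhaust_seconds(length, rate, alphabet=ALPHABET):
    """Worst-case time to try every password of exactly `length` characters."""
    return alphabet ** length / rate


def min_length(target_seconds, rate, alphabet=ALPHABET):
    """Shortest length whose full keyspace takes at least `target_seconds`."""
    length = 1
    while exhaust_seconds(length, rate, alphabet) < target_seconds:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = implied_rate()
    print(f"implied rig rate: {rate:.2e} guesses/s")
    # Each added character multiplies the worst-case time by the alphabet size.
    for n in range(8, 13):
        print(f"{n:2d} chars: {human(exhaust_seconds(n, rate))}")
    century = 100 * 365 * 86400
    print("length needed to outlast 100 years:", min_length(century, rate))
```

The projection only covers random passwords searched exhaustively; as the article notes, commonly used passwords fall to dictionary-style attacks far sooner regardless of length.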