Nvidia's new RTX 4090 is a powerful password-cracking tool
Hackers using an array of the consumer-grade GPU could see brute force timings halve
Nvidia’s new RTX 4090 graphics card is powerful enough to break password-cracking records, according to benchmarks by a password recovery firm.
A password researcher expressed amazement at the benchmarks he published on Friday. The card clocks in “at an insane >2x uplift over the 3090 for nearly every algorithm," said Sam Croley, a researcher and password cracker who also works as a core developer at Hashcat.
CIO Priorities: 2020 vs 2023
Zero Trust, SaaS Security, and its impact on SD-WAN being a priority
In tests against Microsoft’s New Technology LAN Manager (NTLM) authentication protocol, used widely throughout enterprise networks to authenticate user identity, as well as the commonly-used password-hashing function Bcrypt, the GPU scored record speeds of 300GH/sec and 200kh/sec.
In another tweet, a hacker with the alias 'TinkerSec’ noted that with a rig fitted with eight RTX 4090 GPUs, a hacker could cycle through every combination (200 billion) of eight-character passwords in just 48 minutes using brute force methods.
This is far quicker than the two-and-a-half hours it would take to achieve the same results on the 3090, Nvidia’s previous flagship card, and would include passwords containing random upper cases, lower cases, symbols, and numbers.
The numbers are notable because although the RTX 4090 is expensive, at £1,699 per unit, it is still consumer-focused hardware and widely available from IT retailers. This may make the GPU a valuable investment for threat actors, now able to source more power for custom-built hacking systems through legitimate channels.
However, experts who spoke to IT Pro suggested there are still limitations to the real-world application of such attacks, even with powerful hardware to back them up.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"This kind of device is typically used for offline password cracking because online solutions would typically be resistant to such attack vectors," said Grant Wyatt, COO at MIRACL.
Given that the majority of passwords created by users are not random strings but tend to follow patterns of commonly-used words, hackers can in practice cycle through to the correct password much sooner. If an RTX 4090 was run through a list of only the top few hundred likeliest passwords for an account, it could do so in milliseconds.
The risk for this is especially high for passwords that are shared between employees and made easy to remember. Dictionary attacks work precisely this way, with a rig using a list of the most common passwords and words within passwords to speed up the brute force process.
"Technical developments such as these highlight the importance of good password hygiene," Harold Li, VP, ExpressVPN. "Because nothing is 100% unhackable and passwords are stolen all the time, consumers must take steps to protect themselves.
"Password managers help users generate a strong, unique password for every account, and store them all safely in an encrypted vault - while having other good cyber security practices like using 2FA, significantly reduces your risk.”
In order to keep passwords complex, whilst saving from having to remember complex strings of letters and numbers, many businesses opt to use password managers. These tend to store passwords of between 12 and 128 characters, which could take hackers months, years, or many millions of centuries to crack through a brute force alone.
IT Pro has approached Nvidia for comment.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.