
RTX 4090: Unleashing the Power of Password Cracking

Hi everyone, Yaniv Hoffman here, back with another blog.

Today, we have an exciting topic to discuss that will surely pique the interest of all you security professionals out there. We're diving deep into the world of password cracking with none other than the mighty RTX 4090!


In recent years, the capabilities of hackers in cracking passwords have been significantly enhanced by the availability of high-performance GPUs (Graphics Processing Units). This development has escalated the vulnerability of passwords, necessitating a closer look at the issue and potential solutions.

While initiatives like World Password Day have aimed to promote good password practices, the risks associated with weak passwords have grown exponentially. Hackers have honed their skills to such an extent that an astonishing amount of stolen logins—over 15 billion from more than 100,000 breaches—are now readily available on the Dark Web. These stolen credentials are responsible for a staggering 61% of all data breaches.

The tools employed by hackers to crack passwords have become increasingly sophisticated, with the introduction of high-performance GPUs serving as a new weapon in their arsenal. These GPUs possess immense computational power, enabling them to decipher even eight-digit passwords in a matter of milliseconds.

The NVidia GeForce RTX 4090: A Monster of Password Cracking

The newly released RTX 4090 graphics card by NVidia has garnered significant attention due to its exceptional performance, efficiency, and AI-powered graphics capabilities. However, it also possesses a disconcerting ability—it can crack passwords with remarkable speed and efficiency.

Tests conducted against Microsoft's New Technology LAN Manager (NTLM) authentication protocol have demonstrated the impressive password-cracking capabilities of the RTX 4090. It achieved speeds of 300 billion hashes per second (GH/sec) and 200 thousand NTLM password hashes per second (kh/sec). These results indicate that the RTX 4090 can crack passwords twice as fast as its predecessor, the RTX 3090.

Perhaps the most alarming revelation is that a machine equipped with eight RTX 4090 GPUs could exhaustively cycle through all 200 billion eight-character password combinations using brute force methods in a mere 48 minutes. This highlights the vulnerability of average eight-character passwords, which could be compromised in significantly less time. For example, a simplistic password like "12345678" could be cracked in a matter of milliseconds.

The implication is that for approximately $1,600, one can acquire the necessary hardware to engage in the password-cracking business, which ultimately translates into hacking. This is particularly concerning because much of today's IT infrastructure relies solely on passwords for protection. If a threat actor manages to crack the password of a privileged account, they gain unauthorized access, enabling them to cause havoc and compromise valuable data.

Cyber security experts' opinion:

In a notable demonstration by password cracker and security researcher Sam Croley, the RTX 4090 GPU's impressive power was showcased through benchmark tests. These benchmarks shattered the previous records set by the RTX 3090 and exhibited a fourfold increase in performance across various examined algorithms. The passwords that were cracked during the tests adhered to security best practices and consisted of a combination of random letters and numbers.

Croley shared the results of the tests on Twitter, revealing that the formidable RTX 4090 GPU was pitted against Microsoft's well-known NTLM authentication system and the Bcrypt password-hashing feature. To conduct these experiments in benchmark mode, Hashcat v6.2.6, a widely recognized and extensively utilized password-cracking program, was employed. System administrators, cybersecurity experts, and even hackers commonly employ Hashcat to test or deduce user passwords.

In October 2022, he shared the benchmark results on Twitter.

Based on the test results, a password hashing machine equipped with eight RTX 4090 GPUs could perform all 200 billion iterations of an eight-character password in just 48 minutes. This achievement surpasses the previous record set by the RTX 3090 by 2.5 times. It's important to note that these benchmark tests were conducted using commercially available GPU hardware and associated software.

The Hashcat program, used in the tests, provides various attack methods that can aid in password recovery or, unfortunately, grant unauthorized access to other individuals' accounts, depending on the user's intent. These attack methods include dictionary attacks, combinator attacks, mask attacks, rule-based assaults, and brute force attacks. While the benchmark results may appear alarming, it is crucial to understand that the practical use cases for this technique are limited. Many attacks facilitated by tools like Hashcat and other password-cracking technologies exploit predictable human behaviors that often result in inadequate security practices.

The intention behind highlighting these benchmarks is not to instill fear, but rather to raise awareness about the vulnerabilities associated with weak passwords and the need for robust security measures. It reinforces the importance of adopting best practices such as using complex and unique passwords, implementing multi-factor authentication, and staying informed about evolving security threats. By understanding the risks and taking proactive steps, individuals and organizations can significantly enhance their defenses against password-cracking attacks.

Indeed, the increasing password-cracking capabilities facilitated by high-performance GPUs present a concerning trend that security researchers will need to address in the future. However, it is essential to note that it is not an immediate security emergency. Several factors mitigate the immediate impact.

Firstly, achieving the rapid password-cracking rates mentioned would require multiple RTX 4090 cards, which adds significant cost and complexity. Secondly, the benchmark tests primarily focused on eight-character passwords. Many websites and services enforce password requirements that go beyond eight characters, and each additional character exponentially increases the complexity of cracking.

Furthermore, the practical use of NVidia’s latest GPUs for password cracking is not readily accessible to everyone. The limited availability of these cards, coupled with their high price point, currently starting at $1,600, creates significant barriers for potential attackers. Versions of the RTX 4090 from manufacturers like Asus and Gigabyte can even reach higher prices.


Why passwords are more vulnerable today:

Microsoft's 2022 Digital Defense Report highlights the alarming vulnerability of passwords today and how they contribute to account compromises. The report paints a troubling picture of the current state of password security.

The statistics presented in the report are indeed concerning:

  • Password-based attacks occur at a staggering rate of nearly 1,000 per second, showing a significant 74% increase compared to the previous year.

  • Shockingly, close to 90% of hacked accounts do not have the added protection of multi-factor authentication (MFA), indicating a persistently low adoption rate of this crucial security measure.

  • Notably, 100% of human-operated ransomware attacks involved stolen credentials, obtained through methods such as password cracking, malware-based theft, or purchased from the dark web.

  • In a sample size of over 39 million Internet of Things (IoT) and Operational Technology (OT) devices, an alarming 20% of them relied on identical usernames and passwords for security, exacerbating the risks of unauthorized access.

  • Additionally, 27% of scanned firmware images revealed accounts with passwords that still utilized weak authentication algorithms, indicating the presence of inadequate security measures.

These statistics serve as a wake-up call regarding the vulnerability of passwords and the urgent need to prioritize stronger security practices. The prevalence of password-based attacks and the lack of widespread adoption of multi-factor authentication demonstrate the criticality of improving password hygiene and implementing additional layers of security to safeguard accounts and sensitive data.

Tips to keep your password safe:

The annual password statistics for 2022 reveal some disheartening trends in password usage. Surprisingly, "password" remains the fourth most common password choice among users. While there might be some minor victories, such as "123456789" being harder to crack than "12345678" due to its nine digits, it is unfortunate that the most popular password still consists of only six digits.

It is evident that there is a pressing need for a wake-up call regarding password usage. The conventional wisdom of an 8-character password, which was once considered secure, is no longer effective against the processing power accessible to the average person. With off-the-shelf high-performance GPUs available, even the most complex 8-character password can be cracked in less than an hour.

To address this issue, Microsoft recommends implementing stronger password requirements, including:

  1. Passwords should be a minimum of 12 characters long.

  2. Passwords should consist of a combination of uppercase and lowercase letters, numbers, and symbols.

  3. Avoid using any word found in the dictionary, as well as the names of people, places, products, or organizations.

  4. Ensure that each new password is distinct from previous passwords.

  5. If there is suspicion that a password may have been compromised, it is crucial to change it immediately.
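
The first four recommendations can be checked automatically when a password is set. The sketch below is an added example, not code from Microsoft or from this post; the word list, the substitution table, the function names, the 95-symbol character set and the rig rate (eight cards at the 300 GH/sec figure quoted earlier) are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Assumptions (not from the post): 95 printable ASCII symbols, and a rig rate
# of 8 cards x the 300 GH/sec single-card figure quoted earlier.
CHARSET = 95
RIG_HASHES_PER_SEC = 8 * 300e9
# Constructed sample word list; a real deployment would load a large
# dictionary and a breached-password list instead.
WORDS = {"password", "dragon", "london", "microsoft", "summer"}
LEET = str.maketrans("0134578@$!", "oleastbasi")


def exhaust_hours(length, charset=CHARSET, rate=RIG_HASHES_PER_SEC):
    """Hours to try every password of exactly `length` symbols at `rate`."""
    return charset ** length / rate / 3600


def history_entry(password, salt=None):
    """Keep old passwords as salted PBKDF2 digests, never as plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(candidate, history=()):
    """Return the list of recommendations 1-4 that `candidate` violates."""
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    if not all(re.search(c, candidate) for c in classes):
        problems.append("missing upper, lower, digit or symbol")
    # Undo common substitutions (p@ssw0rd -> password) before the word check.
    lowered = candidate.lower()
    folded = lowered.translate(LEET)
    if any(w in folded or w in lowered for w in WORDS):
        problems.append("contains a dictionary word or name")
    for salt, digest in history:
        if hmac.compare_digest(history_entry(candidate, salt)[1], digest):
            problems.append("reuses a previous password")
            break
    return problems
```

Under these assumptions `exhaust_hours(8)` comes out below one hour, while each extra character multiplies the figure by 95, which is why the 12-character minimum matters more than any single complexity rule.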

The final words:

The introduction of new and powerful weapons throughout history has necessitated constant adaptation of military strategies by leaders. Regrettably, historical evidence suggests that these leaders often lagged behind in modifying their tactics to effectively counter the evolving threat. We cannot afford to repeat this mistake when it comes to the passwords safeguarding our online accounts and digital assets. It is crucial to acknowledge the significant power that modern GPUs possess and promptly adapt appropriate cybersecurity strategies to mitigate their capabilities.

The increasing computational power of high-performance GPUs, as showcased by recent advancements, underscores the urgency for proactive measures. We must recognize the potential risks associated with password cracking and take immediate action to strengthen our cybersecurity defenses. It is imperative that individuals, organizations, and security professionals stay abreast of emerging technologies and threats and adapt their strategies accordingly.

Rather than relying solely on traditional password-based security, it is crucial to implement multifaceted approaches such as multi-factor authentication, robust encryption, and continuous monitoring. Recognizing the potential impact of powerful GPUs, cybersecurity strategies must evolve to address this new reality and stay one step ahead of malicious actors.

By acknowledging the power of these advanced technologies and adopting proactive cybersecurity measures, we can better protect our online accounts, digital assets, and sensitive information. It is essential to learn from history and ensure that our defensive strategies keep pace with the ever-evolving landscape of cyber threats.

