Sam Croley, the core developer for the Hashcat password tool (now in version 6.2.6) and a security analyst out of Austin, TX, recently tested his password-cracking benchmarking tool to see how well the new NVIDIA GeForce RTX 4090 GPU would do at recovering someone's secret passwords. He measured more than two times the performance of its predecessor, the RTX 3090 GPU.
Password hacking is improved to under sixty minutes on eight NVIDIA RTX 4090 GPUs, two times faster than the RTX 3090
User "ninja the hacker" asked Croley how long it takes to "brute force" an eight-character password, and the results were astonishing.
In Croley's words on Twitter:
If we do the math for NTLM, 300GH/s is 300 Billion hashes per second, ?a is 95 characters, length 8 makes it a keyspace of 95^8, divide that by the speed and get 22111 seconds. Then convert from seconds and you get 368 minutes or 6.1 hours to complete the keyspace on 1x 4090 GPU.
— Chick3nman 🐔 (@Chick3nman512) October 14, 2022
So, for a standard eight-character password combining numbers, uppercase and lowercase letters, and symbols, the estimated time on only one NVIDIA RTX 4090 GPU is 6.1 hours, and much less when several of the same model are combined in a password-cracking rig. What is even crazier is that it can go up against authentication protocols such as Microsoft's NTLM (New Technology LAN Manager), or the Bcrypt password-hashing function created by Niels Provos and David Mazières in 1999.
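The keyspace arithmetic from the tweet, generalized to arbitrary hashcat-style masks and to a defender's question (how long must a password be to outlast a given rig?). This is an added example, not code from the article or from Hashcat: the function names are hypothetical, the 300 GH/s NTLM rate is the figure quoted in the tweet, and linear scaling across GPUs is an assumption.

```python
# Sizes of hashcat's built-in mask charsets (?l ?u ?d ?s ?a ?h ?H ?b).
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95,
                 "h": 16, "H": 16, "b": 256}
NTLM_RATE_4090 = 300e9  # hashes/second for one RTX 4090, as quoted in the tweet


def mask_keyspace(mask: str) -> int:
    """Count the candidates a hashcat-style mask generates.

    Literal characters and '??' (a literal '?') contribute one choice each.
    Custom charsets (?1-?4) are not handled and raise ValueError.
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1
            continue
        if i + 1 == len(mask):
            raise ValueError("mask ends with a dangling '?'")
        key = mask[i + 1]
        if key != "?":
            if key not in CHARSET_SIZES:
                raise ValueError(f"unsupported charset ?{key}")
            total *= CHARSET_SIZES[key]
        i += 2
    return total


def exhaust_seconds(mask: str, rate: float = NTLM_RATE_4090, gpus: int = 1) -> float:
    """Worst-case time to try every candidate (assumes linear scaling per GPU)."""
    return mask_keyspace(mask) / (rate * gpus)


def min_length(target_seconds: float, charset: str = "a",
               rate: float = NTLM_RATE_4090, gpus: int = 1) -> int:
    """Shortest all-?charset password whose full keyspace takes >= target_seconds."""
    length = 1
    while exhaust_seconds(f"?{charset}" * length, rate, gpus) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    full = "?a" * 8
    print(f"1 GPU : {exhaust_seconds(full) / 3600:.1f} h")
    print(f"8 GPUs: {exhaust_seconds(full, gpus=8) / 60:.0f} min")
    print(f"?u?l?l?l?l?l?d?d, 1 GPU: {exhaust_seconds('?u?l?l?l?l?l?d?d'):.2f} s")
    year = 365 * 24 * 3600
    print(f"min ?a length for a 1-year exhaust on 8 GPUs: {min_length(year, gpus=8)}")
```

The predictable "capital, lowercase letters, two digits" mask shows why structure matters as much as length: its keyspace is exhausted in a fraction of a second at the same rate. Pass a different `rate` to model other hash types.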
While the numbers are incredible, they are also frightening when you think about the nefarious uses someone could put them to in hacking other users, businesses, and more. The cost to hack that fast is also hard to swallow. With the NVIDIA RTX 4090 selling at $1,600 each (estimated with tax), a rig working at that speed would cost above $12,800, which does not include the amount of power required to pull off such a feat.
Another side note is that Hashcat is an offline password-hacking tool. It's perfect for server and system admins, along with cybersecurity specialists. That does not mean, however, that you are safe on the Internet. Google, Apple, Microsoft, and more have implemented several cybersecurity measures, as well as software security packages, to create solid and harder-to-crack passwords. Unfortunately, we live in a society where it is easier to use one password across several websites and devices, which opens us up to attacks at some point.
Also, the more powerful systems developed over the last several years to usher in quantum computing are slowly opening themselves up to attacks on an astronomical scale. This will cause those development teams to consider even more stringent measures for the future of computing.
Have you been using the same password for the last five years? It might be time to update to a new password or even consider a password generator/storage tool to help keep track of passwords across the web and more.