Cryptomining’s off the cards, but it turns out the new Nvidia RTX 4090 is a dab hand at hacking and not just gaming. Stick eight of them in a password cracking rig—for a paltry $13K—and you can break an eight-character password in just 48 minutes.
The Ada Lovelace-based card keeps popping up with new metrics to prove just what an absolute beast of a GPU it’s got at its heart, and its showing in the HashCat benchmark highlights the cryptography chops of the AD102 core.
The performance was highlighted by security researcher Sam Croley, who tweeted on Friday (via Tom’s Hardware) that there’s “an insane >2x uplift over the 3090 for nearly every algorithm.” In the same thread he also pointed out that it’s just over three times faster than AMD’s Radeon RX 6900 XT.
Crunching the numbers, other Twitter users have suggested that would mean a modest collection of RTX 4090 cards could go through every single possible password combination of a standard eight-character password—including upper- and lower-case letters, numbers, and symbols—in less than an hour.
That’s with the AD102 tested against the password hashing used by Microsoft’s New Technology LAN Manager (NTLM) authentication protocol, which is something you’ll see in place in a whole lot of enterprise situations out there.
That’s massively cutting the cost of password cracking, which should have you looking right now at just how secure your pet-name passwords are. Though to be fair, in 2022, the most common two passwords are still 123456 and 123456789. So, for the vast majority of passwords you’re not going to need an expensive cracking rig to get through someone’s simple security.
Mother of Eris… With these benchmarks, using an 8 GPU rig, you could go through: every.single.possible.password.combination.of an 8 character password (even total random upper, lower, number, symbol) using NTLM hashing (Windows / Active Directory) in… 48 minutes!!! https://t.co/nM85Lqddcl
October 14, 2022
But if a single card were to be put up against a list of the top couple of hundred passwords in use right now it may just take a few seconds, maybe milliseconds, to crack most passwords. Though chances are you’re probably not going to want what’s ‘hidden’ behind such lax security measures.
The original report by ITPro should put your mind at ease, however, if you were at all concerned about rogue RTX 4090s ray tracing the hell out of Cyberpunk in the day and then cracking all your passwords by night.
“This kind of device is typically used for offline password cracking because online solutions would typically be resistant to such attack vectors,” Grant Wyatt, COO at MIRACL tells ITPro.
If you are worried, though, it does point out that if you’re using a good password manager, which stores passwords between 12 and 128 characters in length, then even this sort of brute force method would take a lot longer to get through.
Maybe months, maybe years, maybe centuries, or even longer.
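To see how the 48-minute figure scales with password length, here is an added example (not from the article or from the researchers it quotes) that derives the rig's implied guess rate from the article's own claim and projects the worst-case exhaustive search time for longer random passwords. The 95-character set (printable ASCII) and all function names are assumptions made for illustration.

```python
# Added example: every figure is derived from the article's claim
# (8-GPU rig, random 8-character password, NTLM, 48 minutes).
CHARSET = 95                  # assumption: printable ASCII (upper, lower, digits, symbols)
BASELINE_LEN = 8              # password length quoted in the article
BASELINE_SECONDS = 48 * 60    # 48 minutes quoted in the article
YEAR = 365.25 * 86400


def keyspace(length, charset=CHARSET):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def implied_rate():
    """Guesses per second the rig must sustain for the 48-minute claim to hold."""
    return keyspace(BASELINE_LEN) / BASELINE_SECONDS


def exhaust_seconds(length, charset=CHARSET):
    """Worst-case seconds to try every random password of `length` characters."""
    return keyspace(length, charset) / implied_rate()


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def min_length_for(target_seconds, charset=CHARSET):
    """Shortest random-password length whose exhaustive search exceeds the target."""
    length = 1
    while exhaust_seconds(length, charset) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    print(f"implied aggregate rate: {implied_rate():.2e} guesses/s")
    for n in (8, 9, 10, 11, 12, 16):
        print(f"{n:>2} chars: {humanize(exhaust_seconds(n))}")
    print("length needed to resist 100 years:", min_length_for(100 * YEAR))
```

These are upper bounds for truly random passwords against a fast hash such as NTLM; a password that appears in a common-password list falls far sooner regardless of its length.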