New graphics card could halve password cracking times
A password researcher has suggested that the new RTX 4090 graphics card from Nvidia could be powerful enough to set new records for password cracking. Sam Croley, a core developer at Hashcat, said last month that the RTX 4090 registers “at an insane >2x uplift over the 3090 for nearly every algorithm”.
Tested against Microsoft’s widely used New Technology LAN Manager (NTLM) authentication protocol and the password-hashing function Bcrypt, the RTX 4090 hit record speeds of 300GH/sec and 200kH/sec respectively. According to another hacker, using eight RTX 4090 GPUs enabled them to cycle through all 200 billion combinations of eight-character passwords in only 48 minutes. Nvidia’s flagship predecessor, the 3090, could only achieve this in around two-and-a-half hours.
While the RTX 4090 retails at £1,699 per unit, it is consumer-focused and widely available, potentially making it a valuable investment for hackers and other threat actors, who will now be able to tap into greater power for custom-built password hacking systems.
It has been noted, however, that even with such powerful hardware, the real-world applications of these kinds of attacks are limited. Speaking to ITPro, MIRACL COO Grant Wyatt said: “This kind of device is typically used for offline password cracking because online solutions would typically be resistant to such attack vectors.”
However, despite such limitations, an RTX 4090 could in theory cycle through the top few hundred most likely passwords for a user account in milliseconds, especially as the majority of user-created passwords use commonly used words rather than random strings.
This risk would be especially pronounced with easy-to-remember passwords shared between employees, which are particularly vulnerable to dictionary attacks, in which rigs use a list of common passwords and variations for brute force attacks.
Harold Li, VP of consumer VPN provider ExpressVPN, said: “Technical developments such as these highlight the importance of good password hygiene. Because nothing is 100% unhackable and passwords are stolen all the time, consumers must take steps to protect themselves.”
“Password managers help users generate a strong, unique password for every account, and store them all safely in an encrypted vault - while having other good cyber security practices like using 2FA significantly reduces your risk.”
Businesses can keep passwords complex and avoid employees having to remember complex strings by using password managers, which can store passwords ranging from 12-128 characters, significantly extending the time it could take hackers to crack them using a brute force approach.
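To put the quoted hash rates and the point about password length into numbers, the following is an added example (not part of the original article) that estimates worst-case exhaustive-search time for a password policy. The 95-character printable-ASCII alphabet, linear scaling across GPUs and the function names are assumptions; the Bcrypt rate is used as quoted, although in practice it depends on the configured cost factor.

```python
# Added example: worst-case exhaustive-search time at the hash rates quoted in the article.
# Assumptions (not from the article): 95 printable-ASCII symbols per character,
# throughput scales linearly with GPU count, every candidate must be tried.

NTLM_RATE = 300e9     # hashes/sec per RTX 4090, as quoted in the article
BCRYPT_RATE = 200e3   # hashes/sec per RTX 4090, as quoted (varies with cost factor)
PRINTABLE_ASCII = 95  # assumed alphabet size
YEAR = 365 * 86400    # seconds in a year


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of candidate passwords of exactly `length` random characters."""
    return alphabet ** length


def exhaust_seconds(length, rate_per_gpu, gpus=1, alphabet=PRINTABLE_ASCII):
    """Seconds needed to try every candidate of the given length."""
    return keyspace(length, alphabet) / (rate_per_gpu * gpus)


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


def min_length_for(target_seconds, rate_per_gpu, gpus=1, alphabet=PRINTABLE_ASCII):
    """Shortest random-password length whose full keyspace outlasts the target."""
    length = 1
    while exhaust_seconds(length, rate_per_gpu, gpus, alphabet) < target_seconds:
        length += 1
    return length


def report(gpus=8, lengths=(8, 10, 12, 16)):
    """Rows of (length, NTLM time, Bcrypt time) for a rig with `gpus` cards."""
    return [
        (n,
         humanize(exhaust_seconds(n, NTLM_RATE, gpus)),
         humanize(exhaust_seconds(n, BCRYPT_RATE, gpus)))
        for n in lengths
    ]


if __name__ == "__main__":
    for n, ntlm, bcrypt in report():
        print(f"{n:>2} chars  NTLM: {ntlm:>28}  Bcrypt: {bcrypt:>32}")
    print("Min length to outlast 10 years on 8 GPUs:",
          "NTLM", min_length_for(10 * YEAR, NTLM_RATE, 8),
          "/ Bcrypt", min_length_for(10 * YEAR, BCRYPT_RATE, 8))
```

These figures apply only to randomly generated passwords; passwords built from common words fall to dictionary attacks long before the full keyspace is searched.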