NVIDIA's high-performance graphics board can crack complex passwords in a short time
Security company Hive Systems publishes a password table every year that shows how much password strength varies depending on the length and complexity of the password. In 2024, they also published the results of a study on how long it takes to crack a password on multiple graphics boards.
Are Your Passwords in the Green?
Nvidia's flagship gaming GPU can crack complex passwords in under an hour | Tom's Hardware
https://www.tomshardware.com/pc-components/gpus/nvidias-flagship-gaming-gpu-can-crack-complex-passwords-in-under-an-hour
If a user's password is stored as is in a database for an online service, there is a risk that the password will be seen by the service provider or leaked as is due to a data leak. To address this issue, a method is used in which a unique mathematical transformation is performed on the password, and a 'hash value' that is difficult to restore from the original character string is stored.
Hive Systems measures the speed of hash calculations using commonly used hash algorithms such as MD5 and bcrypt on a PC equipped with a high-performance GPU, and then calculates the longest time it takes to complete a brute force attack , which hashes all possible character combinations and finds one that matches the password hash.
In addition, the password length is set to eight characters, which is the minimum required by the National Institute of Standards and Technology (NIST) password creation guidelines, and the characters used are random.
Below is a table summarizing the decryption time for 8-character passwords hashed by MD5. From the left, 'numbers only,' 'lowercase only,' 'lowercase and uppercase,' 'numbers, lowercase and uppercase,' and 'numbers, uppercase, lowercase and symbols.' The GPUs used for decryption are RTX 2080, RTX 3090, RTX 4090, 8 A100, 12 A100, and 10,000 A100. According to this, with the RTX 4090, which is the top class of gaming GPU at the time of writing, it is possible to decrypt even the most complex passwords using 'numbers, uppercase, lowercase and symbols' in just under an hour.
Below is the case of an 8-character password hashed by bcrypt. bcrypt has a higher security strength than MD5, and if it is a combination of 'numbers, uppercase letters, lowercase letters, and symbols,' it will take 12 years to decrypt even an 8-character password using 12 A100s.
Hive Systems has also rented a GPU cluster for ChatGPT and mobilized 10,000 A100s to conduct testing, which makes it possible to decrypt the password at lightning speed. However, IT news site Tom's Hardware says that 'renting a large GPU cluster is quite expensive, so it is not very practical as a means of actually cracking a single password.'
The table below shows the results of decrypting a password hashed with bcrypt using 8 A100s, broken down by number of characters (columns) and type of password (rows). Naturally, the more characters there are, the longer it takes to decrypt. Even if the password is 'numeric only,' it will take three years to decrypt if it is 14 characters or more, and if it is 'numeric, uppercase, lowercase, and symbols,' it will take 1,000 years to decrypt if it is more than nine characters.
Related Posts:
