The best graphics cards are great for gaming but can also help crack passwords. Hive Systems, a cybersecurity solution provider, has released the 2024 edition of its Hive Systems Password Table and some additional studies detailing how long it takes different Nvidia graphics cards to crack a password.
Unlike other studies where firms used AI to crack passwords, Hive Systems' approach is based on hashes. Hashing consists of scrambling the password into an enigmatic combination of letters and numbers. Servers store passwords in the form of hashes, so even if a hacker steals the database, they see the hashes, not the actual password. Hackers play around with different combinations of characters, hashing them and comparing them to stolen databases with password hashes to look for matches.
A computer is sufficient to perform hashing, but graphics cards, such as Nvidia's GeForce RTX 4090 or the A100, can accelerate the process substantially. Hive Systems utilized Hashcat, a hashing software, to benchmark the time required to crack different passwords. Unlike previous iterations of its research centered around MD5 hashing, Hive System included results with bcrypt, which is a more complicated password hashing algorithm to break than MD5.
With the first round of MD5 password hashes, Hive Systems used an example password with eight characters, following the NIST password guidelines. We'll concentrate on the more complex passwords with uppercase, lowercase, symbols, and numbers. The times are the best-case scenarios because non-randomly generated passwords are faster to crack.
A GeForce RTX 4090, Nvidia's current gaming flagship, can crack the password in under an hour. Meanwhile, eight A100s can achieve a similar feat in less than 20 minutes. Something like a ChatGPT, which has access to tens of thousands of A100 accelerators, can crack the password in one second.
With bcrypt, the hashing times soared. While the GeForce RTX 4090 only took 59 minutes to crack an MD5 hash, the same graphics card would need 99 years. The time increases from 20 minutes to 17 years, even on eight A100 accelerators. The only way sound way is to go down the ChatGPT route, but that implies you have a ton of cash to rent AI graphics card clusters to carry out your evil deeds.
While it may sound scary, there's no need to panic just yet. For starters, Hive Systems' research assumes that hackers have access to the hash, for example, from significant data breaches, such as the HaveIBeenPwned or LastPass. However, that's not always the case. The study also supposes that Multi-factor authentication (MFA) isn't active or has been bypassed on the attack. In this day and age, you should be using MFA for all your data-sensitive stuff. Even though MFA isn't foolproof because the attacker can likewise run a phishing attack on the victim, it adds a second layer of protection.
MD5 is over 30 years old, and many companies have moved on to more robust hashing algorithms, like bcrypt or pbkdf2. So, it's not just about having a strong password; security also depends on the other end. Even an eight-character NIST-compliant password can be challenging to crack if the service provider maintains good security practices and is up-to-date on the latest hashing algorithms.
