GPU Password Cracking - Specops Analyzes Performance Limits
Low severity — routine development or informational update
Basically, a $30,000 GPU isn't better than cheaper ones for cracking passwords.
Specops reveals that a $30,000 GPU isn't superior for password cracking. In fact, consumer GPUs outperform them, highlighting the need for strong password policies.
What Happened
In a recent analysis by Specops Software, researchers explored whether high-end AI GPUs, specifically the Nvidia H200 and AMD MI300X, could outperform consumer GPUs like the Nvidia RTX 5090 in password cracking. Despite the hefty price tag of $30,000 for the AI GPUs, the results showed that they lagged behind the RTX 5090 in cracking speed across multiple hashing algorithms.
Setting Up the Test
The Specops team utilized Hashcat, a popular password recovery tool, to benchmark the performance of different GPUs against five common hashing algorithms: MD5, NTLM, bcrypt, SHA-256, and SHA-512. These algorithms represent a range of complexities, from older, easier-to-crack hashes to modern, more secure ones.
GPU Password Cracking Results
The results were striking. The RTX 5090 outperformed both AI accelerators in every category:
- MD5: RTX 5090 at 219.5 GH/s, H200 at 124.4 GH/s, MI300X at 164.1 GH/s
- NTLM: RTX 5090 at 340.1 GH/s, H200 at 218.2 GH/s, MI300X at 268.5 GH/s
- bcrypt: RTX 5090 at 304.8 kH/s, H200 at 375.3 kH/s, MI300X at 142.3 kH/s
- SHA-256: RTX 5090 at 27681.6 MH/s, H200 at 15092.3 MH/s, MI300X at 24673.6 MH/s
- SHA-512: RTX 5090 at 10014.2 MH/s, H200 at 5173.6 MH/s, MI300X at 8771.4 MH/s
The analysis revealed that the RTX 5090 not only surpassed the H200 but did so at a fraction of the cost, raising questions about the necessity of such expensive hardware for password cracking.
The Real Risk to Organizations
The findings highlight a critical concern: password cracking doesn't require exotic hardware. Attackers can easily access sufficient computing power to brute-force weak passwords. For instance, a password hashed with SHA-256 could be cracked in just 21 hours if it’s not complex enough.
The real danger lies in reused passwords from data breaches. If an attacker can link exposed credentials to an individual, they can attempt those passwords against corporate accounts, leading to potential breaches.
How Specops Helps
Specops offers tools to help organizations manage password security effectively:
- Granular Password Policy Management: Implement detailed password policies that exceed standard Active Directory settings, ensuring compliance and encouraging strong password creation.
- Continuous Scanning for Breached Passwords: Their solution scans Active Directory against a database of over 5 billion compromised passwords, alerting users to potential risks.
Organizations should not rely solely on passwords for security. Implementing multi-factor authentication (MFA) can provide an essential additional layer of protection against credential theft.
Conclusion
In conclusion, while the latest AI GPUs are impressive in their capabilities, they do not provide a significant advantage in password cracking compared to consumer GPUs. Organizations must focus on enforcing strong password policies and utilizing tools to detect compromised passwords to better protect against potential breaches.
🔍 How to Check If You're Affected
- 1.Implement strong password policies requiring complex passwords.
- 2.Use tools to monitor for compromised passwords within your organization.
- 3.Educate employees on the risks of password reuse across different platforms.
🔒 Pro insight: This analysis underscores the importance of robust password policies over reliance on expensive hardware for security.