Here's How Fast A GeForce RTX 4090 Can Crack Your Passwords

While some might say passwords are on the way out, especially with the advent of passkeys that are regarded as a better solution. However, the extinction of the password isn’t a reality yet. Passwords are still around and they're sometimes terribly not secure, especially if you use one of the top 200 worst passwords for any of your accounts. In any event, obviously, using a weak password makes it easier for hackers to crack your password and get access to your accounts with as little as an RTX 4090, which makes quick work of passwords.

When you enter a password into a website, it is usually not stored as you entered it in plaintext, or at least we hope that is the case. The best practice is running a repeatable one-way algorithm, called a hashing algorithm, on the password you entered along with some extra data called “salt,” which makes the password harder to brute-force guess. For example, if you entered “Password1!” into a website, that might get stored as the MD5 hash of “cfb668811347768410604c5e092774e7” if there was no salt or 675111e5854a5fa2f5a8c1d6528a30bb if we added “HotHardwareRocks:” to the front of it.


However, just because it is harder does not mean it is impossible; it just takes more time to run all possible combinations of characters that could be in a password through the algorithm. This is effectively what cracking is, and there are some ways to speed it up through targeted password guessing and whatnot, but that is the gist of how it works. In addition, while this cracking can be done on any computer, graphics cards are good at running complex math problems, which is precisely what hashing algorithms are. Thus, having powerful graphics cards at your disposal can speed up your cracking efforts, as shown by researchers in a release by Hive Systems.

Returning to the MD5 example, an eight-character password comprised of numbers, uppercase and lowercase letters, and symbols can be cracked by a lone NVIDIA GeForce RTX 4090 in 59 minutes. However, MD5 is not as prevalent as it once was, and it would appear organizations are moving towards bcrypt, another algorithm that is a bit more robust. This is indicated by the same password requirements but with a cracking time of 99 years.

Despite the apparent robustness of the algorithm, there is no way to know if a website is using the industry-best-practice hashing algorithm, if one at all, or even the right configuration for the algorithm. As such, you still need strong, lengthy passwords or, better yet, passphrases alongside using multi-factor authentication, which can add another layer of defense against heisty hackers' hijinx.