Assessing the password cracking capabilities of high-end GPUs

At a glance:

• The increasing power of GPUs and AI accelerators raises questions about their potential use in password cracking.
• A comparison of the Nvidia H200, AMD MI300X, and Nvidia RTX 5090 GPUs shows that the RTX 5090 outperforms the AI accelerators in raw hash generation speed.
• The price to performance comparison is striking, with the RTX 5090 being significantly cheaper than the AI accelerators.

Introduction

The rapid growth of compute power, driven by the AI surge, has led to the development of increasingly powerful hardware. This raises an interesting question for cybersecurity professionals: can this hardware be repurposed for password cracking, and if so, does that mean passwords are about to become obsolete?

Background

To explore this scenario, the Specops research team compared two flagship AI accelerators, the Nvidia H200 and AMD MI300X, with Nvidia’s top consumer GPU, the RTX 5090. The goal was to see whether a $30,000 AI GPU actually has an advantage when cracking passwords.

Setting up the test

The team used Hashcat, one of the most widely used password recovery tools, to benchmark the performance of the three GPUs. They tested five commonly encountered hashing algorithms: MD5, NTLM, bcrypt, SHA-256, and SHA-512.

The GPU password cracking results

The results showed that the RTX 5090 outperforms both AI accelerators in raw hash generation speed. Across multiple functions, the RTX 5090 hashes passwords at almost twice the speed of the H200.

Price to performance comparison

The price to performance comparison is striking. A single H200 is at least ten times the price of an RTX 5090, so you might reasonably expect far greater performance from the AI accelerator in a one-to-one comparison. That simply isn’t the case.

The real risk to organizations

Password cracking doesn’t require exotic or specialized hardware. Professional crackers and attackers already have access to all the computing power they need to brute-force weak passwords. Enforcing stronger passwords is essential, and the most effective defense is length.

The importance of detecting compromised passwords

The bigger risk is passwords that have already been exposed in data breaches. This often happens through password reuse. Tools like Specops Password Policy can help detect compromised passwords within an organization, allowing security teams to reset accounts and block attackers before those passwords are used to gain access.

How Specops helps

Specops Password Policy helps in two crucial ways: granular password policy management and continuous scanning for breached passwords. The Breached Password Protection feature continuously scans the Active Directory against a database of more than 5 billion unique compromised passwords.

Conclusion

Ultimately, organizations shouldn’t rely on passwords as the only line of defense. Multi-factor authentication (MFA) provides an additional barrier that protects accounts even if a password is eventually recovered. Specops Secure Access delivers that additional layer of security to Windows Logon, RDP, and VPN connections.