News Eight RTX 4090s Can Break Passwords in Under an Hour

RichardtST

Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.

What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.

You think you get privacy with your VPN? Lol! No.
 
Was experimenting with John the Ripper and Hashcat just last month to see if I could crack zip and rar files that I made myself.
(Not the same as the NTLM cracking the article mentioned, but it's what I had!)

Could never get hashcat to run so I focused more on John the Ripper.

Highly likely it was user error lol.

At least with John the Ripper, which uses your CPU, any password-protected zip file with a password from 0-4 letters was cracked almost instantly, a 5 letter password took about 2 minutes, a 6 letter password was 4-5 hours and 7 letters was multiple days. 8 letters was estimating something like 2 months, but I didn't let that test finish.

The CPU I was using was an i7-11370H processor in an Alienware laptop, 4 cores 8 threads, 4.8 GHz.

Definitely not the most capable CPU for the task, but it was what I had for testing and much closer to a middle ground than something like an i9-12900k

If we say an i7-11370H with John the Ripper could crack an 8 letter password in 2 months then doing some quick math 24hours x 30days x 2months = 1440 hours / 8 hours = 180

We can say that 180 of the i7-11370H = 1 GeForce 4090, which is highly impressive

I'd imagine 180 of the i7-11370H would cost more than a single $4090. (They would have to be less than $8 each along with the rest of the computer and complexity setting it all up!)
 
> Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.
>
> What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.
>
> You think you get privacy with your VPN? Lol! No.

I wanna say in the ASCII character set (the literal keyboard characters you can type) there are 96 possible characters (a-z, 0-9, !?><, ....) and so for each letter you raise it by that same power: 96^1 is ... 96 possible passwords, 2 letters would be 96^2 or 9216, and by the time you get to 8 letters you would have 7,213,895,789,838,336 possible password combinations.

The program literally tries every possible combination of characters in a brute force attack.

For most of the password "tries" it gets the response of NOPE until eventually it cycles through all possible passwords and arrives on the correct one.

It is quite literally like having 2 billion physical keys and trying to open a lock ... you'll know when it opens.

The big difference is you can't try 3 million keys in a second!

It makes no difference if the password is 12345 or 1}(@!

Of course having a 3 tries and you're done for 24 hours would stop any brute-force attacks trying to hack a password for that, but for anything without a timeout you need an especially complex password.
 

TJ Hooker

> Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.
>
> What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.
>
> You think you get privacy with your VPN? Lol! No.

Hashcat works by the user providing a list of password hashes, and Hashcat starts hashing potential passwords until it finds one that has a hash that matches one from the list. Whether the password is a dictionary word, a random string, whatever, has no impact on being able to detect a match.

And no, you can't break modern internet encryption (e.g. HTTPS, VPN, etc.) with Hashcat and some RTX 4090s.
 

qayin

Some misinformation in the article and comments.

First, @derekullo, this article is about OFFLINE password cracking (which is what Hashcat is used for) so anything "online" (i.e. "Of course having a 3 tries and you're done for 24") is unrelated.

Additionally, there is a HUGE difference if the password is 12345 or 1}(@!, as most of us crack by difficulty, so even if we brute force, we always start short (password length > complexity), and when cracking NT hashes, attempting all options under 6 characters will take a short second (-m1000 -a3 -i ?a?a?a?a?a?a)

Regarding the article, this is only a single hash algorithm, and one of the easiest to crack, out of many many many more. While this one is used by Windows OS (which cracking is usually unnecessary for if you have internal network access), most chances are our passwords for websites are stored in other, far more complex hashes (i.e. not cracked in hours or days), at least for websites using modern software.
 
> Some misinformation in the article and comments.
>
> First, @derekullo, this article is about OFFLINE password cracking (which is what Hashcat is used for) so anything "online" (i.e. "Of course having a 3 tries and you're done for 24") is unrelated.
>
> Additionally, there is a HUGE difference if the password is 12345 or 1}(@!, as most of us crack by difficulty, so even if we brute force, we always start short (password length > complexity), and when cracking NT hashes, attempting all options under 6 characters will take a short second (-m1000 -a3 -i ?a?a?a?a?a?a)
>
> Regarding the article, this is only a single hash algorithm, and one of the easiest to crack, out of many many many more. While this one is used by Windows OS (which cracking is usually unnecessary for if you have internal network access), most chances are our passwords for websites are stored in other, far more complex hashes (i.e. not cracked in hours or days), at least for websites using modern software.

I was addressing RichardtST's concerns mentioning timeouts.

I said many times I was testing with local/offline zip files I created for testing purposes.

A 5 letter password is highly insecure regardless if it's 12345 or 1}(@!, was the point I was making; gibberish or not, the program does not care how elegant the password is.

12345 would be cracked nearly instantly due to it being a common password, with 1}(@! taking 2 minutes at most.
 

USAFRet

Any non-retarded system doesn't allow you to spam millions of passwords.
"Additionally, the password-cracking ease of tools such as HashCat are usually deployed against offline assets, not online ones. This means that the chances of your PC being the target of a deranged RTX 4090-owner cracking passwords at will are slim — so slim they're almost nonexistent. "
 

Pyrostemplar

> Security researcher Sam Croley has shared the password-breaking prowess of Nvidia's latest graphics card, the RTX 4090: and it doubles performance compared to the RTX 3090. Your passwords can now be broken by wealthy gamers in a matter of days.
>
> Eight RTX 4090s Can Break Passwords in Under an Hour : Read more

Taking into consideration the article content and the comments, I'd change the article headline to something like "Compared to a 3090Ti, the RTX4090 halves the time required to break a typical password encrypted file to about 8 hours"
 
edit: This was addressed in more detail by derekullo above... I thought the front page comments had nested replies for some reason

> Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.
>
> What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.
>
> You think you get privacy with your VPN? Lol! No.

That is not how this kind of password cracking works. Having beefy GPUs doesn't matter if you're trying against a rate-limited device or service. This assumes you know what the hashed value of the password is (say from a stolen database) and the hashing algorithm used, so you can hash offline as fast as your cracking hardware can handle. It doesn't matter if the password looks like gibberish, once you get a match you've gotten the (potentially salted) password*.

Also, this does not break encryption in general lmao. The 4090 is just an unsurprising incremental improvement in hashing speeds and decent encryption is still next to impossible to simply brute-force.

*Technically possible exception being a hash collision, but those are exceedingly unlikely
 
> edit: This was addressed in more detail by derekullo above... I thought the front page comments had nested replies for some reason
>
> That is not how this kind of password cracking works. Having beefy GPUs doesn't matter if you're trying against a rate-limited device or service. This assumes you know what the hashed value of the password is (say from a stolen database) and the hashing algorithm used, so you can hash offline as fast as your cracking hardware can handle. It doesn't matter if the password looks like gibberish, once you get a match you've gotten the (potentially salted) password*.
>
> Also, this does not break encryption in general lmao. The 4090 is just an unsurprising incremental improvement in hashing speeds and decent encryption is still next to impossible to simply brute-force.
>
> *Technically possible exception being a hash collision, but those are exceedingly unlikely

I never spoke about cracking a rate-limited password or "breaking encryption".

My experience is limited to cracking a .zip and .rar

Not sure who you are arguing with lol.
 
> I never spoke about cracking a rate-limited password or "breaking encryption".
>
> My experience is limited to cracking a .zip and .rar
>
> Not sure who you are arguing with lol.

I quoted RichardtST and was replying to him. I just added the edit line at the top after I posted when I realized you already addressed his misconceptions.
 

kato128

I'm curious how they managed to get 8 cards to work together. SLI is dead and given the sheer size of the 4090 there's no way you'd find a mainboard big enough to run more than 2 in a single machine.
 

Phyzzi

> I'm curious how they managed to get 8 cards to work together. SLI is dead and given the sheer size of the 4090 there's no way you'd find a mainboard big enough to run more than 2 in a single machine.

NV builds rigs that run 4 or 8 flagship GPUs in parallel for corporate compute and research customers who want something powerful but not an actual room-sized computer, or you could probably just get mining rig hardware.
 

Phyzzi

Most of the leaked passwords are from low value and low security targets. I mean, not all, for sure, but if we are looking at forum passwords vs bank passwords, the patterns from the first may not translate to good assumptions about the second. And, Spaceballs aside, it makes sense that a lot of people required to make passwords for things they don't really care about being hacked would use something like 123456 for those passwords. In a convoluted way, this makes actual high security passwords more secure, because it means that 1) people are used to using better security measures than passwords where it matters, 2) bad actors have to sort through a lot of junk while good actors aren't putting all their eggs in one basket or using all their brainpower remembering 200 different passwords. We also should probably all start using a character with a tilde or umlaut in our rarely used but high security passwords too.
 
A bit of background on SLI.

SLI ... scalable link interface only mattered for graphics because everything had to be done in real time with all processes happening in the correct order to get a frame made.

The "link" part being key in that it vastly increased the memory bandwidth between the 2 cards so as to make their memory homogeneous.

"In cases where two cards are not identical, the faster card – or the card with more memory - will run at the speed of the slower card or disable its additional memory" (copy-paste from the SLI wiki page)

What this all means in a highly simplified way is because the workload is highly controlled we can give each GPU a different set of possible hashes to try split evenly between each GPU. (not sure if it actually splits evenly if you gave 2 cards of vastly different speeds, 1060 and 3080 for example)
One GPU doesn't need to know what the others are doing except if 1 GPU finds a match ... in which case stop processing and launch fireworks.exe

You would not want to use SLI with Hashcat.

View: https://www.reddit.com/r/HowToHack/comments/48kczj/sli_graphics_versus_non_sli_for_password_hash/


Lordpiggy says it better than me lol
 
> Well, there are a few caveats.... If your password looks like random gibberish then the device would not even know that it had succeeded and cruise right by it. And most password-protected devices these days have timeouts and limited retries exactly to prevent machines from trying a bazillion in an instant. Sorry, three tries and you're locked out for 24 hours.
>
> What it does do, however, is to create a big mess for crypto/security in general. It used to be a pain to crack a secure encrypted connection. Now it is not. Random password or no, I can rerun your packet streams with different keys as many times and as fast as I want.
>
> You think you get privacy with your VPN? Lol! No.

Truth is that most hackers don't need every password to crack, even 10% of them that goes easily is already a lot of material to work with. All those who worry, all you need is not to be the weakest in the database, nobody will spend forever to crack your password if you are not a millionaire.
Best thing you can do is have some kind of 2 factor, SMS, mail, whatever. As long as it's there, even a weak password is not an issue.
If password is the only hope then do either:
long password (words&connectors method)
random noise (word with extra special char inside, but not e to 4 etc., like spe&cial)
Completely random 8-12 chars if you don't use password managers.
Avoid:
anything you post online; connected emails will be checked for social accounts and any pet/kid/organization names will be first on priority to check.
password_strength.png
 
As above poster demonstrates, password length is far more important than complexity. The best version is a few random words with a set of numbers and special character thrown inside somewhere. Seems easy for us humans but the attack will have no idea of the sequence used and therefore must rely entirely on brute force, which is ineffective against that level of entropy.
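
Added example, not part of any post in this thread: a small Python sketch of the points argued above, namely the 96^n keyspace arithmetic, offline matching by hash equality (so "gibberish" passwords are detected like any other), and why a salted, iterated hash changes the time estimate far more than a faster GPU does. Assumptions: SHA-256 stands in for a fast unsalted hash (it is not NTLM), PBKDF2 at 100,000 iterations is an assumed storage setting, the 16-lowercase-letter comparison and the 3-character target are constructed, and all function names are hypothetical.

```python
import hashlib, itertools, os, time

def keyspace(charset_size, length, incremental=False):
    """Candidates of exactly `length` chars, or of every length 1..length."""
    if incremental:
        return sum(charset_size ** n for n in range(1, length + 1))
    return charset_size ** length

def fast_hash(pw, salt=b""):
    # Stand-in for an unsalted single-pass hash (SHA-256 here, not NTLM).
    return hashlib.sha256(salt + pw).digest()

def slow_hash(pw, salt, iterations=100_000):
    # Salted, iterated KDF of the kind meant for password storage.
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)

def guesses_per_second(fn, *args, min_time=0.2):
    """Measure how many times this machine can run fn(*args) per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < min_time:
        fn(*args)
        n += 1
    return n / (time.perf_counter() - start)

def offline_search(target, alphabet, max_len, hash_fn):
    """Exhaustive incremental search; a hit is just hash equality."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo).encode()
            if hash_fn(cand) == target:
                return cand.decode()
    return None

def years_to_exhaust(space, rate):
    return space / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)
    fast = guesses_per_second(fast_hash, b"candidate")
    slow = guesses_per_second(slow_hash, b"candidate", salt)
    print(f"fast: {fast:,.0f}/s  slow: {slow:,.1f}/s  ratio: {fast/slow:,.0f}x")
    for label, size, length in [("8 chars of 96", 96, 8), ("16 chars of 26", 26, 16)]:
        space = keyspace(size, length)
        print(f"{label}: {space:.2e} candidates, "
              f"{years_to_exhaust(space, fast):.2e} y fast, "
              f"{years_to_exhaust(space, slow):.2e} y slow")
    # Constructed target: a 3-character "gibberish" password.
    print(offline_search(fast_hash(b"}(@"), "1}(@!", 3, fast_hash))
```

The rates printed are for a single CPU thread on the machine running the script, so the absolute times are only meaningful relative to each other.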
 