Nvidia RTX 5090 can crack an 8-digit passcode in just 3 hours

It can. A single 5090 can crack an 8-digit passcode (numbers only) in 3 hours. It shows it directly in the chart embedded in the article.
 
And this is why most places won't let you make a password that doesn't include a combination of upper case and lower case letters, numbers, and special characters.

But most places also have at least basic SMS or email 2FA passcodes, and those that don't, like forums and other low security places, have Google or other sign in options which themselves are 2FA'd.

TH should do an article "Why you should have a 'junk' Google account" exactly for situations like that.
 
"The good news is that cracking hashes in the way Hive Systems demonstrates requires hackers to have a stolen database of password hashes in the first place. Without this, hackers can't brute-force hack password hashes." - Author

Too broad. A measly Radeon 7900 XTX ramming through about 100 million NTLM hashes per second could purely brute force [no dictionary or rainbow table(s), the latter being especially effective for NTLM (Windows) since passwords aren't salted and therefore can be precomputed] in about 25 days for an 8-character password with letters and numbers. Interestingly, bcrypt with a cost of 10 increases this number to about 17,000 years, demonstrating how much impact the different hashing algorithms have on password anti-cracking security.

Would have been nice to also show their table that shows longer passwords as this really drives the message home on the importance of longer passwords.

Don't want to give a false sense of security when possible. Hackers can and will use even more GPUs to speed up this process, such as distributed clusters of multi-GPU systems, and cracking tools exist that are able to utilize those (>12 GPUs). Yes, it's going to be cost-prohibitive outside of well-resourced attackers, though renting GPU compute is possible and might be done for targeted attacks where continuous or near-continuous 24/7/365 hashing isn't needed.
 
I'm absolutely in favor of enforcing long password with special characters when creating one.

But please for the love of god don't force me to use only specific special characters deemed worthy for whatever reason.
 
Those password limitations actually make them easier to crack, since many people go for the minimum length following the rules. You can eliminate a huge number of potential passwords if you can find out or try the basic password template rules first.

I believe the common wisdom is still to string together long dictionary words (making them easy to remember) and salting in the special characters and numerals required.
 
Those password limitations actually make them easier to crack, since many people go for the minimum length following the rules. You can eliminate a huge number of potential passwords if you can find out or try the basic password template rules first.

I believe the common wisdom is still to string together long dictionary words (making them easy to remember) and salting in the special characters and numerals required.
CrackhUg3w1sd0m$alT1ng
Like this? But won't the crackers know to replace letters with their special character equivalent? It surely slows them down, I suppose.
 
Here is a quick and easy suggestion you can tell your friends and family to do for passwords.
Make the password a sentence:
I like cats and dogs a lot and I have #2 of them

Something easy for them to remember and easy to type out.
 
This article is AI-generated slop.

An 8 digit password has at most 99999999 combinations. The GPU has nothing whatsoever to do with entering combinations to see if a website/file unlocks.

The ONLY and sole relevant factor is how fast you can enter numbers, which is down to the CPU not the GPU. Or if it's a website, the speed of the connection and whether the website locks you out for a period of time after X number of attempts.

Utter AI slop.
 
It all depends how a hash of the password is calculated. It is trivial to make the hash function 10x harder to compute just by running 10 rounds of the current hashing scheme, whatever it is. All the numbers in the table will then become 10x bigger, with no extra requirement on the user to provide longer and more unwieldy passwords.

The ridiculous requirement of long passwords is a blatant cover tactic of corporations to protect themselves when, through their carelessness, the password hashes are stolen. The brute force attack above is only viable when the attacker has the hashes. Without that, even a 4 letter password is completely sufficient.
 
Here is a quick and easy suggestion you can tell your friends and family to do for passwords.
Make the password a sentence:
I like cats and dogs a lot and I have #2 of them

Something easy for them to remember and easy to type out.
Used to do this all the time but now you have all the different sites that have slightly different rules. Very long strings of even all numbers would be impossible to break but they want all their special characters or no duplicate letters, no spaces, etc. You end up with so many rules you have to keep a sheet of paper with all the different passwords written down on. People get frustrated and start to use a simple password and try to meet some arbitrary rules.
 
People should try mixing languages in passwords, not only the upper and lower case and symbol possibilities ... There are 155933 possibilities for each input if you use mixed-language characters (as of Unicode ver16).
 
"The good news is that cracking hashes in the way Hive Systems demonstrates requires hackers to have a stolen database of password hashes in the first place. Without this, hackers can't brute-force hack password hashes." - Author

Too broad. A measly Radeon 7900 XTX ramming through about 100 million NTLM hashes per second could purely brute force [no dictionary or rainbow table(s), the latter being especially effective for NTLM (Windows) since passwords aren't salted and therefore can be precomputed] in about 25 days for an 8-character password with letters and numbers. Interestingly, bcrypt with a cost of 10 increases this number to about 17,000 years, demonstrating how much impact the different hashing algorithms have on password anti-cracking security.

Would have been nice to also show their table that shows longer passwords as this really drives the message home on the importance of longer passwords.

Don't want to give a false sense of security when possible. Hackers can and will use even more GPUs to speed up this process, such as distributed clusters of multi-GPU systems, and cracking tools exist that are able to utilize those (>12 GPUs). Yes, it's going to be cost-prohibitive outside of well-resourced attackers, though renting GPU compute is possible and might be done for targeted attacks where continuous or near-continuous 24/7/365 hashing isn't needed.
Are the ones attempting to crack a password able to get around the 3 failed attempts and you're locked out? I don't know how it works. Does a program just keep trying different combinations?
 
Well, yeah, but isn't this part of the problem and everyone's current fear factor? With a bigger number cruncher you can chew up more numbers.... That's 1+2 ='s front end performance. But what about the back end when brute force compute power is so powerful that no password is safe? Are we not already there? With the advent of AI and quantum computing, the only way currently to "protect" a digital thing is to air gap it. If it's online, it's vulnerable.

I dunno about the rest of ya, but that concerns me greatly! Every Government already can and has already stolen everything about you and your neighbor regardless of country or zip code. Not if, but when the kid in your neighbor's basement can do the same, then what? Again, are we not already there?
 
This article is AI-generated slop.

An 8 digit password has at most 99999999 combinations. The GPU has nothing whatsoever to do with entering combinations to see if a website/file unlocks.

The ONLY and sole relevant factor is how fast you can enter numbers, which is down to the CPU not the GPU. Or if it's a website, the speed of the connection and whether the website locks you out for a period of time after X number of attempts.

Utter AI slop.
This article is discussing the case where an attacker has obtained a list of hashed passwords (e.g. from a previous data breach). In order to crack those passwords, the attacker must guess a password, compute the hash of that password, and compare against the hashed password list. A GPU can be used to massively increase the rate at which hashing is performed.

You complain that the article is AI slop, but it doesn't seem like you actually read it.
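The arithmetic behind the NTLM-vs-bcrypt post, the "run the hash ten times and every number in the table grows tenfold" argument, and the offline-cracking model described in the reply just above, worked through as an added example that is not from any poster or from the article. The 100 million hashes per second figure and the 62-character alphanumeric alphabet are the thread's; the PBKDF2 iteration count and the sample password are assumptions for this example, and the salted, stretched storage shown is the defender's side of the same arithmetic.

```python
"""Offline-cracking cost estimates plus salted, stretched password storage (added example)."""
import hashlib
import hmac
import os

ALNUM = 26 + 26 + 10   # upper + lower + digits: the 8-character alphanumeric case in the thread
DIGITS = 10            # the headline's numbers-only passcode
SECONDS_PER_DAY = 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover (10**8 for an 8-digit passcode)."""
    return charset_size ** length


def exhaustive_days(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case days to try every candidate against a stolen hash list at the given rate."""
    return keyspace(charset_size, length) / hashes_per_second / SECONDS_PER_DAY


def stretched_days(charset_size: int, length: int, hashes_per_second: float, rounds: int) -> float:
    """Running the hash `rounds` times divides the attacker's effective rate by `rounds`,
    so every estimate grows by that factor without requiring a longer password."""
    return exhaustive_days(charset_size, length, hashes_per_second / rounds)


def hash_password(password: str, iterations: int = 600_000, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. The per-user random salt defeats precomputed (rainbow)
    tables, which work against unsalted NTLM; `iterations` is the tunable work factor.
    The 600_000 default is an assumption for this example, not a figure from the thread."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    rate = 100e6  # the thread's ~100 million NTLM hashes/second on one Radeon 7900 XTX
    print(f"8 alphanumeric chars @ {rate:.0e} H/s: {exhaustive_days(ALNUM, 8, rate):.1f} days")
    print(f"same, hash run 10 times:            {stretched_days(ALNUM, 8, rate, 10):.1f} days")
    salt, digest = hash_password("correct horse battery")  # constructed sample password
    print("verify:", verify_password("correct horse battery", salt, digest))
```

The 25-day figure falls straight out of 62**8 / 1e8 hashes per second; a site that also enforces lockouts only matters for online guessing, which this offline model does not touch.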
 
"The good news is that cracking hashes in the way Hive Systems demonstrates requires hackers to have a stolen database of password hashes in the first place. Without this, hackers can't brute-force hack password hashes." - Author

Too broad. A measly Radeon 7900 XTX ramming through about 100 million NTLM hashes per second could purely brute force [no dictionary or rainbow table(s), the latter being especially effective for NTLM (Windows) since passwords aren't salted and therefore can be precomputed] in about 25 days for an 8-character password with letters and numbers. Interestingly, bcrypt with a cost of 10 increases this number to about 17,000 years, demonstrating how much impact the different hashing algorithms have on password anti-cracking security.
I'm not sure how your response relates to text from the article you quoted. If you're trying 100 million hashes per second, that's against an offline hash list that has already been obtained. There's no way your authentication server is responding to 100 million authentication requests a second.
 
Well, yeah, but isn't this part of the problem and everyone's current fear factor? With a bigger number cruncher you can chew up more numbers.... That's 1+2 ='s front end performance. But what about the back end when brute force compute power is so powerful that no password is safe? Are we not already there? With the advent of AI and quantum computing, the only way currently to "protect" a digital thing is to air gap it. If it's online, it's vulnerable.

I dunno about the rest of ya, but that concerns me greatly! Every Government already can and has already stolen everything about you and your neighbor regardless of country or zip code. Not if, but when the kid in your neighbor's basement can do the same, then what? Again, are we not already there?
No, we're not there yet. It is still very feasible to create passwords/keys that are effectively impossible to crack with technology available now or in the near future. The need for airgapping comes from the risk that a sufficiently motivated and funded attacker will eventually find a way that bypasses the password, particularly for high value targets.

Unless you choose weak passwords and/or reuse passwords, I wouldn't worry too much about your online login passwords getting cracked. In most cases, the human beings involved are the weak link in security, e.g. falling victim to phishing or other social engineering.
 
I feel the title is misleading/vague/clickbait: it looks like a single GPU can achieve the claimed activity...

Hi. Cybersecurity engineer here. I'll take that 2 hrs and 45 minutes if it actually happens any day of the week. Lockbit ransomware just got some of their members' passwords posted (see bleepingcomputer.com). They were mostly without special characters, some being all lowercase or just numbers. If some of those have admin level stuff, I just saved myself hrs of trying to bypass the passwords instead, meaning it's that much less likely in an incident response situation that your private data is leaked, sold, and used fraudulently.