Security researchers demonstrate the password-cracking power of the RTX 4090


Why it matters: Security researcher and password cracker Sam Croley has published benchmarks that highlight the RTX 4090’s password-cracking power. Nvidia’s latest flagship GPU broke previous RTX 3090 benchmark records, doubling performance on nearly all algorithms tested. The cracked passwords followed security best practices and contained random letters, symbols, and numbers.

According to Croley’s tweet, the mammoth GPU was tested against Microsoft’s well-known New Technology LAN Manager (NTLM) authentication protocol and the Bcrypt password hashing function. All tests were performed with Hashcat v6.2.6 in benchmark mode. Hashcat is a well-known and widely used password cracking tool used by system administrators, cybersecurity professionals and cyber criminals to test or guess user passwords.

Based on the benchmark results, a fully loaded password hashing rig with eight RTX 4090 GPUs would have the processing power to iterate through all 200 billion iterations of an eight-character password in 48 minutes. That sub-hour result is 2.5 times faster than the previous record set by the RTX 3090. Both benchmark measurements were carried out exclusively with off-the-shelf GPU hardware and associated software.

Hashcat offers multiple attack types designed to assist with password recovery or, depending on the user, to gain unauthorized access to someone else’s accounts. These attack types include dictionary attacks, combinator attacks, mask attacks, rule-based attacks, and brute force attacks.

Many of the attacks available in Hashcat and other password cracking tools can take advantage of predictable human behavior that often leads to poor security practices. For example, an attack might initially focus on known words, phrases, or patterns to minimize the time required to crack the user’s password. Using these types of lists and data in an attack can reduce the time it takes to crack a password from 48 minutes to just milliseconds.
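To make the effect of predictable patterns concrete, the following added example (not from the article or from Hashcat) compares the candidates a mask attack needs for a password's shape with a full printable-ASCII brute force, the kind of check a password-policy audit can run. The shape heuristic, the guess rate and the sample passwords are assumptions constructed for illustration.

```python
import re
import string

# hashcat's built-in mask charsets; ?a is their union (95 printable chars).
CLASSES = {"?l": string.ascii_lowercase, "?u": string.ascii_uppercase,
           "?d": string.digits, "?s": " " + string.punctuation}
PRINTABLE = sum(len(chars) for chars in CLASSES.values())  # 95

# Assumed heuristic for a "human" shape: optional capital, lowercase run,
# then optional digits and at most one trailing symbol (e.g. Summer22!).
PREDICTABLE = re.compile(r"^(\?u)?(\?l)+(\?d)*(\?s)?$")


def mask_of(password):
    """Return the hashcat-style mask describing the password's shape."""
    mask = []
    for ch in password:
        token = next((t for t, chars in CLASSES.items() if ch in chars), None)
        if token is None:
            raise ValueError(f"character {ch!r} is outside printable ASCII")
        mask.append(token)
    return "".join(mask)


def mask_keyspace(mask):
    """Number of candidates needed to cover every password with this mask."""
    total = 1
    for token in re.findall(r"\?[luds]", mask):
        total *= len(CLASSES[token])
    return total


def audit(password, guesses_per_second):
    """Compare the mask keyspace with a full printable-ASCII brute force."""
    mask = mask_of(password)
    narrowed, full = mask_keyspace(mask), PRINTABLE ** len(password)
    return {
        "mask": mask,
        "predictable_shape": bool(PREDICTABLE.match(mask)),
        "mask_seconds": narrowed / guesses_per_second,
        "full_seconds": full / guesses_per_second,
        "reduction": full // narrowed,
    }


if __name__ == "__main__":
    RATE = 1e11  # constructed guess rate, not a benchmark figure from the article
    for pw in ("Summer22", "k#9Tq!2z"):  # constructed sample passwords
        print(pw, audit(pw, RATE))
```

A small mask keyspace matters only when the shape itself is guessable: every individual password has one, so the `predictable_shape` flag is what a policy check should act on.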

While the benchmark results may sound ominous, it’s important to note that the approach may have only a limited number of real-world use cases. MIRACL Chief Operating Officer Grant Wyatt said that online security tools, practices and configurations tend to push these types of attacks to offline assets.
