One RTX4090 Cannot Crack a 8 Character Password in 48 minutes

Bazzawill · 12 November 2022 13:26

Hey Fab,
I thought this might interest you just in the way your colleagues are reporting. So as a upcoming infosec warrior the news that the new Nvidia RTX 4090 was a password cracking beast caught my attention. Initially I only caught a video report overview and followed up with some fairly shallow googling all of which seemed to indicate the RTX 4090 could possibly crack a 8 character (alPHa numeric + symbol) password in 48 minutes. Now this could have also been my brain skipping the details or it could have been deeply hidden in the fine print.
When I finally decided to dig further (and calculate larger passwords) I discovered the truth. One 4090 can crack an 8 char password in 16 hours, 42 minutes comes from 8 running together (which would cost a mere $13,000 (not to mention power and if it is even possible to run these beasts of cards like this).

The news that the 4090 cracks passwords twice as fast as its predecessor is valuable. 16 hours for a 8 char password is a concern and could warrant a change in password policies. And it is worth mentioning that it would be possible to increase the speed and I am sure there would be at least one person that will try to create the 8 card monster (hopefully not burning their house down in the process).

However, the click baitty exaggeration likely made by an editor I can see went something like this article title

RTX 4090 can crack 8 character password in 16 hours

hang on a second you say it is theoretically possible to do this is 48 minutes

RTX 4090 can crack 8 character password in 48 minutes

astralc · 14 November 2022 11:32

Didn’t watch the video, does it mention how? I assume it to find the string that match known hash. For “asking the next question” - Was it salted/what kind of hash/what was the password limitation.
Because, always, there is a big but.

BUT…

Bazzawill · 14 November 2022 22:20

It is not salted iterative hash cracking
This is the bench the calculations are based on

gist.github.com

https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd

RTX_4090_v6.2.6.Benchmark

NVIDIA Driver Version: 522.25        CUDA Version: 11.8

Credit: blazer
For benchmarking the card and allowing me to release the benchmarks here 

The hashcat installation used includes a change to the tuning ALIAS.hctune file to include the RTX 4090 as "ALIAS_nv_sm50_or_higher".
The "Kernel exec timeout" warning is cosmetic and does not affect the speed of any of the benchmarked modes.
Benchmark was run at stock clocks on an Asus Strix 4090.

This file has been truncated. show original

First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to blazer for the run. Full benchmarks here: https://t.co/Bftucib7P9 pic.twitter.com/KHV5yCUkV4
— Chick3nman 🐔 (@Chick3nman512) October 14, 2022

SteveB · 20 November 2022 01:49

hashcat is excellent software for both cpu and gpu use, and johntheripper does a great job distributing on a cluster. Definitely not in the interest of keeping my work easy, but with 256 bit encryption, you are going to want to look at increasing your password to 43 characters to maximize entropy. GRC's | Password Haystacks: How Well Hidden is Your Needle? is a great place to see how easy it is to crack a password.