One RTX 4090 Cannot Crack an 8 Character Password in 48 Minutes

Hey Fab,
I thought this might interest you, just in the way your colleagues are reporting. So, as an upcoming infosec warrior, the news that the new Nvidia RTX 4090 was a password cracking beast caught my attention. Initially I only caught a video report overview and followed up with some fairly shallow googling, all of which seemed to indicate the RTX 4090 could possibly crack an 8 character (alphanumeric + symbol) password in 48 minutes. Now this could have also been my brain skipping the details, or it could have been deeply hidden in the fine print.
When I finally decided to dig further (and calculate larger passwords) I discovered the truth. One 4090 can crack an 8 char password in 16 hours; 42 minutes comes from 8 running together (which would cost a mere $13,000, not to mention power and whether it is even possible to run these beasts of cards like this).

The news that the 4090 cracks passwords twice as fast as its predecessor is valuable. 16 hours for an 8 char password is a concern and could warrant a change in password policies. And it is worth mentioning that it would be possible to increase the speed, and I am sure there would be at least one person that will try to create the 8 card monster (hopefully not burning their house down in the process).

However, the clickbaity exaggeration, likely made by an editor, I can see went something like this. Article title:

RTX 4090 can crack 8 character password in 16 hours

Hang on a second, you say it is theoretically possible to do this in 48 minutes?

RTX 4090 can crack 8 character password in 48 minutes

Didn’t watch the video, does it mention how? I assume it is to find the string that matches a known hash. For “asking the next question”: was it salted, what kind of hash, what was the password limitation?
Because, always, there is a big but.


It is not salted iterative hash cracking.
This is the bench the calculations are based on:

First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to blazer for the run. Full benchmarks here:

— Chick3nman 🐔 (@Chick3nman512) October 14, 2022

hashcat is excellent software for both CPU and GPU use, and John the Ripper does a great job distributing on a cluster. Definitely not in the interest of keeping my work easy, but with 256 bit encryption, you are going to want to look at increasing your password to 43 characters to maximize entropy. GRC's Password Haystacks: How Well Hidden is Your Needle? is a great place to see how easy it is to crack a password.
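
For sizing a password policy against the rates quoted in the benchmark tweet above (300 GH/s NTLM, 200 kH/s bcrypt), the following is an added example and not part of the thread or of hashcat. It assumes a 95-symbol printable ASCII alphabet, uniformly random passwords, and linear scaling across cards; the function names are made up for illustration.

```python
import math

# Per-card rates quoted in the benchmark tweet, in hashes per second.
# The bcrypt figure depends on the cost factor used in the benchmark run.
RATES = {"NTLM": 300e9, "bcrypt": 200e3}
ALPHABET = 95  # assumption: printable ASCII (upper, lower, digits, symbols, space)
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length, alphabet=ALPHABET):
    """Number of candidate passwords of exactly this length."""
    return alphabet ** length


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet)


def worst_case_seconds(length, algo, gpus=1, alphabet=ALPHABET):
    """Time to try every candidate; assumes linear scaling across cards."""
    return keyspace(length, alphabet) / (RATES[algo] * gpus)


def min_length(algo, years, gpus=1, alphabet=ALPHABET):
    """Shortest length whose full search takes at least `years`."""
    length = 1
    while worst_case_seconds(length, algo, gpus, alphabet) < years * SECONDS_PER_YEAR:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for algo in RATES:
        for gpus in (1, 8):
            t = worst_case_seconds(8, algo, gpus)
            print(f"{algo:7} 8 chars, {gpus} card(s): {human(t)}")
        need = min_length(algo, 100, gpus=8)
        print(f"{algo:7} length for a 100-year search on 8 cards: "
              f"{need} chars ({entropy_bits(need):.0f} bits)")
```

The gap between the two algorithms is the point for policy: the same password length gives very different margins depending on how the stored hash is computed.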