- Twelve RTX 5090 GPUs can crack short (but complex) passwords in days
- Password complexity and length drastically increase the time needed for brute force
- Real-world cracking could be faster than Hive Systems' worst-case estimates
The cybersecurity firm Hive Systems has published its latest password cracking table for 2025, built around a simulated attack using 12 NVIDIA RTX 5090 GPUs.
The conclusion? If your password is short, simple and predictable, it will not last long. But if you are already using long and unique passwords with a combination of letters, numbers and symbols, there are few reasons to panic.
The RTX 5090 is NVIDIA's most powerful gaming GPU so far, but in Hive Systems' tests it doubles as a password cracking machine.
Longer is much better
A hash representing a six-character password made up of numbers and lowercase letters could take only 14 days to crack using a brute-force approach. However, add complexity and length, and the timeline grows rapidly. For example, an 18-character password that uses lowercase letters, numbers, uppercase letters and symbols would take approximately 463 quintillion years to crack.
Hive's research models a worst-case brute-force attack scenario, where the attacker has already stolen a database of password hashes and is using powerful hardware to guess the password behind each hash. It does not reflect more common attacks such as phishing or password reuse, but it highlights why short passwords remain a risk.
It is worth pointing out, as PC Gamer notes: “Passwords could be cracked much faster than the numbers indicate here, since the software could stumble on the correct one earlier in the process.”
bcrypt, the hash algorithm Hive used in its test, is commonly used to hash passwords before storing them. Although a hash cannot be reversed directly, the password behind it can be guessed by generating hashes from millions or billions of possible combinations and comparing them. That's where GPUs stand out. Parallel processing makes them ideal for guessing passwords at scale.
Hive also analyzed what would happen if attackers had access to much more power, such as the 20,000 NVIDIA A100 GPUs used to train ChatGPT-4. Even then, an 18-character password would only take hundreds of years to break.
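How length and character variety drive the brute-force timeline, as an added example that is not Hive Systems' code or data: it computes worst-case and expected exhaustive-search times for a Hive-style table. `ASSUMED_RATE` is a placeholder assumption, not Hive's measured bcrypt speed, so the output will not reproduce the figures quoted above; all function names are illustrative.

```python
import string

# Character classes the article names; sizes are 26, 26, 10 and 32.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Assumed guess rate (bcrypt hashes per second) for the whole rig.
# Placeholder for illustration, NOT a figure measured or published by Hive.
ASSUMED_RATE = 100_000

def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` characters."""
    alphabet = sum(len(CLASSES[c]) for c in classes)
    return alphabet ** length

def crack_seconds(length, classes, rate=ASSUMED_RATE):
    """Return (worst_case, expected) seconds for an exhaustive search."""
    n = keyspace(length, classes)
    # Worst case tries every candidate; on average the hit comes halfway,
    # which is why real cracking can finish well before the table's figure.
    return n / rate, (n + 1) / (2 * rate)

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} seconds"

def table(lengths, class_sets, rate=ASSUMED_RATE):
    """Rows of (length, classes, worst case, expected) as readable strings."""
    rows = []
    for length in lengths:
        for classes in class_sets:
            worst, expected = crack_seconds(length, classes, rate)
            rows.append((length, "+".join(classes), humanize(worst), humanize(expected)))
    return rows

if __name__ == "__main__":
    sets = [("lower", "digits"), ("lower", "upper", "digits", "symbols")]
    for row in table([6, 12, 18], sets):
        print("{:>2}  {:<28} worst {:<36} expected {}".format(*row))
```

Raising `rate` models a larger rig, while each extra character multiplies the search space by the full alphabet size.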
So what is the lesson here? Password length and character variety, especially symbols, still matter. And with consumer GPUs only getting faster, it is a good time to use a password manager and stop trusting anything shorter than 12 characters.