On May 2nd, cybersecurity firm Hive Systems recently unveiled their research results on cracking passwords using NVIDIA GPU cards. It's quite impressive and a bit scary, to be honest.
Unlike other methods using AI to crack passwords, Hive Systems utilized hash cracking, which involves GPU brute force computing to crack hashes. They tested both MD5 and bcrypt encryption methods, with the latter being more complex and posing a higher level of difficulty to crack.
The tested GPUs range from gaming-grade RTX 2080, RTX 3090, RTX 4090 to professional accelerator card A100, including configurations with 8, 12, and 10,000 GPUs (ChatGPT).
For a pure numeric password encrypted with MD5, these GPUs can crack it instantly. If it only consists of lowercase letters, the A100 can handle it right away, while an RTX card would take a maximum of 6 seconds.
For a mix of uppercase and lowercase letters, along with numbers, it's a bit more secure, but still not a big challenge. Even an RTX 2080 can crack it within 2 hours.
As for the most complex combination of numbers, uppercase and lowercase letters, and symbols, an RTX 2080 and RTX 3090 would take 4 and 2 hours respectively, while an RTX 4090 can crack it in just 59 minutes.
The A100 makes it even easier, with 8 or 12 units working together taking just over ten minutes. For something on the scale of ChatGPT with thousands of units, it can be cracked in just 1 second.
Breaking bcrypt encryption is much more difficult, even a purely numerical password can only withstand 9 minutes against an RTX 4090.
For a combination of numbers and upper/lowercase letters, it would take tens to hundreds of years for a gaming graphics card, with an RTX 4090 requiring a staggering 38 years.
To be truly secure, a mix of numbers, upper/lowercase letters, and symbols is necessary. An RTX 2080 would need to run for up to 989 years, while an RTX 4090 would require continuous operation for 99 years!
Even with an A100, it would still take some effort. With 8 or 12 GPUs, it would take 17 years and 12 years respectively, and even with thousands of GPUs working together, it would still take 5 days.
However, there is no need to panic excessively. The premise of this research assumes obtaining the hash value of your password, which is not easy in itself. Moreover, it does not consider multi-factor authentication (MFA), and using multiple A100 GPUs is not something easily achievable.
Of course, it is crucial to ensure that personal passwords are not too simple, especially avoiding purely numerical ones. A combination of upper/lowercase letters and numbers is a more suitable choice.
