Eight RTX 4090s Can Break Passwords in Under an Hour - Tom's

UsandThem

Elite Member
Super Moderator
May 4, 2000
https://www.tomshardware.com/news/eight-rtx-4090s-can-break-passwords-in-under-an-hour

Security researcher Sam Croley took to Twitter to share just how incredible Nvidia's new RTX 4090 really is... at cracking passwords. It turns out it's twice as fast as the previous leader, the RTX 3090, at breaking one of your passwords — even when faced off against Microsoft's New Technology LAN Manager (NTLM) authentication protocol and the Bcrypt password-hacking function.
The researchers estimate that a purpose-built password hashing rig (pairing eight RTX 4090 GPUs) could crack an eight-character password in 48 minutes.
Of course, that assumes that the password is at least eight characters long and that it follows the required conventions (at least one number and a special character included). When HashCat is driven to test the most commonly used passwords, however, it can bring a theoretical 48-minute cracking operation that attempted all 200 billion possible combinations down to the millisecond range.
Surely no hackers would dare buy eight whole RTX 4090 GPUs to do such a nefarious thing as break/collect/sell passwords though, so no worries there. ;)
 

RnR_au

Senior member
Jun 6, 2021
Do the Anandtech forums have 2-factor authentication? I haven't even checked...
 

Borealis7

Platinum Member
Oct 19, 2006
No need to panic.
I have done similar "password cracking" work like this with HashCat in the past. The "cracking" is a brute force method that is predicated on having access to the user database where the password's hash is stored (for many years the industry standard has been to not store the actual passwords in databases, only their hash value, and to compare the hash of the input to the stored hash string).
They can't hack into your account if they don't have the hashed string. It's still interesting, and BTW there is special purpose hardware that does exactly that in much less time...
 

amenx

Diamond Member
Dec 17, 2004
Surely no hackers would dare buy eight whole RTX 4090 GPUs to do such a nefarious thing as break/collect/sell passwords though, so no worries there. ;)
Not very reassuring. Or maybe you forgot the /s? :p
 

Dribble

Platinum Member
Aug 9, 2005
What I guess this means is any 8-character password will be cracked, as the 4090s can brute force all the combinations, although you could slow it down by hashing more times. That said, for most pw files (thousands of encrypted passwords stolen from some site) you can be smart and look using all the standard words and replacements, and will generally get a good % of them, including those longer than 8 characters, with something much slower than a 4090 in an hour.
 

mikeymikec

Lifer
May 19, 2011
I assume when they say NTLM they mean NTLMv2... they've got to, right? The latter was introduced in NT4.0 SP4... I wonder if it's set as the minimum allowable authentication scheme yet; I remember forcing it to be on at least Win2k.

It's pretty niche though, wanting to crack NTLM passwords? I would have thought the big money is in cracking whatever password hash format is the most commonly used on e-commerce sites these days? I guess cracking NTLM passwords is still handy if the attacker has found a way in to a corporate network and is at the point of trying to access the main company file shares. Chances are though that if an attacker has reached that stage, they've already gained the credentials of at least one employee, and finding an employee with a decent level of access who is dumb enough to fall for phishing tactics probably isn't too hard :D
 

Dribble

Platinum Member
Aug 9, 2005
I assume when they say NTLM they mean NTLMv2... they've got to, right? The latter was introduced in NT4.0 SP4... I wonder if it's set as the minimum allowable authentication scheme yet; I remember forcing it to be on at least Win2k.

It's pretty niche though, wanting to crack NTLM passwords? I would have thought the big money is in cracking whatever password hash format is the most commonly used on e-commerce sites these days? I guess cracking NTLM passwords is still handy if the attacker has found a way in to a corporate network and is at the point of trying to access the main company file shares. Chances are though that if an attacker has reached that stage, they've already gained the credentials of at least one employee, and finding an employee with a decent level of access who is dumb enough to fall for phishing tactics probably isn't too hard :D
The case here is they have already hacked the site and got the users' encrypted pw's out, so they have a list of x thousand encrypted passwords. If they can decrypt some of those pw's then they can log on to the site as that user, get their credit card details, send emails in their name, etc.

So you have your file of pw's using some encryption method (only makes a minor difference which one), and your box full of 4090s. With the 4090s you can try every variant of up-to-8-character pw in 1 hour or so - i.e. the 4090s take an unencrypted random 8 chars, encrypt it, test it against the list of encrypted pw's it has, tick off any that match, switch the chars, and repeat until every combination has been tested. Hence any 8-characters-or-less pw will get broken, no matter what it is or what encryption scheme is used or how clever the pw owner thinks they were with the choice of characters.

Obviously that's brute forcing - they will also run against a dictionary of words (which is not just the Oxford English Dictionary, it'll be words that have been repeatedly found in previously broken pw files) and have a set of rules. The rules are all the ones that users do, like add a ! or some numbers to the end or replace e with 3, or whatever. Again these rules are generated by looking at what people have done in other cracked pw files. So before/after your 8-char crack they can run a rule-based check and probably get most much longer pw's.

Hence the safest pw would be a very long, completely random one, but really the only way we as humans can manage that is with a password program that generates and stores them for you - e.g. LastPass. Only the problem there is what happens if your pw generator and storage program gets hacked - and yes, LastPass was hacked last year.
 

mikeymikec

Lifer
May 19, 2011
The case here is they have already hacked the site and got the users' encrypted pw's out, so they have a list of x thousand encrypted passwords. If they can decrypt some of those pw's then they can log on to the site as that user, get their credit card details, send emails in their name, etc.
I'd be surprised if any e-commerce operator uses NTLM with regard to user-website authentication.
 

lopri

Elite Member
Jul 27, 2002
How do they circumvent the anti-hack lock, e.g. 5 max tries, etc?

or can they?
 

beginner99

Diamond Member
Jun 2, 2009
Do the Anandtech forums have 2-factor authentication? I haven't even checked...
Like I care if someone steals this account. Just create a new one.

How do they circumvent the anti-hack lock, e.g. 5 max tries, etc?
or can they?
In cases like this they have access to, or have stolen, the entire user database, so the limits don't apply.

No need to panic.
I have done similar "password cracking" work like this with HashCat in the past. The "cracking" is a brute force method that is predicated on having access to the user database where the password's hash is stored (for many years the industry standard has been to not store the actual passwords in databases, only their hash value, and to compare the hash of the input to the stored hash string).
They can't hack into your account if they don't have the hashed string. It's still interesting, and BTW there is special purpose hardware that does exactly that in much less time...
And that is why you must use a proper hash function made for hashing passwords, plus you must also use a per-user salt. The salt is just some random bits you add in front of or at the end of the password before you hash it. This can (must) be stored in clear text in the database. The purpose is to avoid rainbow tables, e.g. precalculation of hashes, so even "123456" takes at least some minor effort to crack.

A proper hash function intentionally uses a lot of memory and is intentionally slow. I had to change the hash function config for my GF's password manager because I set it too hard and her older iPad ran out of memory when unlocking the password manager (no joke). It matters a lot if you need 64 MB of RAM and 500 ms to hash. (Important: it must be time-constant for each input.) The RAM makes it hard to use an FPGA/custom chip, and the fixed time makes it simply too slow for brute force.
 
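As an added example (not code from any poster in this thread), here is the defender-side version of what beginner99 describes, and what turns Dribble's "try every 8-character combination" arithmetic against the attacker: a random per-user salt plus a deliberately slow, memory-hard KDF (scrypt via Python's hashlib, with parameters chosen for roughly 64 MiB per evaluation), a constant-time verify, and for contrast the fast unsalted hash that lets one precomputed table crack every user at once. The record format and the cost parameters are this example's own assumptions, not a particular site's.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed cost parameters: scrypt needs about 128 * r * N bytes per evaluation,
# so N=2**16, r=8 is ~64 MiB, in the range beginner99 mentions. Raise or lower
# SCRYPT_N to trade memory/time against what your slowest client can afford.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 16, 8, 1
SCRYPT_MAXMEM = 128 * 1024 * 1024   # OpenSSL's default cap is 32 MiB, so raise it
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$hash' (format assumed here).
    The salt is stored in the clear; it only has to be unique per user, not secret."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; old records keep verifying
    after the defaults above are raised, so costs can be migrated at next login."""
    algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=int(n), r=int(r),
                            p=int(p), maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    # Constant-time comparison: the check itself leaks nothing about matching bytes.
    return hmac.compare_digest(actual, expected)


def unsalted_fast_hash(password: str) -> str:
    """The pattern the thread warns against: a single fast, unsalted digest. Every
    user with the same password gets the same value, so one precomputed table of
    common passwords (the rainbow-table case) cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_cost_seconds(password: str = "123456") -> float:
    """Wall-clock cost of one guess with the parameters above; this, not the GPU,
    is the number that decides how long a brute-force run takes."""
    start = time.perf_counter()
    hash_password(password)
    return time.perf_counter() - start
```

Two users choosing "123456" get different records under `hash_password` but identical values under `unsalted_fast_hash`; multiply `hash_cost_seconds()` by the 200 billion combinations from the article to see why the slow KDF matters more than the password length.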

tcsenter

Lifer
Sep 7, 2001
it's still interesting and BTW there is special purpose hardware that does exactly that in much less time...
I was going to ask about this very thing, whether there are specialty boards or blades using some custom ASIC processor (e.g. Cell BE/PowerXCell derivative?) that is ferocious at cryptographic/cracking and would be superior for the money (as well as complexity, power, thermal) to eight darn RTX 4090 GPUs?
 

Borealis7

Platinum Member
Oct 19, 2006
I was going to ask about this very thing, whether there are specialty boards or blades using some custom ASIC processor (e.g. Cell BE/PowerXCell derivative?) that is ferocious at cryptographic/cracking and would be superior for the money (as well as complexity, power, thermal) to eight darn RTX 4090 GPUs?
The one I used to work with had a 60 W board power (PCIe) and outperformed a single RTX3080 in that specific task.
 

DAPUNISHER

Super Moderator and Elite Member
Moderator
Aug 22, 2001
Ok who banned the super moderator?

I am now scared lurking these forums! :eek:
You're already a ghost; what can the living do to you? :D

For those of you that are curious, the Pink Floyd fan moved on to happier hunting grounds. The line through the username is not only for those that are banned. If you close your own account here, which is what happened, it has the same result.

To answer the obvious question -

I don't know for certain. However, he had expressed on multiple occasions that he was no longer interested in computer tech. And that the pandemic and all the misery it brought to the hobby exacerbated those feelings. I surmise he felt it best to quit cold turkey.
 

Borealis7

Platinum Member
Oct 19, 2006
Using what IC/ASIC/CPU?
It was a "von Neumann on steroids" PCIe board for in-memory compute with a proprietary ASIC and tons of SRAM (memory that can perform a simple calc op). Kind of like a mining card, but for AI acceleration. We even considered opening a mining acceleration app team when BTC was at its peak. Sadly, I no longer work there and my project was taken over by other people :cry:

the GSI Gemini APU
 

GunsMadeAmericaFree

Senior member
Jan 23, 2007
Passwords should incorporate an additional 'pin' where the numbers are randomly rearranged each time, and you use the mouse to select them, with no keyboard input, in addition to the traditional password....
 

Leeea

Platinum Member
Apr 3, 2020
Passwords should incorporate an additional 'pin' where the numbers are randomly rearranged each time, and you use the mouse to select them, with no keyboard input, in addition to the traditional password....
Just get a security token and be done with it... the kind that you push the button and it spits out a six digit code to type into a 3rd field. Code changes every time. There is also the virtual type that goes on a phone*. Both work well.

E*Trade, my 2-bit local bank, Google, Amazon, login.gov all support it.

*It doesn't need to be a phone you connect to the internet, and the code can be passed to another phone using QR codes. Just pop the SIM out of an old phone or two and dedicate them.
 
