The Evolution of Compute Power and Its Impact on Password Cracking

In today’s technological landscape, the growth of compute power, especially in the realm of artificial intelligence (AI), is exponential. The AI boom has led to significant investments in GPUs and specialized ‘accelerators’ by vendors aiming to develop increasingly powerful hardware for training large language models.

For cybersecurity professionals, this rapid advancement raises an intriguing question: if the AI hype subsides and the high-performance hardware remains unused, could it be repurposed for password cracking? And if so, does this signify the impending obsolescence of passwords as a security measure?

To delve into this scenario, a comparison was made between two flagship AI accelerators – the Nvidia H200 and AMD MI300X – and Nvidia’s leading consumer GPU, the RTX 5090. The objective was simple: to determine whether a $30,000 AI GPU holds any advantage in password cracking.

Setting the Stage for Testing

Prior research conducted by the Specops team involved analyzing the time required for attackers to brute-force hashed passwords. Tests on MD5, bcrypt, and SHA-256 algorithms were conducted to assess the speed at which each algorithm could be cracked using the same hardware.

To evaluate the impact of GPUs on this process, Hashcat, a popular password recovery tool known for its benchmarking capabilities, was utilized. Hashcat’s benchmarks showcase the speed at which different hardware can compute password hashes.

It is crucial to understand that password cracking is essentially a numbers game. The swifter a system can generate hashes, the quicker it can test password guesses until the correct one is found.

For this comparison, the focus was on Hashcat benchmark results for five commonly encountered hashing algorithms:

• MD5
• NTLM
• bcrypt
• SHA-256
• SHA-512

These algorithms encompass the standard cryptographic methods found in an organization’s Active Directory, ranging from older, less secure hashes that are relatively easy to crack to modern algorithms with robust encryption.

This selection provided a realistic foundation for pitting three high-end GPUs against each other. These products occupy similar performance levels within their respective markets, making them suitable benchmarks for comparing enterprise AI hardware with consumer-grade GPUs.

Analysis of GPU Performance in Password Cracking

Upon analyzing the results, it becomes evident that across all tested algorithms, the RTX 5090 consistently outperforms both AI accelerators in terms of raw hash generation speed. In various functions, the RTX 5090 hashes passwords nearly twice as fast as the H200.

The comparison of price to performance is particularly striking. A single H200 costs at least ten times more than an RTX 5090, leading one to expect significantly greater performance from the AI accelerator in a head-to-head comparison. However, this expectation is not met.

Adding to this observation is the fact that back in 2017, IBM constructed a password-cracking setup using eight Nvidia GTX 1080s, the premier consumer GPU at that time.

This system achieved an NTLM hash cracking rate of 334 GH/s. Essentially, a consumer GPU rig from nine years ago delivers comparable, if not superior, performance in password cracking compared to today’s top-tier AI accelerators.

Therefore, in response to the question, ‘is a $30,000 GPU effective for password cracking?’, the answer is resoundingly negative.

The True Threat to Organizations

It is crucial to recognize that password cracking does not necessitate specialized or advanced hardware. Seasoned attackers and professional crackers already possess the computational power required to brute-force weak passwords. In the SHA-256 tests conducted, a password comprising numbers, uppercase and lowercase letters, and symbols could be cracked in a mere 21 hours.

Hence, reinforcing stronger passwords is imperative, with emphasis on length as the most effective defense. A 15-character password incorporating a mix of character types, hashed with SHA-256, would take roughly 167 billion years to crack, even with potent GPU hardware. At this point, brute-forcing ceases to be a viable attack strategy.

The primary risk lies in passwords that have been compromised in data breaches. This commonly occurs due to password reuse. While employees may be mandated to create complex Active Directory passwords and store them securely, this protection dissipates if the same password is reused across personal devices, websites, or applications with weaker security protocols.

If attackers manage to link exposed credentials to a specific individual, it becomes relatively straightforward to ascertain their workplace and attempt the identified password against corporate accounts. A niche market exists for initial access brokers specializing in such intrusions.

This underscores the importance of deploying tools capable of detecting compromised passwords within an organization. Early identification of exposed credentials enables security teams to reset accounts and thwart attackers before the compromised passwords are exploited.

How Specops Enhances Security

Specops Password Policy plays a pivotal role in bolstering security through two essential functions:

• Granular password policy management: This solution empowers security teams to implement detailed password policies that surpass the standard Active Directory configurations. It includes support for passphrases and offers preconfigured compliance templates to ensure organizational adherence to required standards. Dynamic feedback assists users in creating robust passwords that are both memorable and resistant to cracking.
• Continuous monitoring for breached passwords: The Breached Password Protection feature conducts ongoing scans of Active Directory against a database containing over 5 billion unique compromised passwords. Customizable alerts inform users if their password has been compromised.

Ultimately, organizations should not solely rely on passwords as their primary line of defense. Implementing multi-factor authentication (MFA) establishes an additional barrier that safeguards accounts even if a password is compromised.

Specops Secure Access offers an extra layer of security for Windows Logon, RDP, and VPN connections.

If you are interested in exploring how Specops can fortify your Active Directory against credential-based attacks, reach out to us today.

Presented and authored by Specops Software.