For years, attackers have used password-cracking tools to break into corporate networks, but the availability of high-performance GPUs has multiplied their capabilities. Here is a look at the password-cracking power of modern GPUs and what we can do about it.
World Password Day, an initiative of the professional cybersecurity community observed on the first Thursday of May every year since 2013 to foster good password habits, has done much to expose the risks of weak passwords. But one day a year is not enough, because an unintended consequence of cheap commodity computing is that passwords have become dramatically more vulnerable.
Attackers have become so adept at cracking passwords that over 15 billion stolen logins from more than 100,000 breaches are available on the dark web, and the use of stolen credentials is behind 61% of all data breaches. Given the tooling attackers now have, there is an urgent need to adopt multi-factor authentication and to use passwords long enough to resist cracking. Unfortunately, attackers have a new weapon in their arsenal: high-performance GPUs that can recover weak eight-character passwords in milliseconds.
The Nvidia GeForce RTX 4090: The Monster Password Cracker
According to Nvidia’s website, the new RTX 4090 graphics card is the ultimate GeForce GPU, redefining expectations for performance, efficiency, and AI-powered graphics. With 24 GB of GDDR6X memory at its disposal, it delivers the ultimate experience for gamers. Unfortunately, it does something else very well too: it cracks password hashes with the same speed and efficiency.
In tests against Microsoft’s New Technology LAN Manager (NTLM) hashes, the RTX 4090 reached roughly 300 GH/s (300 billion hashes per second); against bcrypt, a deliberately slow password hash, the same card managed about 200 kH/s. Either way it is roughly twice as fast as its predecessor, the RTX 3090. The scariest consequence is that a machine running eight RTX 4090s could try every one of the 95^8 (about 6.6 quadrillion) eight-character passwords built from printable ASCII in about 48 minutes of pure brute force against NTLM. That is the worst case: an average eight-character password falls far sooner, and a trite choice such as “12345678” is found in milliseconds, because attackers try short, all-digit candidates first. The same keyspace against bcrypt at 200 kH/s per card would take those eight GPUs well over a century, which is why the hash the server stores matters as much as the password itself.
In other words, for around $1,600 you can be in the password-cracking business, and cracking leads directly to intrusion, because much of today’s IT estate is protected by nothing more than a password. Crack the password of a privileged account and you are in, free to wreak havoc and compromise data. Note that these rates apply to offline cracking of password hashes the attacker has already obtained (from a breach dump or a compromised domain controller, for example); online guessing against a login page is throttled by the server, which is one reason lockouts matter. Today’s GPU cards are more than a great leap forward in gaming. They are also an investment for threat actors who know how to use them.
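To make the arithmetic behind the 48-minute claim concrete, here is an added worked example (not code from the article or from the benchmark it cites). It takes the per-card rates quoted above as given, treats the eight-card rig as a linear multiple, and compares a fast unsalted hash (NTLM) with a deliberately slow one (bcrypt) across password lengths. The alphabet sizes and the assumption that a cracker picks the smallest standard character set that fits a password are the example’s own simplifications.

```python
"""Brute-force cost model for the GPU cracking figures quoted above.

Added example, not from the article. Per-card rates are the hashcat numbers
the text cites for one RTX 4090; everything else is arithmetic.
"""

# Per-card hash rates in hashes/second. NTLM is an unsalted, fast hash;
# bcrypt is a deliberately slow one (figures quoted in the text).
RATES_PER_CARD = {"ntlm": 300e9, "bcrypt": 200e3}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a full brute force must try."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, hash_name: str, cards: int = 1) -> float:
    """Worst-case time to try every candidate on `cards` RTX 4090s (linear scaling assumed)."""
    return keyspace(alphabet_size, length) / (RATES_PER_CARD[hash_name] * cards)


def alphabet_for(password: str) -> int:
    """Size of the smallest standard alphabet a cracker would choose for this password.

    Assumption: digits 10, lower 26, upper 26, printable symbols 33 (95 in total).
    """
    size = 0
    if any(c.isdigit() for c in password):
        size += 10
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def seconds_for_password(password: str, hash_name: str, cards: int = 1) -> float:
    """Worst-case brute-force time for a specific password's length and character classes."""
    return seconds_to_exhaust(alphabet_for(password), len(password), hash_name, cards)


def human(seconds: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if seconds < 1:
        return f"{seconds * 1000:.3g} ms"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} h"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def comparison(cards: int = 8):
    """Full printable-ASCII keyspace at several lengths, NTLM versus bcrypt."""
    rows = []
    for length in (8, 10, 12, 16):
        for hash_name in ("ntlm", "bcrypt"):
            rows.append((length, hash_name, human(seconds_to_exhaust(95, length, hash_name, cards))))
    return rows


if __name__ == "__main__":
    for length, hash_name, duration in comparison():
        print(f"{length:2d} chars  {hash_name:6s}  {duration}")
    print("12345678 against NTLM on 8 cards:", human(seconds_for_password("12345678", "ntlm", 8)))
```

Two things the table makes obvious that the headline number hides: going from 8 to 12 printable characters turns 46 minutes into thousands of years on the same hardware, and switching the server-side hash from NTLM to bcrypt turns the 8-character case from under an hour into more than a century.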
The vulnerability of passwords today
According to Microsoft’s 2022 Digital Defense Report, password-based attacks are the primary method by which accounts are compromised. The report tells a frightening tale of how vulnerable passwords are today.
- There are nearly 1,000 password-based attacks every second, a 74% increase over the prior year.
- Nearly 90% of compromised accounts are not protected by multi-factor authentication, and the percentage of accounts protected by MFA remains low.
- 100% of human-operated ransomware attacks involved stolen credentials that were cracked, stolen with malware, or purchased on the dark web.
- In a sample of more than 39 million IoT and OT devices, 20% were secured by a username and password that were identical.
- Some 27% of scanned firmware images contained accounts whose passwords still relied on weak authentication algorithms.
Tips for keeping hack-proof passwords
If that were not enough, the annual password statistics for 2022 show that “password” is the fourth most common password in use. If we want to count minor victories, “123456789” ranks above “12345678,” and nine digits are at least harder to crack than eight. Sadly, the #1 password uses only six digits.
The truth is that the digital user population needs a wake-up call about passwords. The 8-character rule that served us well a decade ago is now defunct because of the processing power an average person can afford: a handful of off-the-shelf GPUs can exhaust every 8-character password in under an hour against a fast hash such as NTLM, and a single RTX 4090 can do it in about six hours. For this and other reasons, Microsoft recommends the following password requirements:
- Passwords should be no less than 12 characters long.
- All passwords should include a combination of uppercase and lowercase letters, numbers, and symbols.
- Do not use any word found in a dictionary, or the name of any person, place, product, or organization.
- Make sure every new password differs from your previous passwords.
- Change your password immediately if you suspect it may have been compromised.
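The list above is easy to state and easy to enforce badly. Here is an added example (not Microsoft’s or the article’s code) of a change-time checker that applies the length, character-class, dictionary and reuse rules. It goes a little beyond the text in two places a practitioner would want: it undoes common leet-speak substitutions before the dictionary check, so “P@ssw0rd” is still caught, and it compares against password history stored as salted PBKDF2 digests rather than plaintext. The word list, substitution map and PBKDF2 round count are constructed for illustration.

```python
"""Change-time enforcement of the password rules listed above.

Added example, not Microsoft's or the article's code. The word list, the
leet-speak map and the PBKDF2 round count are illustrative assumptions.
"""
import hashlib
import hmac
import os

# Constructed toy word list. A real deployment would load a full dictionary,
# a breached-password list, and the names the text mentions (people, places,
# products, organisations).
WORDS = {"password", "welcome", "summer", "dragon", "letmein", "acme", "contoso"}

# Substitutions users make to sneak a dictionary word past a naive check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "!": "i", "5": "s", "7": "t"})

PBKDF2_ROUNDS = 200_000  # illustrative; size this to your hardware budget


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' reads as 'password'."""
    return password.lower().translate(LEET)


def contains_dictionary_word(password: str, words=WORDS, min_len: int = 4) -> bool:
    """True if any list word of at least `min_len` letters appears in the normalised password."""
    norm = normalize(password)
    return any(w in norm for w in words if len(w) >= min_len)


def history_entry(password: str) -> tuple:
    """Store previous passwords as (salt, PBKDF2 digest), never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_reused(password: str, history) -> bool:
    """Constant-time comparison of the candidate against every stored history digest."""
    for salt, digest in history:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(cand, digest):
            return True
    return False


def check_password(password: str, history=(), words=WORDS) -> list:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    failures = []
    if len(password) < 12:
        failures.append("too_short")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if not all(classes):
        failures.append("missing_character_class")
    if contains_dictionary_word(password, words):
        failures.append("dictionary_word")
    if is_reused(password, history):
        failures.append("reused_previous_password")
    return failures


if __name__ == "__main__":
    previous = [history_entry("Tr0ub4dor&3xyz")]
    for candidate in ("Summer2024!", "P@ssw0rd!2024X", "Tr0ub4dor&3xyz", "correct-Horse7-battery"):
        print(f"{candidate!r}: {check_password(candidate, previous) or 'accepted'}")
```

The reuse check deliberately re-derives PBKDF2 for each stored entry, so a history of a dozen passwords costs a dozen slow hashes at change time, which is acceptable for a password change and far better than keeping old passwords in a form that is useful to anyone who steals the store.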
Additional controls necessary
The simple truth about passwords is that longer is stronger. Unfortunately, a long password by itself is neither safe nor practical for many users. There is a direct correlation between the length and complexity of passwords and the number of calls to the help desk; human memory was not designed for long random strings.
That is why you need supplementary controls today. Additional controls such as MFA, account lockouts and monitoring are now just as necessary as your password policy, if not more so. Unfortunately, attackers are targeting these controls too. Welcome to the era of MFA fatigue. Yes, it is a thing. Imagine a threat actor who already has your password using a script to attempt login to your account over and over. Each attempt sends you a push notification to approve or deny, creating a torrent of MFA requests. The goal is either to wear you down so that you eventually approve one just to stop the annoyance, or to make you tap approve by accident while swatting away the flurry. In some cases the flood is paired with a phishing email purporting to come from the IT department, asking you to click approve.
That is also why many security experts now discourage SMS text messages (which can be intercepted) and bare approve/deny push prompts for MFA. The preferred alternative is an authenticator app that generates numeric codes expiring within a window of seconds: the user has to read and type the code, so an attacker cannot simply trigger a prompt and wait for a tired thumb. It is also good practice to cap the number of MFA requests an account can receive in a given window and lock the account once that cap is reached.
Another effective tool is a password manager. These tools automatically generate a unique password that is long and complex, then match each account with its correct credentials on their own, which stops the user from cycling through the same assortment of passwords. The user needs to remember only a single well-designed password to unlock the password manager.
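The MFA-fatigue pattern and the request cap described above are easy to express as detection logic over authentication logs. The following is an added example, not code from the article or from any MFA product: it parses a constructed log of push-notification events, keeps a sliding window of prompts per user, locks an account once the window fills, and flags any approval that arrives after a burst of prompts. The log format, user names, and the window and threshold values are all assumptions for illustration.

```python
"""Detecting and stopping an MFA prompt flood from authentication logs.

Added example, not from the article. The log format, field names, user
names and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: alice is being prompt-bombed and eventually taps
# approve; bob and carol are ordinary logins.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z user=alice event=mfa_push_sent
2024-05-02T09:00:03Z user=alice event=mfa_push_denied
2024-05-02T09:00:20Z user=alice event=mfa_push_sent
2024-05-02T09:00:40Z user=alice event=mfa_push_sent
2024-05-02T09:01:00Z user=alice event=mfa_push_sent
2024-05-02T09:01:30Z user=bob event=mfa_push_sent
2024-05-02T09:01:35Z user=bob event=mfa_push_approved
2024-05-02T09:01:40Z user=alice event=mfa_push_sent
2024-05-02T09:02:05Z user=alice event=mfa_push_approved
2024-05-02T09:02:30Z user=alice event=mfa_push_sent
2024-05-02T09:30:00Z user=carol event=mfa_push_sent
2024-05-02T09:30:05Z user=carol event=mfa_push_approved
2024-05-02T10:10:00Z user=carol event=mfa_push_sent
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line: str):
    """Return (timestamp, user, event) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"]


def analyze(log_text: str, window_s: int = 300, lock_after: int = 5, suspicious_after: int = 3):
    """Sliding-window prompt counter with lockout and post-flood approval alerting.

    Thresholds are assumptions: lock on the 5th push within 5 minutes, and flag
    an approval that follows 3 or more pushes in the window.
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes inside the window
    locked = {}                  # user -> time the lock was applied
    alerts = []                  # (user, alert_kind, timestamp)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, event = rec
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop prompts that have aged out of the window
        if user in locked:
            # Once locked, nothing for this account should be honoured, including approvals.
            alerts.append((user, f"event_while_locked:{event}", ts))
            continue
        if event == "mfa_push_sent":
            q.append(ts)
            if len(q) >= lock_after:
                locked[user] = ts
                alerts.append((user, "prompt_flood_lockout", ts))
        elif event == "mfa_push_approved":
            if len(q) >= suspicious_after:
                alerts.append((user, "approval_after_repeated_prompts", ts))
            q.clear()  # a legitimate approval ends the burst
        # mfa_push_denied: keep counting; repeated denials are the fatigue pattern itself
    return {"locked": locked, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for user, kind, ts in result["alerts"]:
        print(f"{ts.isoformat()} {user}: {kind}")
    print("locked accounts:", sorted(result["locked"]))
```

In the sample, alice’s fifth prompt inside five minutes trips the lock, so her later approval is recorded as an event against a locked account instead of granting access; bob and carol, whose prompts are isolated, produce no alerts. In production the same counter would sit in the identity provider or a SIEM rule, and the lock would also trigger a password reset, since a prompt flood means the attacker already holds the password.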
Bottom line: It’s time to recognize the threat and prepare strategies for it
Throughout history, the introduction of new weapons has forced military leaders to adapt their strategies to counter them, and history also shows that generals are often a war behind in changing their tactics. We cannot afford that mistake with the passwords that protect our online accounts and digital assets. It is time to recognize the power these GPUs now hold and adopt the cybersecurity strategies that counter it.