Eight RTX 4090s Can Break Passwords in Under an Hour

Interesting article.

We read:

"Security researcher Sam Croley took to Twitter to share just how incredible Nvidia’s new RTX 4090 really is… at cracking passwords. It turns out it’s twice as fast as the previous leader, the RTX 3090, at breaking one of your passwords — even when faced off against Microsoft’s New Technology LAN Manager (NTLM) authentication protocol and the Bcrypt password-hacking function."

And:

“Of course, another chip on cybersecurity’s shoulder is the amount of data that needs to be encrypted against the inexorable development of quantum computing, computers that will render almost all currently-used encryption schemes pedestrian. Looking at the cost decreases in password-cracking just with GPUs, however, it seems that current security should be upgraded to newer, post-quantum algorithms sooner rather than later.”

Says that thing has 24 GB of memory, so I’m not sure how effective Argon’s memory hardness is against an army of those. Probably barely feels any drag from an Argon memory parameter of 500 MB?

This is 2-year-old news.

GPUs are fast, not because of their memory, but because of the large number of processing cores working in parallel to speed up a task. The RTX 4090 has 16,384 cores. If the Argon2id algorithm requires 500 MB (0.5 GB) of memory, then 24 GB of memory only provides enough work space for 48 cores to be performing computations simultaneously (48×0.5 GB = 24 GB). So the computing capacity of the RTX 4090 has been reduced to 48/16385 = 0.3% of its maximum processing power. That’s a pretty significant reduction.

Besides, even using Bitwarden’s default KDF configuration (600,000 iterations of PBKDF2-SHA256), a single RTX 4090 can only test 15,000 password guesses per second. If you wanted to crack a 4-word passphrase in under an hour, you would need an “army” of 68 million RTX 4090 GPUs (an acquisition cost of over 100 billion dollars in hardware).

3 Likes
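The sizing arithmetic from the reply above, as an added example that is not part of any post in the thread: it reproduces the 48-lane Argon2id bound and the 68 million GPU figure, and extends them to other passphrase lengths and to the eight-GPU rig in the title. The 7,776-word list size and the $1,600 card price are assumptions; the thread states neither.

```python
# Figures taken from the thread.
GPU_VRAM_GB = 24        # RTX 4090 memory
GPU_CORES = 16_384      # RTX 4090 cores
PBKDF2_RATE = 15_000    # guesses/s per GPU at 600,000 PBKDF2-SHA256 iterations

# Assumptions, not stated in the thread.
WORDLIST_SIZE = 7_776   # assumed passphrase word list size (EFF long list)
GPU_PRICE_USD = 1_600   # assumed price per card


def concurrent_guesses(vram_gb, mem_per_guess_gb, cores=GPU_CORES):
    """Guesses one GPU can run at once when each needs its own memory block."""
    return min(cores, int(vram_gb // mem_per_guess_gb))


def keyspace(words, wordlist_size=WORDLIST_SIZE):
    """Number of equally likely passphrases made of `words` random words."""
    return wordlist_size ** words


def gpus_to_exhaust(space, rate_per_gpu, seconds):
    """GPUs needed to try every candidate within the time budget (integer ceil)."""
    return -(-space // (rate_per_gpu * seconds))


def years_to_exhaust(space, rate_per_gpu, gpus):
    """Worst-case time, in years, for a fixed number of GPUs."""
    return space / (rate_per_gpu * gpus) / (365 * 24 * 3600)


def report():
    """Rows of (label, value, note) for the memory bound and each passphrase length."""
    lanes = concurrent_guesses(GPU_VRAM_GB, 0.5)
    rows = [("Argon2id 500 MB lanes", lanes, f"{lanes / GPU_CORES:.1%} of cores")]
    for words in (3, 4, 5):
        space = keyspace(words)
        need = gpus_to_exhaust(space, PBKDF2_RATE, 3600)
        years = round(years_to_exhaust(space, PBKDF2_RATE, 8), 2)
        rows.append((f"{words} words, 1 hour", need, f"GPUs, ${need * GPU_PRICE_USD:,}"))
        rows.append((f"{words} words, 8 GPUs", years, "years"))
    return rows


if __name__ == "__main__":
    for label, value, note in report():
        print(f"{label:<24}{value:>28,}  {note}")
```

These are worst-case (full keyspace) figures; the expected time to hit a uniformly random passphrase is half of each.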