
What felt strong yesterday can be cracked on a budget today. Researchers warn that easy access to powerful hardware on the open market may increase attackers' capacity to crack passwords.
Bcrypt, the once-reliable algorithm for hashing and protecting passwords, is no longer immune to these threats.
The AI boom has created a glut of high-performance graphics cards in the consumer market. This means the kind of hardware once limited to research labs or enterprise clusters is now available for rent by anyone, including cybercriminals.
Organizations often set up machines with multiple consumer-level GPUs, like the RTX 5090, for model training. When these GPUs aren’t in use, they can be rented out on platforms such as vast.ai, allowing others to run their own AI workloads.
This approach lets companies monetize otherwise idle hardware, even if it’s only a few dollars per hour, helping offset the cost of the equipment. On rental marketplaces, an 8-GPU setup with Nvidia’s RTX 5090s can be leased for just a few dollars an hour.
Powerful hardware helps to crack passwords
“Post the release of the RTX 50-series cards, the availability and affordability of high-performance computing hardware have further increased, evolving the discussion of what should be considered a strong password,” the report by cybersecurity firm Specops notes.
As part of their investigation into how AI-driven hardware has increased the speed of password hash cracking, Specops researchers generated bcrypt hashes at cost factors 10, 12, and 14 from a 750,000-entry sample of the infamous RockYou password list.
After the hashes were generated, they were transferred, along with a copy of rockyou.txt, to a cloud instance with eight RTX 5090 GPUs. Cracking runs were then performed to measure the achieved hash rate, and that rate was used to estimate the expected time to crack a given password by brute force.
Strong passwords might not be strong anymore
The study underscored that while password length and complexity still matter, the calculus has shifted. GPUs like the RTX 5090 are around 65% faster than the previous generation at computing bcrypt hashes.
This means that when brute-forcing bcrypt, attackers can offset the higher cost factors that were intended to slow them down. In practical terms, passwords that were previously considered “strong” and safe from brute-force attacks could now be within reach.
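The estimate the report describes can be reproduced with a small calculator, added here as an illustration and not taken from the Specops report: a measured bcrypt hash rate is scaled across cost factors (each +1 on the cost factor doubles the key-setup work and so halves throughput), the expected brute-force time for a password policy is derived from that rate, and the 65% generational speedup is converted into the fraction of a cost-factor step it cancels. The hash rate used in the demo is a constructed placeholder, not a figure from the report.

```python
import math
import string

# Character classes named in the article's policy guidance (constructed sizes from the
# ASCII sets; a real policy may use a different special-character set).
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digits": len(string.digits),           # 10
    "special": len(string.punctuation),     # 32
}


def keyspace(length, classes):
    """Number of candidates an exhaustive search must cover for this policy."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def scaled_hashrate(measured_rate, measured_cost, target_cost):
    """bcrypt performs 2**cost key-setup rounds, so throughput halves per +1 cost factor."""
    return measured_rate / 2 ** (target_cost - measured_cost)


def expected_crack_seconds(length, classes, hashes_per_second):
    """Average time to hit the password: on average half the keyspace is searched."""
    return keyspace(length, classes) / 2 / hashes_per_second


def cost_steps_cancelled(speedup):
    """How many cost-factor increments a hardware speedup offsets (1.65 -> ~0.72, i.e. < 1 step)."""
    return math.log2(speedup)


def seconds_to_years(seconds):
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed placeholder: hashes per second measured at cost factor 10. Not a report figure.
    MEASURED_RATE_COST10 = 100_000.0
    policy = ["lower", "upper", "digits", "special"]
    for cost in (10, 12, 14):
        rate = scaled_hashrate(MEASURED_RATE_COST10, 10, cost)
        for length in (8, 12, 18):
            years = seconds_to_years(expected_crack_seconds(length, policy, rate))
            print(f"cost {cost:2d}  len {length:2d}  {rate:>10.0f} H/s  ~{years:.3g} years")
    print(f"+65% GPU speed cancels {cost_steps_cancelled(1.65):.2f} of one cost-factor step")
```

Raising the cost factor by one doubles the attacker's work, so a 65% faster GPU erases less than one cost-factor step; length, by contrast, multiplies the keyspace by the alphabet size per added character.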
Specops researchers emphasize that brute force is just a baseline. To increase their odds, hackers often combine dictionary attacks, rule-based variations, and targeted wordlists based on leaked corporate data.
“It’s important to be mindful of how attacks are performed, and attempt to build well-founded password policies that reduce the risk of passwords being guessable via simple wordlist and rule attacks,” the team notes.
How to pick a strong password?
- Use passwords with a minimum length of 18 characters.
- Use multiple character classes, ideally all four: upper case, lower case, digits, and special characters.
- Do not use words relevant to your organization or related to personal details that could be easily guessed.
- Use password generators to create strong passwords.
- Check whether any of your previous passwords have appeared in a breach, and avoid reusing passwords.