GPU password cracking has become a stark reality check for enterprise security. New benchmarks from Specops show that consumer gaming GPUs demolish enterprise-grade AI accelerators when it comes to raw password-cracking speed, and the cost difference makes the security implications even worse.
Key Takeaways
- RTX 5090 gaming GPU outperforms Nvidia H200 and AMD MI300X across all tested hash algorithms
- H200 and MI300X cost at least 10 times more than RTX 5090 yet deliver slower cracking speeds
- 2017 eight-GPU rig with GTX 1080s matches modern AI accelerators on NTLM hashing performance
- 8-character passwords crack in minutes against standard hashes on high-end GPU rigs
- Attackers need only consumer hardware and leaked password databases to crack weak passwords rapidly
GPU Password Cracking Performance: A Stunning Reversal
The Specops research team benchmarked three GPUs using Hashcat across multiple hash algorithms: MD5, bcrypt, SHA-256, and NTLM. The results shattered conventional assumptions about enterprise hardware. The RTX 5090 outperformed both the Nvidia H200 and AMD MI300X in raw hash generation speed across every single algorithm tested. In fact, the RTX 5090 hashed passwords at nearly twice the speed of the H200, a chip designed specifically for datacenter workloads and priced around $30,000.
What makes this finding particularly damning is the price-to-performance ratio. The H200 and MI300X each cost at least 10 times more than the RTX 5090, yet neither delivers superior cracking capability. An attacker willing to spend $3,000 on a consumer GPU gains a massive speed advantage over someone deploying enterprise-grade hardware costing $30,000. This economic reality fundamentally changes how we should think about password security infrastructure.
The Historical Precedent: Old Hardware Still Competitive
The inefficiency of modern AI accelerators becomes even more apparent when compared to older consumer technology. Back in 2017, a custom rig built with eight Nvidia GTX 1080 gaming GPUs achieved 334 GH/s (gigahashes per second) on NTLM hashes. That eight-year-old setup matches or exceeds the performance of today’s latest H200 and MI300X accelerators. The GTX 1080 was the flagship consumer GPU of its era, yet it remains competitive with hardware marketed as the pinnacle of AI acceleration.
This historical comparison reveals a troubling trend: specialized AI hardware has not delivered the password-cracking advantages that enterprises might expect. The gap between marketing claims and real-world performance suggests that datacenter GPUs were designed for different workloads entirely—machine learning inference, tensor operations, and large-scale model serving—not the embarrassingly parallel task of hashing billions of password combinations per second.
Why Password Cracking Times Matter for Security
The actual crack times paint a sobering picture for weak password policies. A 15-character password using uppercase, lowercase, numbers, and symbols would take approximately 167 billion years to crack via brute force on modern GPUs. But most passwords are far weaker. An 8-character password using the same character set cracks in minutes on standard hash algorithms like MD5, and under an hour on stronger hashes, using the kind of hardware any attacker can purchase.
This speed advantage becomes exponentially worse when attackers combine GPU rigs with leaked password databases. Rather than pure brute force, they can target specific hashes from compromised corporate databases, making the attack far more efficient. The RTX 5090‘s superior hashing speed means fewer hours of computation needed to crack millions of weak passwords simultaneously.
What This Means for Enterprise Security
The Specops findings demolish the myth that expensive AI hardware is necessary for large-scale password attacks. Consumer GPUs deliver better performance at a fraction of the cost, making password cracking accessible to a far broader range of threat actors. Organizations that rely on weak hashing algorithms like MD5 or NTLM, or that enforce passwords shorter than 12 characters, are exposing themselves to attackers armed with readily available consumer hardware.
The real takeaway is not that the RTX 5090 is a password-cracking powerhouse—it is that modern AI accelerators are surprisingly inefficient at this particular task. Enterprises should not assume that their security assumptions hold up against commodity hardware. Password policies must account for the reality that any attacker with a few thousand dollars can crack millions of weak passwords in hours, not days or months.
Are AI GPUs worthless for password cracking?
No, but they are significantly less efficient than consumer gaming GPUs for this specific task. The H200 and MI300X excel at machine learning workloads and tensor operations, not the memory-bandwidth-intensive hashing operations required for password cracking. They were never designed as password-cracking tools, yet the Specops benchmarks expose the marketing disconnect between their cost and their performance on this particular metric.
How long does it take to crack an 8-character password?
On weak hashes like MD5, an 8-character password using letters, numbers, and symbols cracks in under one hour on high-end GPU rigs. On stronger algorithms, it takes longer, but still within minutes to hours depending on the hash function. This is why modern password policies require longer minimum lengths and stronger hashing algorithms like bcrypt or Argon2.
Can a 15-character password be cracked?
A 15-character password using uppercase, lowercase, numbers, and symbols would require approximately 167 billion years to crack via brute force on modern GPUs. This is why length remains one of the most effective defenses against password attacks—exponential growth in character space makes longer passwords exponentially harder to crack, even with powerful hardware.
The GPU password cracking benchmarks from Specops reveal a market failure: enterprises are spending tens of thousands of dollars on specialized hardware that underperforms consumer alternatives. The real lesson is not about hardware specs, but about the fundamental importance of password policy. Weak hashing, short passwords, and password reuse remain the primary attack vectors, and no amount of expensive hardware will fix those organizational failures. Security teams need to audit their password policies immediately and ensure they account for the reality that commodity GPUs can crack weak passwords in minutes, not months.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Hardware
