ZATAZ » The new NVIDIA 4090 card explodes passwords

A security researcher and password cracking expert has published benchmark tests that demonstrate the password cracking capabilities of the RTX 4090 graphics card.

Each new graphics card gets its own password-cracking study, and the first researcher to publish one gets the credit. This time it is Sam Croley, security researcher and password-cracking expert, who draws the first card. He explains that the password-cracking capabilities of the Nvidia RTX 4090 graphics card blow all previous numbers out of the water.

NVIDIA’s new GPU broke the previous RTX 3090 benchmark records and doubled performance on nearly every algorithm tested. The passwords cracked in the tests followed security best practices and included random letters, symbols and numbers, the very practices recently set out by the French Commission Informatique et des Libertés, the CNIL [see below].

Based on the test results, a fully equipped password-cracking machine with eight RTX 4090s (around $20,000 at the time of writing) would have the computing power to run 200 billion iterations of an eight-character password in 48 minutes.

That result is 2.5x faster than the previous record holder, the RTX 3090. Both tests were run on standard, off-the-shelf GPU hardware with hashcat, the software best known for recovering lost passwords. Hashcat supports dictionary, combinator, mask, rule-based and brute-force attacks.

CNIL recommendations on passwords: a solution to cyberattacks?

Faced with the multiplication of data leaks and cyberattacks, the CNIL published on October 17, 2022 a directive on password security addressed to companies. Fraudulent intrusion into information systems most often originates in the accessibility of passwords, whose robustness is therefore a major cyber-security issue.

The ZATAZ Monitoring Service has seen no less than 22 billion (yes, yes) login credentials since its inception.

Although the CNIL's recommendations are not mandatory, companies that get hacked can now be criticized for not having implemented a demanding internal protocol on password composition.

Companies are therefore strongly encouraged to review their protocols in the light of this deliberation and to amend their IT charters in order to raise their security threshold.

Already on December 28, 2021, the CNIL had fined a French telecom operator 300,000 euros on the grounds that sending customers a password that is neither temporary nor single-use, and whose renewal is not required, makes it easily and immediately usable by any third party with access to the message containing it, which creates a number of risks for the protection of personal data and for the privacy of individuals.

What password management policy is recommended?

An organization using password authentication must define a password management policy, inform the persons concerned of it, and regularly review its implementation.

Password creation and authentication

The CNIL identifies three cases of password authentication, each associated with a different level of entropy, that is, the degree of randomness that the composition of the password must provide.

Password only:

*Minimum of 12 characters (with uppercase, lowercase, number, special character)

*Minimum of 14 characters (with uppercase, lowercase, number)

Password with a mechanism for restricting access to the account after several authentication failures (e.g. timeout measures, blocking, rate limiting):

*Minimum of 8 characters including 3 of the 4 character categories (uppercase, lowercase, number, special character)

*Minimum of 16 digits

Password with material held by the person (smart card, electronic certificate, etc.) and a blocking device after 3 authentication failures:

*Minimum of 4 decimal digits
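To make the three CNIL cases comparable, here is an added example (not from the article or the CNIL) that computes the entropy of each minimum policy and the worst-case time to exhaust its keyspace. The guess rates are assumptions for illustration, not figures from the benchmark; the point is that the lower-entropy cases are only acceptable because the lockout or hardware token keeps guessing online and slow.

```python
import math

# Character-category sizes (assumption: ASCII printable set, 33 specials).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33

# The CNIL cases above as (label, alphabet size, minimum length).
# For "3 of 4 categories" the smallest qualifying alphabet (no specials) is
# used, so that row is a lower bound.
CNIL_CASES = [
    ("password only, 12 chars, 4 categories",    LOWER + UPPER + DIGITS + SPECIAL, 12),
    ("password only, 14 chars, 3 categories",    LOWER + UPPER + DIGITS,           14),
    ("with lockout, 8 chars, 3 of 4 categories", LOWER + UPPER + DIGITS,            8),
    ("with lockout, 16 digits",                  DIGITS,                           16),
    ("with hardware token, 4 digits",            DIGITS,                            4),
]

# Assumed guess rates (illustration only): a fast unsalted hash on a
# multi-GPU rig versus a deliberately slow password KDF.
FAST_HASH_RATE = 2.0e12   # guesses per second, assumption
SLOW_KDF_RATE = 1.0e5     # guesses per second, assumption

def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet)

def exhaustive_search_seconds(alphabet: int, length: int, rate: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given rate."""
    return alphabet ** length / rate

def meets_entropy(alphabet: int, length: int, required_bits: float) -> bool:
    """Policy check: does an (alphabet, length) pair reach the required entropy?"""
    return entropy_bits(alphabet, length) >= required_bits

def rank_cases() -> list:
    """CNIL cases sorted strongest to weakest: (label, bits, fast_s, slow_s)."""
    rows = []
    for label, alphabet, length in CNIL_CASES:
        rows.append((label, round(entropy_bits(alphabet, length), 1),
                     exhaustive_search_seconds(alphabet, length, FAST_HASH_RATE),
                     exhaustive_search_seconds(alphabet, length, SLOW_KDF_RATE)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for label, bits, fast, slow in rank_cases():
        print(f"{label:42s} {bits:5.1f} bits  fast hash: {fast / 86400:14.1f} d"
              f"  slow KDF: {slow / 86400:16.1f} d")
```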

Note that the CNIL no longer recommends using additional information (such as the names of parents, a pet, etc.) to secure a password. Obvious, but it is always worth writing down (which Zataz has been doing for 25 years!)

Storing and changing passwords

The password must never be stored in clear text: it must first be transformed with a non-reversible, secure cryptographic function. It is recommended to no longer require users to change their passwords periodically; periodic rotation should only be required for administrative accounts.

What to do in the event of a password security breach?

The data controller must inform the data subject without delay and allow them to renew their password immediately. If a password is suspected to have been compromised, the data controller must require the person concerned to change it and recommend that they also change it on any other service where they may have reused it.
