Compute power is growing at an extraordinary pace. The AI surge has driven massive investment in GPUs and specialized ‘accelerators’, with vendors building increasingly powerful hardware to train large language models.

For cybersecurity professionals, that raises an interesting question. If the AI bubble cools and this hardware ends up sitting idle, could it be repurposed for password cracking? And if so, does that mean passwords are about to become obsolete?

To explore that scenario, we compared two flagship AI accelerators, the Nvidia H200 and AMD MI300X, with Nvidia’s top consumer GPU, the RTX 5090. The goal was simple: seeing whether a $30,000 AI GPU actually has an advantage when cracking passwords.

Setting up the test

The Specops research team has previously published work examining how long it takes attackers to brute-force hashed passwords. In separate tests of MD5, bcrypt and SHA-256, we measured how quickly each algorithm could be cracked using the same hardware.

To see how GPUs impact this process, we turned to Hashcat, one of the most widely used password recovery tools. Hashcat includes benchmarking capabilities that show how quickly different hardware can compute password hashes.

This matters because password cracking is ultimately a numbers game. The faster a system can generate hashes, the faster it can test password guesses until it finds the correct one.

For this comparison, we looked at Hashcat benchmark results for five commonly encountered hashing algorithms:

• MD5
• NTLM
• bcrypt
• SHA-256
• SHA-512

These cover the common algorithms found in an organization’s Active Directory, from older, fast hashes that are relatively easy to brute force, through to modern algorithms with far stronger cryptography.

That provides a realistic base for our three high-end GPUs to face. These products broadly occupy a similar performance tier in their respective markets, making them useful reference points for comparing enterprise AI hardware with consumer GPUs.

The GPU password cracking results

What is immediately clear is that across every algorithm tested, the RTX 5090 outperforms both AI accelerators in raw hash generation speed. Across multiple functions, the RTX 5090 hashes passwords at almost twice the speed of the H200.

The price to performance comparison is striking. A single H200 is at least ten times the price of an RTX 5090, so you might reasonably expect far greater performance from the AI accelerator in a one-to-one comparison. That simply isn’t the case.

Adding to this is that back in 2017, IBM built a password-cracking rig using eight Nvidia GTX 1080s, the flagship consumer GPU of the time.

That system achieved an NTLM hash cracking rate of 334 GH/s. In other words, a nine-year-old consumer GPU rig delivers similar, or better, performance in password cracking as today’s flagship AI accelerators.

So, when answering the question, ‘is a $30,000 GPU good at password cracking?’, the answer is clear: no.

The real risk to organizations

Password cracking doesn’t require exotic or specialized hardware. Professional crackers and attackers already have access to all the computing power they need to brute-force weak passwords. In our SHA-256 tests, a password using numbers, upper and lowercase letters, and symbols could be cracked in just 21 hours.

That’s why enforcing stronger passwords is essential, and the most effective defense is length. A 15-character password using the same mix of character types, hashed with SHA-256, would take around 167 billion years to crack, even with powerful GPU hardware. At that point, brute-forcing simply isn’t a realistic attack.

The bigger risk is passwords that have already been exposed in data breaches. This often happens through password reuse. You might require employees to create long, complex Active Directory passwords and store them securely.

But that protection disappears if the same password is reused on personal devices, websites, or applications with weaker security controls.

If attackers can link exposed credentials to a specific individual, it’s often straightforward to identify where they work and attempt the same password against corporate accounts. There is an entire underground market of initial access brokers who specialize in exactly this type of intrusion.

This highlights the importance of having tools that can detect compromised passwords within your organization. Identifying exposed credentials early allows security teams to reset accounts and block attackers before those passwords are used to gain access.

How Specops helps

Tools like Specops Password Policy help here in two crucial ways:

• Granular password policy management: Our solution allows security teams to implement fine-grained password policies well beyond those included in Active Directory. This includes support for passphrases, as well as readymade compliance templates to ensure your organization matches necessary standards. Dynamic feedback guides users to create strong passwords they remember but are difficult to crack.
• Continuous scanning for breached passwords: The Breached Password Protection feature continuously scans your Active Directory against a database of more than 5 billion unique compromised passwords. Customizable messages alert users if their password is compromised.

Ultimately, organizations shouldn’t rely on passwords as the only line of defense. Multi-factor authentication (MFA) provides an additional barrier that protects accounts even if a password is eventually recovered.

Specops Secure Access delivers that additional layer of security to Windows Logon, RDP and VPN connections.

If you’re interested in seeing how Specops can help harden your Active Directory against credential attacks, contact us today.

Sponsored and written by Specops Software.