Passwords in the IA era: consumption GPUs exceed data center accelerators in cracking

In recent years, the computation capacity has increased at a rapid speed: the explosion of artificial intelligence has pushed huge investments in GPUs and specific accelerators, and manufacturers compete to offer increasingly powerful chips to train giant language models. In the face of this growth, a legitimate question arises for security teams: if that wave of IA gets cold and those cards get underused, could the attackers reorient them to break passwords? And, if so, does that mean that passwords are doomed to disappear?

To address this hypothesis we made a practical comparison between two data center accelerators and a high-end consumption card: the Nvidia H200 and the AMD MI300X against a maximum-range consumption GPU (mentioned in the tests as RTX 5090). The test was simple: to measure the speed with which each card can calculate password hashes using Hashcat, the most widespread tool for password recovery and audit ( hashcat.net), and use this data as a proxy of its ability to test millions or billions of candidates per second.

Hashcat incorporates a Benchmark mode that allows to compare the raw performance of different devices in different hash algorithms. We choose algorithms that remain present in corporate environments: MD5 and NTLM as examples of old and fast functions, bcrypt as representative of functions designed to be expensive, and SHA-256 and SHA-512 as modern hash families that are still in many systems. The reasoning is simple: the effectiveness of a brute force attack depends on how many hashes the machine can generate and check per second.

The results were revealing. In all tests the consumer card exceeded the data center accelerators in hash generation speed. In practical terms, the consumption GPU marked higher hash rates - in some cases almost double - compared to H200 and MI300X. If the cost is also compared, the difference becomes even more striking: data center cards can cost a very high fraction more than a consumption GPU, without that resulting in a proportional advantage when breaking hashes.

This finding is not completely surprising if you consider how these processing families are designed: IA accelerators are optimized for floating point computs and specific batch sizes and memory model training, while mass hashing routines using tools such as Hashcat take advantage of types of operations and memory architectures that are in many cases better used by consumer GPUs. This architectural difference translates into the observed performance.

A historical data helps to put it into perspective: in 2017 IBM mounted a rig with eight Nvidia GTX 1080 - the GPU of the then point consumption - that achieved cracking rates in NTLM comparable to those that today reach much more expensive accelerators ( IBM article). This shows that exotic chips are not needed to get real capacity to break passwords: well-assembled consumption hardware remains very efficient for that task.

What does this mean for the defenses of an organization? First, the real threat is not necessarily the arrival of an IA accelerator at the hands of attackers, but the existence of weak passwords and the re-use of credentials. A brute force attack is, in the end, a volume problem: at higher hash speed per second, faster combinations are explored. In practical tests, short and predictable passwords remain recoverable in relatively short times with hardware available today.

For this reason, rather than fear a hypothetical mass reboot of cracking accelerators, it is necessary to focus on proven measures: to encourage length above apparent complexity and to adopt passphrases. Reference guides such as the NIST standard recommend prioritizing length and allowing password phrases that are memorable to users ( NIST SP 800-63B), because a 15-character password well chosen multiplies exponentially the time needed to break it up to impractical scales even with powerful hardware.

Another higher risk than pure brute force is that of credentials already exposed in previous gaps and the reuse of passwords. Reports such as Verizon Data Breach Investigations Report show that the stolen credentials are involved in a substantial fraction of intrusions. If an attacker links filtered credentials to a particular person, it is easy to try these same combinations against corporate systems; there are markets and actors specialized in selling and using such initial access.

In practice, this makes early detection and prevention of the use of compromised passwords as important as the longitude requirement. Tools that compare passwords in use with filtered credentials databases and force users to change if their password appears on those lists end up blocking very frequent and effective attack pathways.

Of course, passwords should not be the only barrier. The widespread adoption of multifactor authentication (MFA) dramatically reduces the impact of a compromised password, because it adds an additional factor that the attacker will not simply have to know the key. Implementation that extend MFA at remote start-up, RDP and VPN close vectors that continue to be exploited regularly.

For organizations seeking concrete solutions, there are products that address both password policy and protection against committed credentials and integration with access controls. An example is Password Policy Spacups, which allows you to impose rules more granularly than Active Directory rules and provide feedback to users to create robust passwords; your Filtered Password Protection module continuously compares accounts with large password repositories ( Speeches Password Policy). Complements like Spacups Secure Access add protective layers for remote access ( Spacups Secure Access).

In short, the practical lesson is double: on the one hand, the fear that expensive IA accelerators turn passwords into obsolete is, for now, exaggerated; the consumer hardware already offers the capacity that attackers need to exploit weak passwords. On the other hand, effective defense depends less on worrying why GPU could use an attacker and more of robust policies: long passwords or passphrases, detection of committed credentials and MFA deployment. These measures are the ones that really push the cost of an attack at levels where it will no longer be profitable.

If your organization still trusts old complexity rules or short passwords, the time to review the strategy is now: to strengthen the hygiene of credentials and add layers of verification is what will really make the accounts secure against the computational resources that are (and will be) available to the attackers.