AI-powered consumer GPUs speed up password cracking with bcrypt
New research has indicated that the growth of high-performance consumer hardware, driven by artificial intelligence and graphics development, is reducing the time required to crack passwords protected by the bcrypt hashing algorithm.
The Specops research team revisited their analysis from two years ago, focusing on how recent advances in consumer-grade computing hardware are influencing the security of hashed passwords. The update comes at a time when over 70 million compromised passwords have been added to the Specops Breached Password Protection service, sourced through honeypot networks and threat intelligence gathering.
Hardware boosts
The proliferation of consumer graphics cards, particularly Nvidia's latest 50-series and AMD's forthcoming UDNA architecture, has made high-powered computing more readily accessible and affordable. These advancements, largely accelerated by demand for AI training and large language models, have led to increased raw computational power being available outside enterprise environments.
According to Specops, "The focus on compute power for both consumers and enterprises whether for general purpose compute (GPGPU) or training LLMs has caused arguably all three major graphics vendors to focus more heavily on compute performance than they may have in the past. This shows in the performance of Nvidia's recent 50-series, as well as AMD's upcoming transition to the 'UDNA' architecture. We've investigated what this boom and renewed focus on compute means for the difficulty of cracking a leaked password hash, and the future security of passwords."
Researchers point out that organisations commonly run multiple consumer GPUs, such as the RTX 5090, for AI training workloads and then rent out idle capacity for password cracking or other high-compute tasks, sometimes at rates around USD $5 per hour. Such set-ups typically consist of hosts running 8 to 16 RTX 5090 GPUs each, giving attackers access to significant processing capability.
Methodology and findings
The research compared bcrypt password cracking speeds using modern GPU hardware, specifically 8x RTX 5090 cards, and tested password hashes of varying 'cost factors', the setting that dictates the computational effort required to process a password. As the cost factor increases, so does resistance to brute force cracking, but rising hardware performance is eroding those gains.
Hashes were generated from a sample of 750,000 entries taken from the rockyou.txt wordlist, at cost factors 10, 12, and 14. Generating higher cost-factor hashes took considerably longer, reflecting the increased processing demands. The resulting benchmarks provided hashrates used to estimate time-to-crack figures for various password length and complexity combinations.
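To make the methodology concrete, the following added example (not code from Specops or from the article) reproduces the shape of a time-to-crack table: it sizes the keyspace for a length and set of character classes, scales an attacker's hashrate across bcrypt cost factors (each +1 in cost doubles the work), and converts the result to years. The 80,000 hashes/s base rate is a constructed placeholder, not a measured figure from the study.

```python
import string

# Character classes combined in a brute-force cracking table (as in the Specops study).
CLASSES = {
    "digit": string.digits,            # 10 characters
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "symbol": string.punctuation,      # 32 characters
}
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(length: int, classes) -> int:
    """Candidates an exhaustive search must try for passwords of exactly `length`
    characters drawn from the union of the named classes."""
    alphabet = "".join(CLASSES[c] for c in classes)
    return len(alphabet) ** length


def scaled_hashrate(base_rate: float, base_cost: int, target_cost: int) -> float:
    """bcrypt performs 2**cost expensive key-setup rounds, so every +1 in the
    cost factor halves the attacker's hashrate (and every -1 doubles it)."""
    return base_rate / 2 ** (target_cost - base_cost)


def years_to_crack(length: int, classes, hashrate: float, fraction: float = 1.0) -> float:
    """Years to search `fraction` of the keyspace at `hashrate` hashes/second
    (1.0 = guaranteed worst case, 0.5 = expected time for a uniformly random password)."""
    return keyspace(length, classes) * fraction / hashrate / SECONDS_PER_YEAR


def cracking_table(base_rate: float, base_cost: int, costs, lengths, classes) -> dict:
    """Worst-case years for each (cost, length) pair, mirroring the study's table layout."""
    return {
        (cost, length): years_to_crack(length, classes, scaled_hashrate(base_rate, base_cost, cost))
        for cost in costs
        for length in lengths
    }


if __name__ == "__main__":
    # ASSUMPTION: 80,000 bcrypt cost-10 hashes/s for an 8-GPU rig. This is a
    # constructed placeholder, not a figure from the study; substitute a measured
    # benchmark for your own hardware (hashcat mode 3200 is bcrypt).
    ALL = ["digit", "lower", "upper", "symbol"]
    table = cracking_table(80_000, 10, costs=(10, 12, 14), lengths=(8, 12, 18), classes=ALL)
    for (cost, length), years in sorted(table.items()):
        print(f"cost={cost:2d} length={length:2d} all classes: {years:.3g} years")
```

Raising the cost factor by two multiplies every cell by four, while adding one character multiplies it by the alphabet size (94 here), which is why the study finds length to be the cheaper source of entropy.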
"Short, non-complex passwords can still be cracked relatively quickly, highlighting the huge risks of allowing users to create weak (yet very common) passwords such as 'password', '123456', and 'admin'. However, the high cost factor of bcrypt makes longer passwords extremely secure against brute force attacks thanks to its slow-working hashing algorithm. Once a combination of characters is used in passwords over 12 characters in length, the time to crack quickly becomes a near-impossible task for hackers. This shows the value of enforcing longer passwords."
The new data affirm that passwords with simple combinations, particularly those shorter than 8 characters, are still susceptible to nearly instant compromise. Conversely, passwords longer than 12 characters with mixed upper, lower, numeric, and symbol elements require timescales that are effectively prohibitive, even for powerful attackers. For instance, an 8-character password using numbers, upper- and lowercase letters, and symbols is estimated to be crackable in about 2,449 years using brute force. At 12 characters, that timescale expands into hundreds of millions of years.
Brute force as a baseline
The research also highlights the utility of brute force calculations as a baseline for assessing password strength, even though attackers tend to use more targeted methods such as dictionary and rule-based attacks. The investigators note, "It's true that expecting an attacker to attempt to brute force a given dataset is unrealistic. Crackers will typically use a variety of attacks to attempt to crack a given set of hashes. This can range from dictionary attacks and rule-based attacks, to association attacks."
Specops advocates for layered password policies, arguing that requirements for length and complexity provide some defence, but using custom blocked dictionaries and breached password corpuses is also essential. They state, "As shown by the new cracking table, entropy is crucial, and length is an easy-to-remember source of password entropy."
Policy recommendations
Based on these findings, Specops recommends a minimum password length of 18 characters with requirements for multiple character classes, including upper, lower, digit, and special symbols. Implementing passphrases and blocking words directly related to the organisation, such as company or product names, are advised as further mitigations. "In order to protect against this kind of attack, there are a number of settings that can be configured within Specops Password Policy that will assist in making it more difficult to crack, should a bcrypt hash leak (whether from an internal system, or from a third party)."
Known compromised passwords
When it comes to passwords already found in breached datasets, the research finds that even long or complex combinations can be compromised instantly if the precise password is known to attackers. In the words of the researchers, "No amount of complex hashing algorithms is a replacement for good security hygiene and implementing strong password policies through Specops Password Policy, as well as using a breached corpus such as Specops Breached Password Protection to prevent re-use of passwords across accounts. It's now more important than ever to defend against infostealers leaking credentials."
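The policy recommendations above and the point about known compromised passwords combine into one check, shown here as an added example rather than code from Specops Password Policy: an 18-character minimum, all four character classes, a block list of organisation-related words, and a lookup against a breached corpus. The organisation words and the breached corpus are constructed sample data; a real deployment would use the organisation's own list and a full breach feed.

```python
import hashlib
import string

MIN_LENGTH = 18  # the study's recommended minimum length
REQUIRED_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Constructed sample data: words tied to the organisation, and a breached corpus
# stored as SHA-1 digests so the plaintext list never has to live on the server.
ORG_WORDS = ["acme", "acmecorp", "widgetpro"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "admin", "Correct-Horse-Battery-Staple-2024!")
}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(candidate)
    missing = [name for name, cls in REQUIRED_CLASSES.items() if not chars & cls]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    lowered = candidate.lower()
    hits = [w for w in ORG_WORDS if w in lowered]
    if hits:
        problems.append("contains blocked organisation word(s): " + ", ".join(hits))
    # The breached check runs last and on the exact string: a leaked password is
    # recovered instantly whatever its length or the hash's cost factor.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breached password corpus")
    return problems


if __name__ == "__main__":
    for pw in ("admin", "Acme-Corp-Summer-Login-2025!",
               "Correct-Horse-Battery-Staple-2024!", "Teal-Giraffe-Dances-At-Dawn-77!"):
        print(repr(pw), "->", check_password(pw) or "OK")
```

Note that the long, fully complex passphrase in the sample corpus still fails: once a password is in a breach feed, only the corpus check catches it.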
The latest improvement to Specops Breached Password Protection incorporates more than 70 million additional compromised passwords, drawing from daily updates and intelligence across both public and dark web sources. Specops states that ongoing monitoring and real-time protection can help organisations counter these evolving threats and maintain more robust password security.