Hackers use GPUs to quickly crack passwords

A 7 character alphanumeric (i.e. composed only of letters and numbers) password can be cracked in less than 17 minutes! A 10 digit numeric password can be cracked...


This is a new development and one that is quite disturbing from a security standpoint. First, a little background.

A Graphics Processing Unit (GPU) is a computer specifically developed to perform graphics calculations. A modern computer graphics card from makers such as NVIDIA and ATI can contain an array of hundreds or even thousands of GPUs to perform the complicated calculations necessary to produce the stunning graphics we are now used to seeing in the latest 3D games. A GPU can, however, be used for more than just video games. In the last few years I’ve come to rely on them to perform the trillions of calculations needed for electromagnetic analyses of antennas and microwave devices. Other practical uses of GPUs include medical imaging, structural analysis, and oil and gas exploration. GPU technology is revolutionizing computing at a time when traditional CPU (Central Processing Unit) performance has stalled.

Of course, every new technology has side effects and unintended consequences, and the GPU is no exception. You will see in the article “GPU Password Cracking – Bruteforcing a Windows Password Using a Graphics Card” that it is now possible to use a garden-variety graphics card to quickly crack a password using brute force. The article shows how the program known as IGHASHGPU can be used to quickly crack even strong passwords. For example, a 7 character alphanumeric (i.e. composed only of letters and numbers) password can be cracked in less than 17 minutes! An 8 character alphanumeric password can be cracked in 18.5 hours, while a 9 character one can be done in only 48 days! Adding some special characters (i.e. $%^& etc.) to the string helps, but a 7 character password is still toast in only 7 hours. The 8 character password with special characters takes only 25 days. That’s not nearly enough to protect your bank account!

If you use passwords that are not random but composed of words, the search is even faster because the thief can use a dictionary attack. If you use only numbers, things are even worse. A 10 digit numeric password can be cracked with the GPU in a matter of seconds! The scary part is that GPU technology is advancing very rapidly right now, and the time required to attack passwords using brute force is only going to decrease.

I highly recommend using a password manager to create and remember the long random strings that are going to be required to stay safe going forward. As a general rule, I now recommend using the longest password that can be accepted by whatever system you are using. Be sure to use all available character types (i.e. letters, numbers, and special characters) that are accepted by the system. This approach is only practical if you can cut & paste the password from the password manager to the input fields. If you must actually type the password on the keyboard, then you will want to use at least 14 characters, up to as many as you can manage to blindly type without errors.
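The crack times quoted above are keyspace size divided by guess rate. The following sketch is an added example, not code from the cited article or from IGHASHGPU: it back-derives the guess rate from the quoted "8 alphanumeric characters in 18.5 hours" figure, then finds the shortest random password per character set that outlasts a century at that rate. The 94-symbol special-character set, the century target and all function names are assumptions.

```python
import secrets
import string

# Character sets the article discusses; the 94-symbol "special" set is an
# assumption (the article does not say which symbols were tested).
CHARSETS = {
    "digits": string.digits,
    "alphanumeric": string.ascii_letters + string.digits,
    "alnum+special": string.ascii_letters + string.digits + string.punctuation,
}
CENTURY = 100 * 365 * 86400  # seconds; assumed resistance target

def implied_rate(charset_size, length, seconds):
    """Guesses per second implied by 'whole keyspace searched in N seconds'."""
    return charset_size ** length / seconds

def exhaust_seconds(charset_size, length, rate):
    """Worst-case time to try every password of exactly this length."""
    return charset_size ** length / rate

def min_length(charset_size, rate, target_seconds):
    """Shortest random password whose full keyspace outlasts target_seconds."""
    length = 1
    while exhaust_seconds(charset_size, length, rate) < target_seconds:
        length += 1
    return length

def generate(charset, length):
    """Uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(charset) for _ in range(length))

# Rate implied by the article's "8 alphanumeric characters in 18.5 hours".
RATE = implied_rate(62, 8, 18.5 * 3600)

if __name__ == "__main__":
    print(f"implied rate: {RATE:.2e} guesses/s")
    for name, chars in CHARSETS.items():
        n = len(chars)
        days = exhaust_seconds(n, 9, RATE) / 86400
        need = min_length(n, RATE, CENTURY)
        print(f"{name:14} 9 chars: {days:12.2f} days; "
              f"{need} chars to outlast 100 years at this rate")
    print("sample 14-char password:", generate(CHARSETS["alnum+special"], 14))
```

The derived rate applies only to the hash type and graphics card in the cited article, and the lengths hold only for uniformly random passwords, not for word-based ones.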

The GPU is not the only new technology that is going to force us to improve our security. Thieves are now using cloud computing to break encryption as well, so it's only going to get worse!

See Also:

Update February 23, 2012

I have added two other articles relevant to this discussion on GPUs that may be of interest:



Join the Conversation


  1. Mark Crowther (Test Hats)

    We heard about hash-cracking using GPUs a while ago while researching how Bitcoin mining was being done. Search YouTube to see some of the crazy rigs people have put together for that.

    In our Test Lab we have a purpose-built rig with multiple high-end video cards for the purpose of both generating and cracking passwords/hashes. Very entertaining geeky stuff.


    1. John Ross

      Thanks for the tip! I’m in the process of building a new machine now that will use both the FX5800 and the C2070 to smash numbers for antenna simulations. I’m only going with two cards now since the simulator software requires a license token that costs $5k for each additional card. I expect it will be a fun box for other activities too!

  2. The 25 Worst Passwords - and some tips for choosing better ones - Security Beacon

    […] matter is that it’s getting harder to stop the bad guys every day. Cloud computing and cheap GPU based supercomputers are making possible brute force attacks that were unthinkable only a few years […]