Is a $30,000 GPU Good at Password Cracking?
A $30,000 AI accelerator like Nvidia’s H200 or AMD’s MI300X is surprisingly ineffective at password cracking compared to a consumer GPU such as the RTX 5090. Benchmarks with Hashcat show that the RTX 5090 hashes passwords up to twice as fast as the AI GPUs across all tested algorithms (MD5, NTLM, bcrypt, SHA-256, SHA-512). Despite its tenfold higher price, the AI hardware offers no performance advantage for brute-force attacks. This highlights that attackers already have sufficient computing power with readily available consumer GPUs, and that protecting passwords through length, complexity, MFA, and continuous breach monitoring is far more critical than relying on expensive GPU upgrades. Specops provides tools like Password Policy to enforce strong passwords and detect compromised credentials, reinforcing the need for multi-factor authentication and robust security practices.

Compute power is growing at an extraordinary pace. The AI surge has driven massive investment in GPUs and specialized accelerators, with vendors building increasingly powerful hardware to train large language models. For cybersecurity professionals, that raises a practical question: if the AI hype slows and this hardware ends up idle, could it be repurposed for password cracking? And if so, does that imply passwords are on the verge of obsolescence?
To explore this, researchers compared two flagship AI accelerators—the Nvidia H200 and the AMD MI300X—with Nvidia’s top consumer GPU, the RTX 5090. The goal was straightforward: does a $30,000 AI GPU actually have an edge when the task is cracking passwords?
Setting up the test involved building on prior work that examined how long it takes attackers to brute-force hashed passwords across different hashing algorithms. In separate explorations of MD5, bcrypt, and SHA-256, researchers measured how quickly each algorithm could be cracked using the same hardware. Hashcat, a widely used password recovery tool, provides benchmarking capabilities that reveal how fast different hardware can generate password hashes. The faster a system can generate hashes, the more quickly it can test candidate passwords until the correct one is found.
Five common hashing algorithms were chosen for the benchmark because they cover a spectrum from older, fast hashes that are relatively easy to brute force to modern, more cryptographically robust options. The algorithms tested were MD5, NTLM, bcrypt, SHA-256, and SHA-512. These are representative of what you might encounter in an organization’s Active Directory environment, spanning legacy and contemporary cryptographic approaches.
The results offer a stark reminder: password cracking is fundamentally a numbers game. Hash generation speed translates directly into how quickly guesses can be tested. Across the board, the RTX 5090 delivered higher hash rates than either of the AI accelerators. In several instances, the RTX 5090 produced hashes at nearly twice the speed of the H200 or MI300X. The price-to-performance takeaway is equally striking: an Nvidia H200 can cost at least ten times more than an RTX 5090, yet in raw hashing tasks the premium doesn’t translate into proportional performance gains.
A historical footnote provides added perspective. In 2017, IBM built a password-cracking rig using eight Nvidia GTX 1080s, the flagship consumer GPU of that era. That rig achieved an NTLM cracking rate of 334 GH/s. In other words, a nine-year-old consumer GPU setup delivered comparable or even superior performance to today’s top-tier AI accelerators for this specific workload. When you factor in the cost, the newer, far more expensive boards don’t necessarily buy proportionate speed gains for password cracking.
So, is a $30,000 GPU good at password cracking? The direct answer from the benchmarks is no. For the tested workloads, the consumer RTX 5090 outstripped both AI-focused accelerators in raw hash generation speed, and its far lower price gives it a much better performance-per-dollar outcome for this particular use case.
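The numbers game described above, worked through as an added example (not code from the original article): it converts a hash rate into exhaustive-search time and shows how little extra password length offsets a cracker that is twice as fast. The rate is the 334 GH/s NTLM figure quoted above; the 95-character set and uniformly random passwords are assumptions, so the times are an upper bound for human-chosen passwords and do not apply to slow hashes such as bcrypt.

```python
import math

NTLM_RATE_2017_RIG = 334e9   # H/s, the eight-GTX-1080 NTLM figure quoted above
PRINTABLE_ASCII = 95         # assumption: digits, upper, lower, symbols, space
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset: int, length: int) -> int:
    """Candidates an exhaustive search tries for every length from 1 to `length`."""
    return sum(charset ** n for n in range(1, length + 1))


def worst_case_seconds(charset: int, length: int, rate: float) -> float:
    """Time to exhaust the whole keyspace at `rate` hashes per second."""
    return keyspace(charset, length) / rate


def min_length(charset: int, rate: float, target_years: float) -> int:
    """Shortest length whose exhaustive search takes at least `target_years`."""
    length = 1
    while worst_case_seconds(charset, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def speedup_in_characters(charset: int, factor: float) -> float:
    """Extra random characters that cancel out a `factor`-times faster cracker."""
    return math.log(factor) / math.log(charset)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for length in (8, 10, 12, 15):
        t = worst_case_seconds(PRINTABLE_ASCII, length, NTLM_RATE_2017_RIG)
        print(f"{length:>2} random chars, NTLM: {humanize(t)}")
    # Policy sizing: minimum length to resist 100 years, at 1x and 2x the rate.
    for factor in (1, 2):
        n = min_length(PRINTABLE_ASCII, factor * NTLM_RATE_2017_RIG, 100)
        print(f"{factor}x rate -> minimum length {n}")
    print(f"2x speedup is worth {speedup_in_characters(PRINTABLE_ASCII, 2):.2f} characters")
```

Doubling the hash rate leaves the required minimum length unchanged in this calculation, because each added random character multiplies the attacker's work by 95 while the hardware gap is a factor of two.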
Beyond raw speed, the broader security implications matter a lot. Password cracking isn’t constrained by exotic hardware; capable attackers already have access to substantial computing resources to brute-force weak passwords. In our SHA-256 tests, a password composed of numbers, upper and lower-case letters, and symbols could be cracked in roughly 21 hours on the tested hardware. That demonstrates why strong password practices remain critical in defending enterprise systems.
Length matters just as much as composition. A 15-character password that uses a mix of character types and is hashed with SHA-256 would take astronomically long to crack—on the order of hundreds of billions of years—making brute-force attacks impractical. Of course, real-world risk isn’t only about how long it would take to crack a single password in isolation. Credentials that have already appeared in data breaches pose a different kind of threat, especially if users reuse the same password across personal devices, websites, or applications with weaker protections. When attackers can link exposed credentials to individuals, they can attempt those same passwords against corporate accounts, often with success.
This is where the real risk to organizations arises: compromised credentials can be used to pivot into systems if the same passwords are reused. The sheer scale of compromised-password data—tens of billions of unique passwords in breach databases—means that even strong, high-entropy passwords aren’t a guaranteed shield if they’ve been exposed elsewhere. Early detection of breached credentials can be a crucial line of defense, allowing security teams to reset accounts and block attackers before those passwords are leveraged to gain access.
In the broader defense landscape, the takeaway remains consistent: do not rely on passwords as the sole safeguard. Multi-factor authentication adds a vital layer of protection that remains effective even if a password is compromised. The goal is to layer defenses so that even if one line of defense is breached, others still stand between the attacker and sensitive resources.
The comparison between AI accelerators and consumer-grade GPUs in password cracking highlights an important nuance: high-end, expensive hardware does not automatically translate into superior capability for every security-related task. For the specific challenge of rapidly generating candidate passwords and testing their hashes, consumer-class GPUs can be an efficient and cost-effective option, while the most expensive AI accelerators may not provide the expected edge. The lesson is that robust password security hinges not on brute horsepower alone but on a holistic approach that emphasizes password length, established best practices, continuous monitoring for breaches, and layered authentication strategies.
If you want to harden Active Directory against credential attacks, remember that strong password policies, regular audits, and breach monitoring are essential complements to any technical controls. The speed at which an attacker can hash and test guesses is real, but so are the defenses that slow down those attempts and block unauthorized access. In a landscape where attackers can exploit both weak passwords and compromised credentials, a defense-in-depth approach—one that reduces the risk of password reuse, enforces strong passphrases, and employs MFA—offers the most resilient protection.