LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a brute force attack, and why is GPU performance the key factor?

Try every possible password combination until one matches the hash. GPU speed determines whether a password falls in seconds or millennia.

The attack:

  1. Define charset (e.g. a-z = 26 chars)
  2. Try every combination of length 1, 2, 3, …
  3. For each: hash it, compare to target
  4. Eventually you'll find a match — the question is how long

Modern speeds (consumer GPU like RTX 4090):

Hash type Speed 8-char lower crack time
MD5 ~165 billion/sec < 1 minute
NTLM ~290 billion/sec < 30 seconds
SHA-256 ~22 billion/sec ~5 minutes
bcrypt ~200 thousand/sec ~3,000 years

Why the variance:

  • Fast hashes (MD5, NTLM, SHA-256) — designed for speed → terrible for password storage
  • Slow hashes (bcrypt, Argon2) — intentionally slow → 100ms each, billions/sec impossible

Why GPUs matter:

  • CPUs do ~10-50 million hashes/sec
  • GPUs do ~10,000× more (parallel cores)
  • Specialized rigs (8× GPU) do trillion+/sec
  • Cloud (AWS GPU instances) — anyone can rent the equivalent of an NSA cluster

The economic reality:

Renting a 100 GH/s cluster on AWS for an hour costs ~$10-50. So if a stolen database has $5+ of value per cracked password, brute force pays.

Defenses (in priority order):

  1. Use slow hashes for passwords (bcrypt, Argon2) — kills GPU advantage
  2. Salt everything — forces per-user crack
  3. Push users to length — every char ~70× more work
  4. Add MFA — hash crack alone isn't enough to log in

Calculator: https://www.hivesystems.com/blog/are-your-passwords-in-the-green — yearly updates on real GPU crack times.

Go deeper:

From Quiz: INTROL / Password Cracking | Updated: Jul 14, 2026