Quiz Entry - updated: 2026.07.14
What is a brute force attack, and why is GPU performance the key factor?
Try every possible password combination until one matches the hash. GPU speed determines whether a password falls in seconds or millennia.
The attack:
- Define charset (e.g.
a-z= 26 chars) - Try every combination of length 1, 2, 3, …
- For each: hash it, compare to target
- Eventually you'll find a match — the question is how long
Modern speeds (consumer GPU like RTX 4090):
| Hash type | Speed | 8-char lower crack time |
|---|---|---|
| MD5 | ~165 billion/sec | < 1 minute |
| NTLM | ~290 billion/sec | < 30 seconds |
| SHA-256 | ~22 billion/sec | ~5 minutes |
| bcrypt | ~200 thousand/sec | ~3,000 years |
Why the variance:
- Fast hashes (MD5, NTLM, SHA-256) — designed for speed → terrible for password storage
- Slow hashes (bcrypt, Argon2) — intentionally slow → 100ms each, billions/sec impossible
Why GPUs matter:
- CPUs do ~10-50 million hashes/sec
- GPUs do ~10,000× more (parallel cores)
- Specialized rigs (8× GPU) do trillion+/sec
- Cloud (AWS GPU instances) — anyone can rent the equivalent of an NSA cluster
The economic reality:
Renting a 100 GH/s cluster on AWS for an hour costs ~$10-50. So if a stolen database has $5+ of value per cracked password, brute force pays.
Defenses (in priority order):
- Use slow hashes for passwords (bcrypt, Argon2) — kills GPU advantage
- Salt everything — forces per-user crack
- Push users to length — every char ~70× more work
- Add MFA — hash crack alone isn't enough to log in
Calculator: https://www.hivesystems.com/blog/are-your-passwords-in-the-green — yearly updates on real GPU crack times.
Go deeper:
Brute-force attack (Wikipedia) — GPUs/FPGAs as accelerators and the exponential keyspace math.
Hive Systems password table — translates GPU hashrate into crack times by length/charset.