CUDA Cores and Why They Matter for Password Cracking

I have read a lot about the advancement in GPUs (graphics processing units) and how each year, they become more powerful and faster for password cracking. Numerous articles share this information and the speeds that newer GPUs can reach. What you do not often read about is how CUDA cores allow new GPUs to compute faster than ever. Many aspects of the GPU come into play with password cracking, such as memory bandwidth, memory size and clock speeds. I will focus on how an increase in CUDA cores can lead to faster password cracking.



What Exactly are CUDA Cores?

Compute Unified Device Architecture (CUDA) cores are proprietary NVIDIA technologies that serve as their parallel processing platform within GPUs. CUDA cores enable the GPU to perform faster calculations—making password cracking more efficient.



Why Should We Care About Them?

The number of CUDA cores and their speeds determine how fast they will process data. A single CUDA core can only process one thing at a time. GPU processing is similar to lanes in a checkout aisle at a local supermarket. If only a single lane is open (aka a single CUDA core) for a thousand customers, then it will take a long time for everyone to check out. Opening more lanes and processing the customers in parallel is the fastest way to achieve increased throughput. Similarly, as we add more CUDA cores to the GPU and process data points in parallel, we substantially increase throughput. This is because the work is divided among the CUDA cores—which produces faster, more efficient calculations. We should care about this because the more CUDA cores packed into a GPU, the faster the password cracking speed.


Advancements in NVIDIA GPUs and the number of CUDA cores that one GPU can hold have skyrocketed. The table below examines GPUs from each generation, including the NVIDIA GTX 1080 TI, RTX 2080 TI, RTX 3090 and the RTX 4090. The table shows the difference in the number of CUDA cores for each GPU generation and the calculation speed based on a data set of 100 million calculations.


CUDA Cores Slide 1_.jpg

Figure 1: GPU, Cores and Calculations


Looking at the data set above, there was an approximately 357% increase in the number of CUDA cores between 2017-2022. There was nearly a 77% decrease in the amount of data that each core needed to process. This means that the more CUDA cores present, the faster a password can be cracked.


What Does This Mean in Terms of Cracking a Password?

First, you can calculate how long it will take to crack an NTLM hash in Hashcat using a benchmark. The formula takes GH/s (gigahash per second) and multiplies that value by one billion (1 billion H/s = 1 GH/s). Then, one can divide that value by the number of combinations of an 8-character password (approximately 7.2 quadrillion) to get a number in seconds. That number can then be converted to days, hours and minutes. Below is a key that can help.


a = giga hash
b =1 billion H/s (hash rate per second)
n = number of combinations in a password
t = time in seconds it takes to crack a hash


(a × b)/ n=t


For one NVIDIA GTX 1080 TI at a speed of 64.316 GH/s (64,316 MH/s), it would take around 12.95 days to crack that 8-character password. For a single NVIDIA RTX 4090 (255 GH/s), it would take 7.8 hours. The significance here is that an 8-character password inclusive of upper case, lower case and special characters, as well as numbers, is too short. This is especially true if we use eight 4090s (2039.5 GH/s). That password complexity can be cracked in about 58.8 minutes.



Figure 2: Nvidia 1080 TI NTLM Hash Speed



Figure 3: Nvidia 4090 NTLM Hash Speed


Cuda Cores 2_.jpg

Figure 4: Calculations



The Takeaway

The bad news is that your 8-character password is extremely easy to crack if an attacker is using an NTLM hash, which a lot of corporate companies use for Windows Active Directory. What might be even worse is that each new generation of NVIDIA GPUs keeps upping the ante by adding significantly more CUDA cores. The good news is you can protect yourself by making a 12-character password with upper case, lower case and special characters, in addition to numbers. It would take approximately 74 centuries using eight 4090s to break that. Unless you live that long, I am confident that you are safe. Always remember that having good cybersecurity hygiene will help keep you and others protected.


Hashcat benchmarks

Remy Pearlstone
Application Security Consultant | Optiv
Remy Pearlstone is an Application Security Consultant in Optiv’s Threat Management community. As an Application Security Specialist, Pearlstone’s role is to deliver a variety of service offerings, including web application assessments, mobile application assessments, application programming interface (API) assessments, code reviews, and Application Security (AppSec) program development consulting services. Pearlstone is also a front-end web developer and is always looking at ways to build new tools for his team to make operating in the cybersecurity space more fluid.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit