$5 per Hour for Hacking: What You Need to Know About the New Generation of Password Attacks and How to Protect Yourself

The AI boom has made hacking more accessible.

Researchers from Specops have updated their study on cracking passwords protected by the bcrypt algorithm. Two years ago, they published similar data, but since then, the hardware market has changed significantly: the AI boom and the growing demand for computing power have made top-tier graphics cards more accessible and cheaper than ever.
This isn't just about gaming. Modern GPUs are used for training large language models, and their idle time is often rented out on services like vast.ai. The same hardware can easily be used for another purpose—such as attacking hashed passwords.
For the new study, the team used a cluster with eight RTX 5090s—today, such cards have become the "reasonable minimum" for threat actors. Renting this powerful cloud hardware costs about $5 per hour, making such attacks quite affordable even for small groups. However, more serious configurations also exist—for example, hosts with 16 graphics cards.
Unlike previous tests, the researchers did not use the outdated bcrypt cost factor of 5, but instead took more reliable values of 10 and above. For testing, they generated 750 thousand hashes based on the known list of real passwords from RockYou. The higher the cost factor, the longer it takes not only to crack but also to generate the hashes: for instance, creating a database with a factor of 14 took almost five hours even on a powerful workstation.
The data obtained showed that the RTX 5090 is approximately 65% faster than its predecessor when working with bcrypt. However, increasing the complexity partially compensates for this performance gain. As a result, short and simple passwords like "123456" or "admin" are still easily cracked, while longer combinations—especially those over 12 characters—become practically invulnerable to brute-force attacks.
A table of cracking times shows that short passwords from simple character sets are guessed instantly—four- or five-character ones are cracked immediately, six-character ones with just digits or letters take minutes or hours. But if an eight-character password includes numbers, upper and lowercase letters, and special characters, the cracking time jumps to thousands of years. And starting from 12 characters with a full set of character classes, brute-forcing becomes practically impossible within any reasonable timeframe.
It's important to understand that real-world attacks rarely rely on pure brute force. Dictionary attacks, transformation rules, or targeted lists (compiled from, say, corporate websites) are more commonly used. However, brute force provides a baseline assessment of an attacker's computational capabilities and helps illustrate the value of password length and entropy.
The researchers emphasize that hashing complexity alone is not enough. If a password has already been compromised and appears in a leak database, no bcrypt cost factor will help: the attacker tries the known password first, and the protection is effectively zero.
Therefore, the researchers recommend that organizations implement a comprehensive policy: a minimum length of at least 18 characters, mandatory use of different character types, and support for long passphrases. Additionally, it's worth implementing a custom dictionary that blocks words related to the organization—especially the company name and its products. Tools like CeWL can be used to generate such a blocklist by crawling the company's public resources.
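The cracking-time table and the policy recommendations above can be reproduced with a small estimator. The following is an added example, not code from the study or from Specops: it sizes the keyspace from the character classes a password uses, scales a guess rate across bcrypt cost factors (each +1 on the cost doubles the work), and checks a password against the article's policy. The reference rate `REF_RATE`, the cost it was measured at, and the blocklist words are placeholders, not figures from the study.

```python
import string

# Character classes as used in the study's cracking-time table.
CLASSES = {
    "digit": string.digits,            # 10 symbols
    "lower": string.ascii_lowercase,   # 26 symbols
    "upper": string.ascii_uppercase,   # 26 symbols
    "special": string.punctuation,     # 32 symbols
}
FULL_CHARSET = sum(len(chars) for chars in CLASSES.values())  # 94

def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must assume to cover every class present."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    if size == 0:
        raise ValueError("no recognised character class in password")
    return size

def keyspace(password: str) -> int:
    """Worst-case number of candidates for this length and class mix."""
    return charset_size(password) ** len(password)

def bcrypt_rate(cost: int, ref_rate: float, ref_cost: int) -> float:
    """bcrypt runs 2**cost key-setup rounds, so each +1 on the cost halves the guess rate."""
    return ref_rate / 2 ** (cost - ref_cost)

def seconds_to_crack(password: str, cost: int, ref_rate: float, ref_cost: int = 5) -> float:
    """Worst-case brute-force time at the given cost, scaled from a measured reference rate."""
    return keyspace(password) / bcrypt_rate(cost, ref_rate, ref_cost)

def violates_policy(password: str, blocklist: set[str], min_len: int = 18) -> list[str]:
    """Applies the article's policy: minimum length, all four classes, no organisation words."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len}")
    if charset_size(password) < FULL_CHARSET:
        problems.append("missing a character class")
    if any(word in password.lower() for word in blocklist):
        problems.append("contains a blocklisted word")
    return problems

if __name__ == "__main__":
    REF_RATE, REF_COST = 1_000_000.0, 5        # ASSUMED placeholder rate at cost 5, not measured
    BLOCKLIST = {"acme", "widgetpro"}            # constructed; stands in for a CeWL-generated list
    for pw in ["123456", "Tr0ub4d&", "Correct!Horse9Battery", "AcmeWidgetPro2024!!"]:
        years = seconds_to_crack(pw, 10, REF_RATE, REF_COST) / 31_557_600
        print(f"{pw:22} len={len(pw):2} charset={charset_size(pw):2} "
              f"~{years:.3g} years at cost 10; policy: {violates_policy(pw, BLOCKLIST) or 'ok'}")
```

Swap in a rate you have measured yourself for your own cost factor to see how the length and class columns of the table move on your hardware.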
The conclusion of the study is simple: cracking has become more accessible due to increased hardware power, but protection still works if you use long and unique passwords. Entropy and length remain the main factors of security in a world where GPUs can be rented for $5 an hour.

