Is a $30,000 GPU Good at Password Cracking?

The AI boom has flooded the market with multi‑million‑dollar GPUs and purpose‑built accelerators designed for training massive language models. As enterprises upgrade, a surplus of high‑end cards may sit idle, prompting security teams to wonder whether that raw compute can be redirected toward password cracking. In theory, any hardware that can generate hashes quickly could accelerate brute‑force attacks, but real‑world performance depends on architecture, memory bandwidth, and driver optimization. Understanding the true capability of these machines helps organizations assess residual risk when AI hardware is decommissioned or repurposed.

Specops used Hashcat to benchmark three top‑tier GPUs – Nvidia’s RTX 5090 consumer card, the Nvidia H200, and AMD’s MI300X – across five common hash types (MD5, NTLM, bcrypt, SHA‑256, SHA‑512). The RTX 5090 consistently posted the highest hashrates, reaching 219 GH/s on MD5 and 340 GH/s on NTLM, roughly double the speed of the H200. Even the MI300X, priced similarly to the H200, lagged behind the consumer GPU on every algorithm. When price‑to‑performance is factored, the $30,000 AI accelerators deliver less than one‑tenth the efficiency of a $3,000 RTX 5090, disproving the notion that premium AI hardware automatically excels at password cracking.

The practical takeaway for enterprises is that password strength, not GPU horsepower, determines breach risk. A 15‑character password hashed with SHA‑256 would require on the order of 10^20 years to crack even with the fastest consumer GPU, rendering brute‑force attacks infeasible. Conversely, short or reused passwords can be broken in hours, especially when attackers harvest credential dumps from data breaches. Organizations should enforce long, unique passwords, deploy multi‑factor authentication, and continuously monitor for compromised credentials. Early detection of leaked passwords enables rapid resets, neutralizing the advantage any high‑end GPU might provide to an adversary.