The RTX 5090, renowned for its leading gaming performance and prowess in rendering and artificial intelligence, has revealed a more concerning capability: its exceptional speed in cracking leaked passwords. Kaspersky’s recent study leveraged the RTX 5090 to test the resilience of 231 million unique passwords leaked from the dark web between 2023 and 2026. The findings are stark: with a single RTX 5090 unit attacking MD5 hashes, nearly half of these passwords can be compromised in less than a minute, posing a significant threat to many security systems.
What was once speculation about the NVIDIA model’s immense power has materialized into a concerning reality. When used for tasks beyond its intended design, this graphics card’s raw power exposes a critical security flaw, now brought to light by Kaspersky with substantial data and evidence.
Kaspersky Demonstrates RTX 5090’s Sub-Minute Password Cracking
The most alarming statistic is that a staggering 48% of the analyzed passwords were cracked in under 1 minute. The issue doesn’t end there. According to Kaspersky, 60% of the passwords could be deciphered in under 1 hour, 68% in under 24 hours, 74% in under 1 month, and 77% in under 1 year. Only 23% of these leaked passwords, when subjected to MD5 hashing, managed to withstand the attack for over a year in this test scenario.
The RTX 5090 represents a significant technical leap. In a previous study, the RTX 4090 achieved 164 gigahashes per second in brute-force MD5 attacks. The RTX 5090 escalates this to an impressive 220 gigahashes per second, a 34% increase in pure processing speed for this specific task. This translates to an astonishing 220 billion hashes calculated every second.
Kaspersky also drew a comparison between current data and that from 2024, using the RTX 4090 and RTX 5090 as benchmarks. Two years ago, 45% of passwords fell in under a minute, compared to the current 48%. The percentage cracked in under an hour rose from 59% to 60%, in under 24 hours from 67% to 68%, and in under a month from 73% to 74%. The percentage cracked within a year remained stable at 77%.
Global Security Compromised, Even Without Direct Hardware Purchase
A crucial, and perhaps more insidious, aspect is that attackers do not need to own an RTX 5090. Kaspersky highlights that cloud GPU computing power can be rented by the hour for mere cents or dollars, depending on the configuration and model, making this cracking capability accessible at a negligible cost. Furthermore, renting 10 or even 100 GPUs amplifies the threat. In a large data breach, cracking numerous passwords doesn't require starting from scratch for each one; every calculated hash can be cross-referenced against the entire compromised database.
The study also points to human error as a significant vulnerability. Over 53% of passwords end with one or more numbers, 17% begin with a number, 12% contain sequences that resemble years between 1950 and 2030, and 10% use years between 1990 and 2026. The common pattern of “easy word + number + symbol” remains prevalent.
Even incorporating symbols offers little protection. The ‘@’ symbol appears in 1 out of every 10 passwords, surpassing periods and exclamation marks. The sequence “1234” continues to be the most frequently used numerical pattern, and keyboard patterns like “qwerty” are found in 3% of passwords. In essence, the average user presents a significant security risk due to a lack of understanding regarding cybersecurity best practices and password creation criteria.
Kaspersky concludes with another critical, and dramatic, piece of information: 54% of passwords found in recent breaches had appeared previously. This aligns with an estimated average password lifespan of 3 to 5 years. Consequently, Kaspersky strongly recommends the use of password managers, the creation of random 16-to-20-character passwords, the adoption of 2FA via authentication apps (which are more secure than SMS), and the use of passkeys whenever possible. The RTX 5090 merely accelerates the inevitable with weak passwords; it is the user, surprisingly, who remains the weakest link in the security of any website or system, effectively serving as “cannon fodder” for powerful hardware and AI.
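The habits the study reports can be checked when a password is set. The following is an added example, not code from Kaspersky or the article: the regular expressions, function names and sample passwords are this example's own assumptions, and the only figure taken from the page is the 220 gigahashes per second MD5 rate.

```python
import re
import string

MD5_RATE = 220e9  # MD5 hashes per second for one RTX 5090, as quoted in the article

# Each check mirrors a habit named in the study; the regexes are assumptions of this example.
PATTERNS = {
    "ends_with_digits": re.compile(r"\d+$"),
    "starts_with_digit": re.compile(r"^\d"),
    "year_1950_2030": re.compile(r"(?<!\d)(19[5-9]\d|20[0-2]\d|2030)(?!\d)"),
    "contains_1234": re.compile(r"1234"),
    "keyboard_walk": re.compile(r"qwerty", re.IGNORECASE),
    "at_symbol": re.compile(r"@"),
}

def charset_size(pw):
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    for alphabet in (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation):
        if any(c in alphabet for c in pw):
            size += len(alphabet)
    return size

def exhaust_seconds(pw, rate=MD5_RATE):
    """Upper bound: seconds to try every string of this length over that alphabet.
    Predictable patterns let dictionary and rule attacks finish far sooner."""
    return charset_size(pw) ** len(pw) / rate

def audit(pw):
    """Return the predictable patterns found plus the exhaustive-search bound."""
    flags = sorted(name for name, rx in PATTERNS.items() if rx.search(pw))
    return {"flags": flags, "exhaust_seconds": exhaust_seconds(pw)}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any leak.
    for pw in ("qwerty1234", "summer2024!", "P@ssword1", "vG7#kq2LxW9!mZrT"):
        result = audit(pw)
        print(f"{pw!r}: flags={result['flags']} "
              f"exhaustive bound={result['exhaust_seconds']:.3g} s")
```

A password can have a long exhaustive-search bound and still be flagged: the bound only counts length and alphabet, while the flags mark the structure that guessing rules target first.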
