Do AI GPUs Make Password Cracking Faster? Testing Nvidia H200 and AMD MI300X

The technology world is currently obsessed with Artificial Intelligence (AI) compute. Demand for GPUs has surged, prices for memory and semiconductor capacity have risen, and manufacturers are racing to build increasingly powerful AI accelerators such as Nvidia’s H200 and AMD’s MI300X.

With so much computing power now dedicated to training large language models, it raises a natural question for cybersecurity professionals: what impact will AI GPUs have on password cracking? Does this massive leap in compute power make it dramatically faster to brute force password hashes?

At first glance the answer might seem obvious. If these accelerators can train models as large as ChatGPT, surely they could tear through password hashes at unprecedented speed. But the reality turns out to be more interesting, and somewhat counter-intuitive.

Testing AI accelerators with Hashcat

The Specops research team has previously published research on how long it takes attackers to brute force hashed passwords. In separate tests of MD5, bcrypt, and SHA-256, we measured how quickly each hashing algorithm could be cracked using the same hardware environment.

To understand the potential impact of GPUs on password cracking, we can look at benchmark results from Hashcat, one of the most widely used password recovery tools. Hashcat benchmarks provide a useful way to estimate how quickly hardware can generate hashes when attempting to recover the original password.

In simple terms, the faster a system can compute hashes, the faster it can test candidate passwords until the correct one is found.

For this comparison, we looked at benchmarks for two leading AI accelerators:

• Nvidia H200
• AMD MI300X

These systems are commonly used in large AI training clusters and represent the current generation of enterprise AI hardware. We also included the Nvidia RTX 5090, a flagship consumer graphics card that is typically used for gaming and content creation.

These products are generally considered to be in competition with each other and are directly comparable. We are not discussing Intel options here, as the company does not currently offer a directly comparable AI accelerator in this category.

Hashcat performance benchmarks: H200 vs. MI300X vs. RTX 5090

Looking at the table, the limitation of AI hardware becomes immediately obvious. In almost every category, especially the common NTLM and MD5 hashes, the “gaming” card (RTX 5090) significantly outperforms the enterprise AI accelerators that cost ten times as much.

Why AI accelerators struggle with password cracking

So, how does a $30,000+ AI chip lose to a consumer GPU? It comes down to optimization and how these systems are designed.

Password cracking is typically implemented using INT32 (32-bit integer) operations. To find a match, the hardware needs to generate a candidate, hash it, and compare it. This process gains zero benefit from floating-point optimizations.

AI accelerators, however, are designed for a very specific, narrow workload: Large Language Models.

• Wide Single Instruction, Multiple Data (SIMD): They are built to perform SIMD operations across massive datasets.
• Tiny datatypes: They use “small” math (FP4, FP8 or FP16 floating points) to pack as much data as possible into a calculation. This enables them to pack massive numbers of values into vector operations, which delivers extremely efficient matrix calculations across huge datasets.
• Memory over compute: They sacrifice general-purpose flexibility for High Bandwidth Memory to avoid the “lag” of seeking data from storage.

Think of an AI accelerator as a professional racing bicycle. It is stripped of everything (e.g. baskets, kickstands) unnecessary to do one thing: go fast over long distances. If you try to use it to haul groceries or ride a rough trail (the “general compute” of password cracking), it performs worse than a standard bike (the RTX 5090).

In effect, AI accelerators trade flexibility for specialization.

What is the best GPU for password cracking?

The Nvidia RTX 5090 is one of the best GPUs for password cracking currently on the market. Consumer GPUs are designed to support a broad range of workloads, including gaming, rendering, and general-purpose computing. Because of this, they maintain more balanced support for different instruction types, including the integer operations required for password hashing. This makes them more versatile when running tools like Hashcat.

If an AI accelerator is a professional racing bicycle, a consumer GPU like the RTX 5090 is more like a cyclocross bike. It may not be perfectly optimized for one specific workload, but it performs well across a wide variety of tasks. When it comes to password cracking, that versatility gives consumer GPUs the advantage.

Enforce compliance requirements and block compromised passwords in Active Directory.

What this means for password security

The growth of AI infrastructure does not suddenly make password hashing obsolete. Even if AI accelerators become more widely available through cloud platforms or secondary markets, they are not particularly well suited to password cracking workloads.

This hardware is built for a very specific computational workload and does not repurpose well for general compute. There is no looming threat on the horizon of the AI hardware coming for your passwords.

Attackers attempting to recover hashes will likely continue using consumer GPUs or GPU clusters rather than specialized AI accelerators. However, this does not mean organizations can ignore password security.

As the RTX 5090 shows, consumer hardware is still terrifyingly fast. Armed with Nvidia’s flagship GPU, attackers can target weak algorithms such as MD5 and NTLM with hundreds of billions of guesses per second.

A standard gaming PC can still shred a weak hash in seconds. Furthermore, smart hardware isn’t needed if an attacker has a high-quality wordlist; at that point, the time-to-crack becomes nearly instant through simple password reuse. Even moderately complex passwords can be recovered quickly if they are predictable or reused.

Passwords aren’t obsolete

Organizations should focus on strengthening password policies that address real risks, not hypothetical threats from AI hardware. To stay secure in today’s high-compute environment, organizations should focus on three areas:

Enforce longer passwords or passphrases: As hardware gets faster, passwords must get longer. Passphrases of 15+ characters dramatically increase the time required for brute force attacks, even with powerful GPUs.

Specops Password Policy extends native Active Directory (AD) policies with granular controls, including custom dictionaries that block industry-specific terms, seasonal patterns, and common character substitutions, helping users create truly unique credentials.

Block known compromised passwords: Prevent users from choosing passwords that already exist in breach datasets. Specops Password Policy with Breached Password Protection continuously checks passwords against a database of 5.4 billion compromised credentials. Passwords are blocked at creation and continuously scanned throughout their lifecycle in AD to detect exposure in new breach datasets or infostealer logs.

Implement layered identity security: Passwords should not stand alone. Multi-factor authentication helps prevent attackers from gaining access even when credentials are compromised. Specops Secure Access adds an additional verification step for Windows logon, RDP, and VPN access, helping organizations strengthen identity security alongside Specops Password Policy and Specops Breached Password Protection.

Book a demo to see how you can strengthen password security and block compromised credentials.