That password your organization told you was "strong"?
The one with 15 characters, mixed case, numbers, and special characters? It's not strong anymore. In fact, it hasn't been strong for a while, but the security industry has been slow to update its recommendations.
With NVIDIA's RTX 5090 available at the start of the year, we've crossed a critical threshold. GPU-based password cracking has become so efficient and accessible that the old standards are effectively obsolete. It's time for a reality check about what actually constitutes a secure password in 2025.
Modern GPU Password Cracking: The Real Numbers
Let's start with the hard data. Here's what current GPU setups can achieve when cracking password hashes:
Hash Cracking Speeds (2025 Hardware)
| GPU Configuration | MD5/NTLM Speed | SHA-256 Speed | bcrypt (cost 10) | Argon2id (cost parameters not stated) |
|---|---|---|---|---|
| RTX 4090 | ~136 GH/s | ~23 GH/s | ~180 H/s | ~15 KH/s |
| RTX 5090 | ~190 GH/s | ~32 GH/s | ~250 H/s | ~21 KH/s |
| 8× RTX 4090 cluster | ~1.1 TH/s | ~184 GH/s | ~1.4 KH/s | ~120 KH/s |
| 8× RTX 5090 cluster | ~1.5 TH/s | ~256 GH/s | ~2 KH/s | ~168 KH/s |
Note: GH/s = billion hashes per second, TH/s = trillion hashes per second, KH/s = thousand hashes per second. All figures are approximate: the slow-hash rates in particular depend on the cost parameters (bcrypt work factor, Argon2 memory and time cost) the target system chose, and the same GPU can be orders of magnitude slower against a properly tuned deployment.
What This Means in Practice
For a typical 15-character password like MyP@ssw0rd!2025 (a dictionary word with leet substitutions, a prefix and a year on the end):
- Against MD5/NTLM (still common in corporate environments): Cracked in seconds to days, depending on how far down the attacker's rule set this particular pattern sits
- Against SHA-256: Minutes to weeks
- Against bcrypt (cost 10): Years to centuries even for the pattern-based estimate; a truly random 15-character string is out of reach
- Against Argon2id: Years at the table's rate, which assumes light parameters; with memory and time cost set to what the server can afford, each guess costs far more than bcrypt's. Most systems don't use it - yet!
None of these times come from exhausting the 98-bit keyspace of 15 printable characters; that search would take billions of years even against MD5. They come from the attacker guessing the human pattern, which collapses the search to roughly 45 bits (see the entropy table below).
The problem? Most organizations are still using fast hashes like NTLM for Active Directory or ancient systems with MD5. Even those using SHA-256 aren't safe from determined attackers with GPU clusters.
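To see where numbers like these come from, here is an added example (not code from the original post) that turns entropy and the table's 8× RTX 5090 rates into expected crack times. The rates are the table's own order-of-magnitude values, and the 45-bit figure is the post's practical-entropy estimate for a human-made 15-character password; the "expected" time assumes the attacker finds the password halfway through the keyspace on average.

```python
"""Expected crack time from entropy and hash rate.

Added example; not part of the original post. The hash rates are the
8x RTX 5090 cluster figures from the table above (order-of-magnitude
values) and the 45-bit figure is the post's practical-entropy estimate
for a human-made 15-character password.
"""
import math

# Guesses per second for the 8x RTX 5090 cluster, as listed in the table.
CLUSTER_RATES = {
    "MD5/NTLM": 1.5e12,
    "SHA-256": 256e9,
    "bcrypt (cost 10)": 2e3,
    "Argon2id (table's parameters)": 168e3,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95  # the alphabet the post's "theoretical entropy" column assumes


def random_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return (2.0 ** entropy_bits / 2) / guesses_per_second


def humanize(seconds):
    """Rough human-readable scale for a duration in seconds."""
    years = seconds / SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if years < 1:
        return f"{seconds / 86400:.0f} days"
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years:.1e} years"


def crack_times(entropy_bits):
    """Expected crack time in seconds against each hash in the table."""
    return {name: expected_crack_seconds(entropy_bits, rate)
            for name, rate in CLUSTER_RATES.items()}


if __name__ == "__main__":
    cases = {
        "15 chars, human-made (practical ~45 bits)": 45.0,
        "15 chars, random": random_entropy_bits(15),
        "20 chars, random": random_entropy_bits(20),
        "30 chars, random": random_entropy_bits(30),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits")
        for name, secs in crack_times(bits).items():
            print(f"  {name:<30} {humanize(secs)}")
```

Run it and the two lessons of this section fall out of the arithmetic: a 45-bit human pattern against NTLM is gone in about twelve seconds, while the same pattern against bcrypt at cost 10 takes a few centuries, and any genuinely random string of 20 or more characters is beyond reach against every hash in the table.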
Why Dictionary Words Are Dead
The classic XKCD "correcthorsebatterystaple" approach was revolutionary when it was published. Today, it's a liability.
Here's why:
The Dictionary Attack Evolution
Modern password crackers don't just try random combinations. They use:
- Curated wordlists: Not 170,000 English words, but the 10,000 most common password words
- Hybrid attacks: Dictionary words + common patterns (years, symbols at the end)
- Rule-based mutations: Automatic substitutions (@ for a, 3 for e, etc.)
- Markov chains: Ordering guesses by the character and word sequences humans actually produce, so the likeliest candidates are tried first
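The following added example (not code from the original post) is a toy rule engine in the spirit of a cracker's rule files, with a constructed six-word list and a handful of mutation rules. It shows that MyP@ssw0rd!2025 is not a 98-bit string at all but "password" plus three mechanical rules, and it computes the real size of a wordlist-times-rules search space.

```python
"""Toy rule engine in the style of a password cracker's rule files.

Added example; not from the original post. The wordlist and rules below
are constructed for illustration and are far smaller than what an
attacker runs, which is exactly the point: MyP@ssw0rd!2025 is one
dictionary word plus three mechanical rules.
"""
import itertools
import math

# Constructed stand-in for "the 10,000 most common password words".
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey", "letmein"]

# Substitutions a cracker applies automatically ("leet" rules).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}

PREFIXES = ["", "My", "my"]
SUFFIX_SYMBOLS = ["", "!", "!!", "#", "1"]
YEARS = [""] + [str(y) for y in range(2020, 2026)]


def leet(word):
    """Apply the substitution table to every matching character."""
    return "".join(LEET.get(c, c) for c in word)


def capitalize(word):
    """Capital at the beginning, where humans put it."""
    return word[:1].upper() + word[1:]


def base_forms(word):
    """The four case/leet variants a rule set derives from one word."""
    return list(dict.fromkeys([word, capitalize(word), leet(word), capitalize(leet(word))]))


def mutate(word):
    """Yield every candidate the rule set produces from one base word."""
    for base in base_forms(word):
        for prefix, symbol, year in itertools.product(PREFIXES, SUFFIX_SYMBOLS, YEARS):
            yield f"{prefix}{base}{symbol}{year}"


def find_base_word(target, wordlist=WORDLIST):
    """Return the dictionary word a target was derived from, or None."""
    for word in wordlist:
        if any(candidate == target for candidate in mutate(word)):
            return word
    return None


RULES_PER_WORD = 4 * len(PREFIXES) * len(SUFFIX_SYMBOLS) * len(YEARS)  # 420


def effective_bits(wordlist_size, rules_per_word=RULES_PER_WORD):
    """Size in bits of wordlist x rules: the attacker's real keyspace."""
    return math.log2(wordlist_size * rules_per_word)


if __name__ == "__main__":
    target = "MyP@ssw0rd!2025"
    print(f"{target!r} derives from {find_base_word(target)!r}")
    print(f"candidates for this toy list: {len(WORDLIST) * RULES_PER_WORD}")
    bits = effective_bits(10_000)
    print(f"10,000 words x {RULES_PER_WORD} rules = {bits:.1f} bits")
    print(f"exhausted in {2 ** bits / 1.5e12:.2e} seconds at the table's 1.5 TH/s")
```

With 10,000 words and these 420 rules the whole space is about 22 bits, a few million candidates, which the cluster in the table above exhausts in microseconds. Real rule sets are thousands of rules deep, which widens the space but not nearly enough to matter against a fast hash.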
The Math Doesn't Lie
Let's compare actual entropy:
| Password Type | Example | Theoretical Entropy | Practical Entropy | Time to Crack (2025 GPU cluster) |
|---|---|---|---|---|
| 4 dictionary words | correcthorsebatterystaple | 66 bits | ~40 bits | Days to weeks |
| 15 chars (human-made) | MyP@ssw0rd!2025 | 98 bits | ~45 bits | Hours to days |
| 20 random chars | K8$mN2@pL9&xR4Qw7Tz! | 131 bits | 131 bits | Longer than the age of the universe |
| 30 random chars | (see example below) | 197 bits | 197 bits | Heat death of universe |
Example 30-character password: Kj8$mN2@pL9&xR4Qw7TzB5#vC6!nM3
The key difference: practical entropy vs theoretical entropy. Humans are predictable and use patterns. You will pick memorable words. You put numbers at the end and capitals at the beginning. Attackers know this.
The Case for 30 Characters
Here's why 30 characters should be your new minimum for critical accounts:
1. GPU Clusters Are Getting Faster
The RTX 5090 is 40% faster than the 4090 at password cracking. The next generation will be even faster. Cloud services now offer GPU clusters for rent by the hour.
2. Breach Data Is Everywhere
With billions of passwords leaked in breaches, attackers have unprecedented data about human password patterns. They know:
- Which words people actually use
- Common substitution patterns
- How people modify passwords between sites
- Cultural and demographic password preferences
3. Quantum Computing Is Coming
While not here yet, large quantum computers would break today's public-key cryptography (RSA, elliptic curves) outright. Against a password hash they are far less dramatic: Grover's algorithm gives only a quadratic speedup, roughly halving the effective bit strength. A 197-bit random password still leaves about 98 bits of work, whereas a 45-bit human pattern would be left with about 22. A 30-character password therefore provides a comfortable buffer against both current and near-future threats.
4. Memory Is No Longer an Excuse
Password managers are ubiquitous. You never need to remember these passwords and almost never need to type them. There's negligible usability cost to going from 15 to 30 characters when it's all handled by software.
Universal Rules
- No dictionary words, ever. Not even "random" ones (the memorized master password below is the one exception)
- Fully random generation only. Let the password manager do it.
- Unique passwords everywhere. No exceptions.
- Enable MFA/passkeys wherever possible.
Special Cases and Exceptions
Master Passwords
Your password manager's master password is the one credential you have to memorize, so if it has to be a password at all, use this method:
- Use 8+ words chosen at random (dice or the manager's generator, never by hand) from the EFF long word list (7,776 words)
- Supporting post: https://www.a6n.co.uk/2025/12/the-15-word-fortress-creating.html
- Example: glazier-caucus-reopen-county-urgency-wrath-retouch-buckskin (entropy: 8 × log2(7776) ≈ 103 bits)
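Both recipes, the 30-character random password from the Universal Rules and the randomly chosen word list above, as an added example that is not the post's own code. It draws every pick from the operating system CSPRNG via the secrets module and reports the entropy of each result. The three-line word list embedded here is a constructed sample in the EFF file layout; feed parse_eff_wordlist the real 7,776-line file to get the ~103 bits quoted above.

```python
"""Generate what the post recommends: a fully random 30-character password
for accounts, and an 8-word passphrase for the one password you must memorize.

Added example; not from the original post. The three-word sample below is a
constructed stand-in for the EFF long list; point parse_eff_wordlist at the
real file (7,776 lines of "<dice roll><tab><word>") to get the ~103 bits the
post quotes for 8 words.
"""
import math
import secrets
import string

# 94 printable ASCII characters excluding space (the post's 95 includes space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=30, alphabet=ALPHABET):
    """Uniformly random password from the CSPRNG, one independent pick per position."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_eff_wordlist(text):
    """Parse EFF-style lines ("11111<tab>abacus") into a list of words."""
    words = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            words.append(parts[1])
    return words


def passphrase(words, count=8, separator="-"):
    """Diceware-style passphrase: each word chosen uniformly and independently."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices_per_pick, picks):
    """Entropy of `picks` independent uniform choices among `choices_per_pick` options."""
    return picks * math.log2(choices_per_pick)


# Constructed sample in the EFF file layout; the real list has 7,776 entries.
SAMPLE_EFF_TEXT = "11111\tabacus\n11112\tabdomen\n11113\tabdominal\n"
EFF_LONG_LIST_SIZE = 7776


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    words = parse_eff_wordlist(SAMPLE_EFF_TEXT)
    print(passphrase(words), f"(only {entropy_bits(len(words), 8):.1f} bits: tiny sample list)")
    print(f"8 words from the full EFF list: {entropy_bits(EFF_LONG_LIST_SIZE, 8):.1f} bits")
```

The entropy figure is honest only because every pick is independent and uniform; a human "choosing random words" or the random module seeded from the clock would not earn the same number.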
Accounts with Good MFA
If an account has proper MFA (not SMS), you can use 20 characters instead of 30. The MFA provides an additional security layer that compensates for the shorter password.
The Myth of Password Complexity Rules
Security policies requiring "at least one uppercase, one lowercase, one number, and one symbol" actually reduce security. Here's why:
- Predictable patterns: Humans put capitals at the beginning, numbers at the end
- Reduced keyspace: Rules reject the purely random strings that happen to lack a class, so a generator has slightly fewer strings to draw from
- False security: Makes 8-character passwords seem "strong"
- User frustration: Leads to password reuse and weak variations
- Active Directory complexity only requires 3 of its character categories, so a policy that reads like four mandatory classes is weaker in practice than it looks
The only rule that matters: length and randomness.
What About Passphrases?
The industry push toward "memorable passphrases" was a compromise between security and usability. In 2025, this compromise is no longer necessary or acceptable.
Problems with passphrases:
- Still vulnerable to dictionary attacks
- Humans pick predictable words
- Grammar patterns reduce entropy
- Different languages have different vulnerabilities
- Pop culture references are particularly weak
The solution: Stop trying to remember passwords. Use a password manager.
Technical Implementation Notes
- Audit your hash algorithms - upgrade legacy systems
- Increase minimum password lengths to at least 20 characters (30 for critical accounts), and remove any maximum-length limit that blocks them
- Deploy password managers organization-wide
- Implement SSO and MFA wherever possible
- Regular security training on why length matters more than complexity
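The hash audit and upgrade from the first note above, as an added example that is not the post's own code. It classifies stored hash strings by format, counts the fast ones that need fixing, and shows the rehash-on-login pattern that migrates a user off an unsalted hash the next time they authenticate, without knowing their password in advance. PBKDF2-HMAC-SHA256 from the standard library stands in for the slow hash so the example runs offline; the user table is constructed, with the MD5 and SHA-256 entries being the unsalted hashes of the string "password".

```python
"""Audit stored password hashes and upgrade fast ones transparently at login.

Added example; not from the original post. Sample hash strings are
constructed (the MD5 and SHA-256 values are the unsalted hashes of the
string "password"; the bcrypt/Argon2 strings are shape-only placeholders).
The slow hash used here is PBKDF2-HMAC-SHA256 from the standard library so
the example runs without third-party packages; in production use Argon2id
(argon2-cffi) or bcrypt, as the post recommends.
"""
import hashlib
import hmac
import os
import re
from collections import Counter

# (pattern, name, fast): fast means cheap enough to attack at GPU speed.
FORMATS = [
    (re.compile(r"^\$argon2(id|i|d)\$"), "Argon2", False),
    (re.compile(r"^\$2[abxy]\$"), "bcrypt", False),
    (re.compile(r"^\$pbkdf2-sha256\$"), "PBKDF2-SHA256", False),
    (re.compile(r"^\$[56]\$"), "sha256crypt/sha512crypt", False),
    (re.compile(r"^\$1\$"), "md5crypt", True),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "unsalted MD5 or NTLM", True),
    (re.compile(r"^[0-9a-fA-F]{40}$"), "unsalted SHA-1", True),
    (re.compile(r"^[0-9a-fA-F]{64}$"), "unsalted SHA-256", True),
]


def classify(stored):
    """Return (format name, is_fast) for a stored hash string."""
    for pattern, name, fast in FORMATS:
        if pattern.match(stored):
            return name, fast
    return "unknown", True  # unknown formats get reviewed, not trusted


def audit(hashes):
    """Count stored hashes by format, split into fast (to fix) and slow."""
    fast, slow = Counter(), Counter()
    for h in hashes:
        name, is_fast = classify(h)
        (fast if is_fast else slow)[name] += 1
    return fast, slow


PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def slow_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing modular-crypt-style string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_slow(password, stored):
    """Recompute PBKDF2 with the stored salt and iteration count; constant-time compare."""
    _, _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_legacy(password, stored):
    """Check a password against an unsalted fast hash. A 32-hex value is treated
    as MD5 here; real NTLM is MD4 over UTF-16LE and needs its own verifier."""
    name, _ = classify(stored)
    if name == "unsalted MD5 or NTLM":
        digest = hashlib.md5(password.encode()).hexdigest()
    elif name == "unsalted SHA-256":
        digest = hashlib.sha256(password.encode()).hexdigest()
    else:
        raise ValueError(f"no legacy verifier for {name}")
    return hmac.compare_digest(digest, stored.lower())


def login(password, stored):
    """Verify a login. Returns (ok, replacement_hash): replacement_hash is a
    fresh slow hash to write back when the stored one is a fast format."""
    name, fast = classify(stored)
    if name == "PBKDF2-SHA256":
        return verify_slow(password, stored), None
    if not fast:
        raise ValueError(f"{name}: verify with that algorithm's own library")
    ok = verify_legacy(password, stored)
    return ok, (slow_hash(password) if ok else None)


# Constructed sample user table.
SAMPLE_HASHES = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # MD5("password")
    "bob": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",  # SHA-256("password")
    "carol": "$2b$12$" + "x" * 53,  # bcrypt, placeholder shape only
    "dave": "$argon2id$v=19$m=65536,t=3,p=4$" + "x" * 22 + "$" + "x" * 43,  # Argon2id, placeholder
}

if __name__ == "__main__":
    fast, slow = audit(SAMPLE_HASHES.values())
    print("needs upgrade:", dict(fast))
    print("already slow:", dict(slow))
    ok, new_hash = login("password", SAMPLE_HASHES["alice"])
    print("alice login ok:", ok, "-> rehashed as", new_hash[:22] + "...")
    print("next login verifies the new hash:", login("password", new_hash))
```

Users who never log in again keep their fast hash, so pair this pattern with a deadline after which untouched legacy hashes are invalidated and those users go through a reset.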
Beyond Passwords?
While this article focuses on passwords, the real future is passwordless:
- Passkeys: WebAuthn/FIDO2 credentials tied to devices
- Biometric authentication: Face/fingerprint with proper implementation
- Hardware tokens: Physical security keys
But until these technologies are universal, passwords remain critical. Make them long, random, and unique.
Common Objections, Answered
"30 characters is overkill!" Not against modern GPU clusters. It's the minimum for long-term security.
"My users will revolt!" They don't need to remember them. Deploy password managers.
"Our system doesn't support long passwords!" Then your system is broken. Fix it or accept the risk.
"We have MFA, so passwords don't matter!" MFA can be bypassed through social engineering, SIM swapping, or malware. Defense in depth matters.
"Dictionary words with numbers and symbols are fine!" No. Hybrid attacks specifically target these patterns.
Conclusion
The password security landscape has fundamentally changed. GPU technology has advanced faster than security recommendations. The RTX 5090 and its successors will only accelerate this trend.
Your choice is simple:
- Adapt to 30+ character random passwords now
- Accept that your accounts will be compromised
There is no middle ground. The math is unforgiving, and attackers don't care about your convenience.
TL;DR
- Minimum 30 random characters for critical accounts
- No dictionary words, even in "random" combinations
- Use a password manager - no exceptions
- Unique passwords everywhere
- Enable MFA/passkeys as additional layers
- The RTX 5090 and the hardware that follows it have changed the game - adapt or get hacked!