Everyone sees passwords every day, but honestly, do you really understand them?

It's just a cyber key, guarding your little secrets you'd rather keep hidden—your flirty chats, your late-night emotional rants, and even those "study materials" in your cloud drive. Without it, your digital identity is exposed in minutes.

But today, the editor is going to pour cold water on everyone: In front of an RTX 5090 graphics card, the carefully designed password you made may not be as strong as that rusty key on your front door.

Here's the thing: Kaspersky, the veteran antivirus software provider, recently conducted an absurd test: using an RTX 5090 to brute-force passwords.

Guess what?

Out of the 231 million real leaked password samples online, 60% were all cracked within an hour.

What's even more surprising is that 48% of the passwords didn't even last 60 seconds before surrendering completely.

So, guys who set "love5201314" as their password, don't think you're creating romance. You're basically stripping naked and handing yourself over to hackers on a platter.

So the question is, why does a graphics card that you use for gaming and running AI become a password cracker in the hands of hackers?

Let's dig into this today.

Because the databases of legitimate websites nowadays don’t store your plain-text passwords at all, buthash values (Hash)instead.

You can think of a hashing algorithm asa super precise digital paper shredder. You throw a password into it, and it shreds it into a jumble of ciphertext, like 2c103f2c4ed1e59c...

This thing has an awesome feature: one-way and irreversible.

You can't reverse-engineer the original password from the hash value, just as you can't turn the paper scraps in a paper shredder back into their original form.

When you log in to a website, the backend hashes the password you entered again and compares it with the one stored in the database. If they match, you're granted access.

What do hackers do then?

Crazy guess.

This is brute-force cracking, running through all possible password combinations, an exhaustive method, simple and crude but effective.

So, can a CPU handle this massive amount of computation?

The answer is: No, it's way off.

A CPU is like a highly educated all-round PhD who is good at complex logical judgments. But no matter how powerful it is, it only has a few dozen cores and can only handle a few tasks at a time.

What about graphics cards? Thousands of small cores fight side by side.

Take the RTX 5090 as an example, it has 21,760 CUDA cores.

Don't underestimate a single CUDA core—it's not the smartest, but there are just so many of them! It's naturally built to handle massive amounts of simple, repetitive calculations.

Let's look at the data:

RTX 5090 MD5 cracking speed: 220 billion operations per second (220 Gh/s)

In other words, it can attempt and verify 220 billion password combinations per second.

What about an 8-digit all-numeric password? At most 100 million combinations.

5090, done in the blink of an eye.

So you think you have a complex password?

In the eyes of 5090, you're basically running naked.

Don't rush to change your password just yet. Let me finish.

Kaspersky used the MD5 algorithm for this test.

What is MD5? It's an old relic in the cybersecurity world, with an extremely fast calculation speed. For GPU-based cracking, it's simply like "a fat pig walking into a slaughterhouse — walking right into the knife".

And nowadays, many regular websites are using "slow hashing" algorithms like bcrypt and Argon2. What does "slow" mean? They are deliberately designed to be slow—even 5090 has to wait in line, and its efficiency is cut to a fraction.

Kaspersky's move this time is more like a reminder to websites still using MD5: guys, it's time to upgrade.

In addition, the difficulty of brute-force attacks increases exponentially.

An 8-digit password using only numbers has 100 million combinations, and the 5090 can crack it easily.

But if we add uppercase and lowercase letters, numbers and symbols, the number of combinations directly surges to about 218 trillion, which is a million times harder than pure numbers.

What if you increase the length to more than 12 characters? Then the number of combinations becomes even more absurd. Even if you give me 100 RTX 5090 cards running at full capacity non-stop, it would take forever to crack them.

Conclusion: The essence of your password being cracked is that you're too lazy

Put simply, the fundamental reason why most people's passwords are easy to crack is laziness.

Using the same password across all platforms, or simply using something like abcd5678 or qwerty123, is not a password in the eyes of hackers—it's a backdoor to log in without credentials.

Finally, a few life-saving tips:

Make the password length more than 12 characters, use uppercase and lowercase letters, numbers and special symbols, add as many as possible.

Don't store all your passwords in the browser at once, some browsers will directly load all your plaintext passwords into memory, and hackers can copy them all with a memory reading tool.

Get a password manager if you can, use a different password for each website, and drive hackers crazy trying to guess them

Alright, that's all for today's popular science explanation.

If you find this useful, share it with your friends who still use 123456.