PHILADELPHIA, PA — A roughly $2,100 server processor outperformed an eight-GPU system in Specops Software tests of the Argon2id password-hashing algorithm, spotlighting how memory-intensive security controls can blunt the advantage of expensive graphics hardware without eliminating the risk posed by weak or stolen credentials.
The Outpost24-owned password-security company measured 730 hashes per second using an AMD EPYC processor, compared with 490 hashes per second on a system equipped with eight Nvidia RTX 5090 graphics cards. Specops did not identify the specific EPYC model or disclose the full configuration and cost of the GPU system.
Argon2 is designed to consume substantial memory during password hashing, limiting the speed gains attackers can obtain by adding high-powered graphics processors. Argon2id, its recommended general-purpose variant, combines defenses against multiple forms of password-cracking attacks.
Specops reported that Argon2id processed about 490 hashes per second on the GPU system, compared with 221 billion hashes per second for SHA256 on the same hardware. That made Argon2id approximately 451 million times slower under the company’s test conditions.
At those rates, a password requiring one second to test against SHA256 would require more than 14 years against Argon2id, according to Specops’ calculation. The comparison illustrates the algorithm’s potential to raise the computing cost of brute-force attacks, though actual cracking times depend heavily on password strength, algorithm settings and available hardware.
The processor result also shows that attackers may be able to improve performance by using hardware better suited to memory-intensive workloads rather than relying exclusively on GPUs.
“Argon2 is a real step forward that makes brute forcing far more expensive than older algorithms,” Darren James, senior product manager at Specops, stated. “But harder is not the same as impossible, and no hashing algorithm can protect a password an attacker already has.”
Hashing provides no additional protection when an attacker obtains a password through phishing, information-stealing malware or an earlier data breach. Weak and predictable passwords also remain vulnerable to targeted guessing despite the slower processing rate.
Specops recommended minimum password lengths of 15 characters and argued that organizations should combine stronger hashing with controls that prevent employees from using exposed or easily guessed credentials.
The company released the findings as it added more than 60 million compromised passwords to its Breached Password Protection service, which checks credentials used in Microsoft Active Directory against known breached passwords.
Specops reported that its compromised-password database now contains more than 6 billion entries and is updated with data from its honeypot network and outside threat-intelligence sources. The company provides identity and password-security services to more than 3,000 organizations across 65 countries.
Support the local news that supports Chester County. MyChesCo delivers reliable, fact-based reporting and essential community resources—free for everyone. If you value that, click here to become a patron today.
