What makes a password strong enough to withstand the relentless advances of modern hackers? Until recently, most experts would have pointed to a complex, lengthy string of characters—ideally hashed with an algorithm like bcrypt—as the gold standard. But a new wave of affordable, high-powered hardware and the rising sophistication of phishing attacks are upending conventional wisdom, putting millions of accounts at risk and prompting urgent warnings from tech giants like Google.
On September 17, 2025, Cybernews published a sobering report: the availability of consumer-grade graphics cards, such as Nvidia’s RTX 5090, is making it easier and cheaper than ever for cybercriminals to brute-force even the most robust password hashes. Once reserved for research labs and enterprise clusters, these GPUs can now be rented by anyone on platforms like vast.ai for just a few dollars an hour. Companies often set up machines with multiple GPUs for AI model training, and when those machines sit idle, they’re rented out to offset costs—unwittingly giving hackers the raw power they need to break into accounts.
Specops, a cybersecurity firm, recently put this theory to the test. Their researchers spun up a cloud instance armed with eight RTX 5090 GPUs and set it loose on a 750,000-entry sample from the notorious RockYou password list. They generated bcrypt hashes with cost factors of 10, 12, and 14—settings previously considered more than sufficient to deter brute-force attacks. The results were alarming: the RTX 5090s proved about 65% faster than their predecessor at cracking these hashes, drastically reducing the time needed to break passwords once thought uncrackable.
“Post the release of the RTX 50-series cards, the availability and affordability of high-performance computing hardware have further increased, evolving the discussion of what should be considered a strong password,” Specops noted in its report, as quoted by Cybernews. In other words, what felt ironclad yesterday may be child’s play for today’s well-equipped attacker.
But brute force is just one weapon in the modern hacker’s arsenal. According to Specops, attackers often combine brute force with dictionary attacks, rule-based variations, and targeted wordlists built from leaked corporate data. That means even passwords that meet traditional complexity requirements—uppercase, lowercase, digits, special characters—aren’t necessarily safe if they’re based on predictable patterns or personal information.
So, what’s a user to do? Specops researchers recommend several best practices: use passwords with a minimum length of 18 characters, include multiple character classes, avoid organization- or personally relevant words, and rely on password generators to create truly random strings. And, perhaps most importantly, check to see if any of your previous passwords have been breached—and never reuse them.
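The recommendations above translate directly into a generator and a policy check. The Python below is an added example, not code from Specops, Google or the cited reports; the symbol set, the substitution table, and the breached and relevant-word lists are constructed assumptions.

```python
import math
import secrets
import string

MIN_LENGTH = 18  # minimum length recommended above
# Character classes; the symbol set is this example's own choice.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+[]{};:,.?"]
ALPHABET = "".join(CLASSES)

# Constructed sample data: stand-ins for a breached-password corpus and for
# words tied to the user or organization (assumptions, not from the article).
BREACHED = {"password123", "iloveyou", "Summer2025!Summer2025!"}
RELEVANT_WORDS = {"acme", "alice", "london"}
LEET = str.maketrans("0134@5$7", "oleaasst")  # undo common substitutions


def classes_used(pw):
    """Count how many character classes appear in pw."""
    return sum(any(c in chars for c in pw) for chars in CLASSES)


def check_password(pw, breached=BREACHED, relevant=RELEVANT_WORDS):
    """Return a list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if classes_used(pw) < 2:
        problems.append("single character class")
    if pw in breached:
        problems.append("breached")
    lowered = pw.lower()
    normalized = lowered.translate(LEET)  # "Acm3" -> "acme"
    if any(w in lowered or w in normalized for w in relevant):
        problems.append("relevant word")
    return problems


def generate_password(length=MIN_LENGTH):
    """Random password that uses every class and passes check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:  # rejection sampling: redraw until the policy is met
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_used(pw) == len(CLASSES) and not check_password(pw):
            return pw


def random_bits(length):
    """Entropy in bits of a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))
```

A long password that still fails, such as `Acm3-Portal-2025-Login!`, is the predictable-pattern case the article warns about: the check flags it because the substitution is undone before the word match.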
The stakes couldn’t be higher, especially when it comes to email. As MSN reported on September 18, 2025, Google is now warning its 2.5 billion Gmail users to stop relying on passwords altogether—not because of a direct breach of Gmail credentials, but due to a sharp increase in sophisticated phishing and impersonation attacks following a major Salesforce breach earlier this year.
The breach, orchestrated by the hacker group ShinyHunters (also known as UNC6040), compromised Salesforce systems and exposed business-related Gmail data, including contact lists, company associations, and email metadata. While no actual Gmail passwords were stolen, the stolen information is a goldmine for attackers crafting convincing phishing emails and fraudulent phone calls, or “vishing” attempts, that mimic Google’s own communication style. Some even use spoofed 650-area-code numbers to appear more legitimate.
Google’s own data paints a stark picture: phishing and vishing now account for about 37% of successful account takeovers across its services. With the Salesforce breach data in hand, hackers can tailor attacks that reference your real employer, colleagues, or recent communications—making it far more likely that you’ll trust the message and unwittingly hand over your credentials.
Cloudflare CTO John Graham-Cumming put it bluntly in an interview cited by MSN: “If you do not have a good password on your email, the rest of your life is pretty much wide open, because every single service out there does reset password by sending you an email. So if I can compromise your email, I can compromise pretty much everything else you have.”
Google’s response? Don’t just change your password—ditch passwords entirely if you can. The company has been pushing users toward passkeys, a new form of authentication that leverages device biometrics instead of memorized secrets. “A passkey, from an end user point of view, looks like the biometrics on your device,” explained Jeff Shiner, CEO of 1Password, in an interview referenced by MSN. “The cool thing about a passkey is that to the end user, you never have a password for that service. You just use your biometrics, and then a passkey is created. But, from a security point of view, it’s actually stronger than a password—even a strong password—because it can’t be phished.”
Still, most users aren’t ready to abandon passwords overnight. For those who must stick with them, Google offers a five-step security checklist: reset your Gmail password regularly with something unique and complex; turn on two-factor authentication (preferably using an authenticator app or passkey, not SMS codes); be skeptical of unsolicited messages, especially those that urge you to click links or share information over the phone; use Google’s Security Checkup tool to monitor account activity; and stay alert for suspicious behavior, such as unexpected login notifications or password reset requests.
These recommendations aren’t just theoretical. As the Cybernews and MSN reports make clear, attackers are already exploiting the new landscape. Affordable GPU rentals and leaked business data have made it possible for even small-time cybercriminals to launch attacks that once required nation-state resources. And with more than 2.5 billion accounts in play, Gmail remains one of the world’s most tempting targets.
This shift in the threat landscape is forcing organizations and individuals alike to rethink their approach to digital security. Passwords—once the cornerstone of online protection—are quickly becoming the weakest link. The combination of brute-force advances and highly targeted phishing means that even the most diligent users can fall victim if they rely solely on outdated defenses.
Ultimately, the message from experts is clear: vigilance is no longer optional, and complacency is a hacker’s best friend. Whether you’re protecting a corporate network or your personal inbox, it’s time to embrace stronger, more resilient security practices. That means longer, more complex passwords where necessary, but also a willingness to adopt new technologies like passkeys and app-based two-factor authentication. As the landscape continues to evolve, only those willing to adapt will stay a step ahead of the attackers.
In the fast-moving world of cybersecurity, yesterday’s best practices are today’s vulnerabilities. Staying safe means staying informed—and never underestimating the ingenuity of those on the other side of the screen.