766 trillion years to find a 20-character code like a randomly generated password with Freemindtronic Andorra's EviCypher technology


766 trillion years is the result a simulator gives for the time needed to find a randomly generated 20-character code produced by EviCypher.

For comparison, the age of the universe is estimated at only 14 billion years.

How did I obtain this result, which you can check for yourself?

We used the Password Strength Calculator developed by Bob Beeman [1] which was last updated on January 4, 2013.

This simulator, along with its source code, is freely available on the www.bee-man.us website.

Why did you choose this simulator?

There are other simulators such as lastbit.com [2], password-checker.online-domain-tools.com [3] and in particular that of ANSSI [4] ssi.gouv.fr. But I opted for Mr. Bob BEEMAN’s simulator for the transparency of his calculation method and the technical approach to brute force attacks.

First of all, we must thank the author of this code, Mr. Bob BEEMAN, who allows us to freely access and copy his code while respecting his copyrights, which he explains on his website. We hope to help him surpass his record of 15 milliseconds of glory 😉.

Now that you are able to check his code, let’s look at his reference to an ultra-powerful computer, designed in 2012 and dedicated to attacking passwords.

This approach seemed important to me, to give you an idea of the state of the art and of the technology used to attack a password by brute force.

Bob Beeman’s simulator takes into account the computational capability of a computer, including the one designed in 2012, to carry out brute force attacks on passwords. To do this, you just need to change the value of “Hacker: Axes /Second”. This is an important point if you want to redo the calculation with a more powerful computer, and it gives you a point of reference and comparison.

I deliberately kept the default example proposed by Bob Beeman: 60×10^9 (60 billion) per second.

To get the result, choose 94 symbols, a password length of 20 characters, and a 50% probability of success relative to the theoretical result. The result in years is 766,076,000,000,000,000,000, or 766 trillion [5] years on the long scale (766 × 10^18).
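The calculation behind that figure, as an added example (not Bob Beeman's code and not part of the original article). It goes beyond the single case above by tabulating shorter lengths and finding the shortest length that outlasts the age of the universe; the function names and the 365.25-day year are assumptions.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 31_557_600         # 365.25 days (assumed year length)
BEEMAN_DEFAULT_RATE = 60 * 10**9      # guesses/s, the simulator default used on this page
GOSNEY_NTLM_RATE = 348 * 10**9        # NTLM hashes/s, the 2012 cluster quoted on this page
AGE_OF_UNIVERSE_YEARS = 14 * 10**9    # comparison point used on this page


def years_to_find(symbols, length, guesses_per_second,
                  success_probability=Fraction(1, 2)):
    """Years of exhaustive search until the password is found with the
    given probability (1/2 means half of the keyspace has been tried)."""
    guesses = Fraction(symbols ** length) * success_probability
    return float(guesses / guesses_per_second / SECONDS_PER_YEAR)


def min_length_for(symbols, guesses_per_second, target_years):
    """Shortest random password whose 50% search time reaches target_years."""
    length = 1
    while years_to_find(symbols, length, guesses_per_second) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # Each extra character multiplies the search time by the alphabet size (94).
    for length in (8, 12, 16, 20):
        years = years_to_find(94, length, BEEMAN_DEFAULT_RATE)
        print(f"94 symbols, {length:2d} characters: {years:.3e} years")
    print("20 characters at the Gosney rate:",
          f"{years_to_find(94, 20, GOSNEY_NTLM_RATE):.3e} years")
    print("shortest length outlasting the age of the universe:",
          min_length_for(94, BEEMAN_DEFAULT_RATE, AGE_OF_UNIVERSE_YEARS))
```
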

This approach also has the advantage of giving you an idea of the financial means needed to set up a computer system capable of finding the password.

Consider the reference computer: Gosney’s configuration uses a pool of 25 virtual AMD GPUs to brute-force even very strong passwords. A single computer of this type is only capable of generating 348 billion NTLM password hashes per second. However, at about $30,000 per unit in 2012, and with an expected result in 766 trillion years, you have to plan to buy several.

So, to find just one 20-character password generated with the EviTag NFC or EviCard NFC solution within a year, you would have to invest nearly $25 Billiards, when the global cost of military spending [6] is estimated at $1.7 Billion!

You now have a clearer idea of the level of resistance to brute force attacks of the passwords generated by our solutions. Bear in mind that this test is carried out without the activation and use of our other countermeasures against brute force attacks, such as physical blockchain and jamming.

This will probably be the subject of a new article.

To finish illustrating this article, I use another point of reference: the ANSSI website [7], whose simulator, limited to 20 characters and 90 symbols, gives a score of 130, which is the maximum. This score compares this type of password to the smallest key size of the standard AES encryption algorithm (128 bits). Our password generators exceed this maximum of 130, since we have 20 characters with 94 symbols [8].

The purpose of this article is to allow you to form your own opinion on the level of resistance of our password generators in the face of a brute force attack.

Of course, we are not the only ones; other powerful password generators exist. This is why the test is at the same level of comparison as the other generators, with equivalent implementation.

The password generator embedded in our solutions is updated to maintain a level of complexity in order to withstand the evolution of brute force attacks, whether at the technical or mathematical level and above all without changing the comfort of use. This last, and most important, point is the most complex to implement.

To create our passwords we currently use ISO/IEC 646-02 or ISO/IEC 646-06 (ASCII) [9], which has 95 printable characters. Our solutions use 94. This standard provides near certainty that these original ASCII characters are present and printable on all computer systems.

Thus, our solutions remain as nomadic as possible. Indeed, our solutions are already translated into 11 languages. Some of which will soon involve the integration of an extended ASCII such as Arabic, Chinese, Japanese, Korean and Russian.

We have three options for creating passwords. In the first, the user chooses his password from the 94 available characters. In the second, semi-automatic, the user generates a password, then changes it. In the last, everything is done fully automatically, according to default criteria that the user can set, up to 20 characters.

The user can choose the type of password and/or identifier generation: letters and/or numbers, without the symbols. This makes it possible to adapt to the constraints of websites that do not accept all symbols and limit the number of characters.

We have also implemented a hexadecimal generator to help program digicodes. It can be used in different settings, such as electronics, electromechanics and maintenance services, to create or modify the codes of a digicode. This makes it very easy to manage a building’s access codes. Changing a code so that it is always unique becomes very easy for Madame MICHU. In addition, it is possible to share this code safely with all residents of the building, thanks to the “jamming” function with Freemindtronic’s EviAlpha technology or by QR Code encrypted with Freemindtronic’s EviCypher technology.
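What the character-set options above cost in strength, as an added example (not Freemindtronic's implementation, which the article does not describe). The names `ALPHABETS`, `generate`, `entropy_bits` and `equivalent_length` are illustrative, and the comparison with the ANSSI score assumes that score is an equivalent key size in bits.

```python
import math
import secrets
import string

ALPHABETS = {
    # 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII
    # characters (the 95th printable character, the space, is left out)
    "full": string.ascii_letters + string.digits + string.punctuation,
    "alnum": string.ascii_letters + string.digits,  # sites that refuse symbols
    "hex": "0123456789ABCDEF",                      # hexadecimal access codes
}


def generate(length=20, alphabet="full"):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    chars = ALPHABETS[alphabet]
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits(symbols, length):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(symbols)


def equivalent_length(alphabet, ref_symbols=94, ref_length=20):
    """Shortest length over `alphabet` whose keyspace is at least as large as
    the reference keyspace (exact integer comparison, no rounding)."""
    size, target = len(ALPHABETS[alphabet]), ref_symbols ** ref_length
    length = 1
    while size ** length < target:
        length += 1
    return length


if __name__ == "__main__":
    print("sample:", generate())
    print(f"90 symbols x 20: {entropy_bits(90, 20):.2f} bits")  # ANSSI limit
    print(f"94 symbols x 20: {entropy_bits(94, 20):.2f} bits")
    for name in ("alnum", "hex"):
        print(f"{name}: {equivalent_length(name)} characters match 94 x 20")
```

Restricting the alphabet is not free: a letters-and-digits password needs more than 20 characters to match the full 94-symbol keyspace, which matters when a site also caps the length.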

This article is deliberately not technical in nature. I wanted to provide additional information about a particular service: our password and hexadecimal code generators. We did not address, for example, the implementation of the password generator, such as the implementation of entropy, jamming or trust criteria set up with EviCypher technology.

EviCypher communications department


[1] https://www.bee-man.us/computer/password_strength.html

[2] http://lastbit.com/pswcalc.asp

[3] http://password-checker.online-domain-tools.com

[4] https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe

[5] https://www.btb.termiumplus.gc.ca/tpv2guides/guides/clefsfp/index-fra.html?lang=fra&lettr=indx_catlog_m&page=9-nI6-pQZOTM.html

[6] https://www.lesechos.fr/24/04/2017/lesechos.fr/0212007699237_les-depenses-militaires-atteignent-2-2–du-pib-mondial.htm

[7] https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/

[8] EviCypher uses all the symbols of the printable ASCII table, i.e., 94 symbols. The NFC EviCypher device can store contactless up to 48 randomly generated characters with the EviCypher app.

[9] https://fr.wikipedia.org/wiki/American_Standard_Code_for_Information_Interchange