2021, Articles, Cyberculture, Digital Security, EviPass, EviPass NFC HSM technology, EviPass Technology, Technical News
766 trillion years to find 20-character code like a randomly generated password
May
766 trillion years to find randomly generated 20-character code like randomly generated password
766 trillion years to find randomly generated 20-character code is the result of a simulator to find a 20-character generated by technology EviPass.
The age of the universe is estimated at only 14 billion years, this gives you an idea of comparison.
How did I find this result that you can control on your own?
We used the Password Strength Calculator developed by Bob Beeman [1] which was last updated on January 4, 2013.
This simulator is freely available on the www.bee-man.us website as well as the source code used.
Why We Chose Bob Beeman’s Simulator
In our quest to estimate the time it would take to crack a random 20-character code, we had several simulation tools at our disposal, including lastbit.com [2], password-checker.online-domain-tools.com [3], and ANSSI’s [4] simulator from ssi.gouv.fr. However, we ultimately opted for Mr. Bob BEEMAN’s simulator due to its transparent calculation method and its technical approach to brute force attacks.
Acknowledging Mr. Bob BEEMAN
Before delving into the details of our simulation, we must extend our gratitude to Mr. Bob BEEMAN for making his code freely accessible and copyable while upholding his copyrights, as explained on his website. We hope our research can contribute to his already impressive achievements, including a record-breaking 15-millisecond feat.
Reference to Ultra-Powerful Computers
To provide you with a comprehensive understanding of the state-of-the-art technology for brute force attacks in 2013, we examined Bob Beeman’s simulator’s reference to an ultra-powerful computer designed in 2012 specifically for password cracking.
Considering Computational Capacity
Bob Beeman’s simulator takes into account the computational capabilities of computers, including the 2012 design, for executing brute force attacks on passwords. It allows for adjustments in the “Values of Hacker: Axes/Second,” providing a valuable point of reference and comparison.
Staying with Default Parameters
For the sake of consistency, we maintained the default example provided by Bob Beeman, which assumed a rate of 60-109 (billion) attempts per second.
Radeon City: Revolutionizing Password Security
In this section, we’ll delve into the incredible story of Radeon City, a game-changing password-cracking cluster boasting 25 AMD Radeon graphics cards. Discover how it was built, what it can achieve, and why it’s reshaping the world of password security.
Building Radeon City
Jeremi Gosney, the visionary behind Radeon City and the CEO of Stricture Consulting Group, sought to create a powerhouse capable of cracking passwords with unprecedented speed and efficiency. His solution? Virtual OpenCL (VCL), a groundbreaking virtualization software.
Gosney assembled five servers, each armed with five AMD Radeon HD7970 graphics cards, interconnected through VCL. The cluster, aptly named Radeon City, was born at a cost of approximately $30,000 in 2012.
Unleashing Radeon City’s Power
Radeon City is a juggernaut, capable of generating an astounding 350 billion guesses per second when cracking NTLM cryptographic algorithm hashes. In just 5.5 hours, it can test every combination of eight-character passwords, including uppercase and lowercase letters, digits, and symbols.
But it doesn’t stop there. Radeon City can crack a range of cryptographic algorithms, from MD5 and SHA1 to SHA2 and even SHA3, at unprecedented speeds. It employs various attack types, including brute force, dictionary, rule-based, combinator, and hybrid attacks, using extensive wordlists and intricate rules.
Radeon City isn’t confined to offline attacks. It can also perform online attacks through distributed cracking, where passwords are guessed on live systems.
Why Radeon City is a Game-Changer
Radeon City marks a seismic shift in password security. It reveals the vulnerability of passwords protected by fast algorithms like NTLM and challenges the belief that longer, complex passwords equate to greater security. The key takeaway? Truly secure passwords are random strings absent from dictionaries.
Moreover, Radeon City advocates for slow and salted algorithms like Bcrypt, PBKDF2, or SHA512crypt, and underscores the importance of password management tools like EviPass.
Radeon City Specifications
Jeremi Gosney, a data security researcher, engineered a groundbreaking desktop rig that can swiftly dismantle older protocols. Leveraging the Open Computing Language (OpenCL) framework and Virtual OpenCL Open Cluster (VCL), Gosney deployed HashCat—a dedicated password-cracking program. The system comprises five quad-core servers, each housing 25 AMD Radeon GPUs, providing the immense computational power required for the task. These servers are interconnected with a 10 to 20 Gbps transfer rate facilitated by an Infiniband switch.
Here’s a snapshot of Radeon City’s technical specifications:
- Servers: 5
- Graphics Cards: 25 AMD Radeon GPUs
- Model: AMD Radeon HD7970
- Memory: 3 GB GDDR5
- Clock Speed: 925 MHz
- Compute Units: 32
- Stream Processors: 2048
- Peak Performance: 3.79 TFLOPS
- Virtualization Software: Virtual OpenCL (VCL)
- Password-Cracking Software: ocl-Hashcat Plus
- Cost: $30,000 (2012)
This powerhouse enables Radeon City to achieve unprecedented speeds in password cracking, making it a game-changer in the realm of data security.
Advantages and Disadvantages of Radeon City
Advantages:
- Power: Radeon City cracks passwords using both fast and slow algorithms.
- Flexibility: It executes a variety of attacks with extensive wordlists and complex rules.
- Innovation: Using virtualization technology, it overcomes hardware limitations.
Disadvantages:
- Cost: Building and operating Radeon City can be expensive, including high electricity costs.
- Noise: It generates significant noise, requiring specialized cooling and soundproofing.
- Ethical Considerations: While powerful, its capabilities raise ethical and legal questions about its potential misuse.
Simulation Parameters and Results
To calculate the estimated time required to find a 20-character code with 94 symbols, we used the formula:
a^b / (c * 2)
Where:
- “a” represents the number of possible characters,
- “b” denotes the number of characters in the password,
- “c” indicates the number of hash calculations achievable per second.
By selecting 94 symbols, a password length of 20 characters, and a 50% probability of success compared to the theoretical result, our simulation yielded an astonishing result: 766.076,000,000,000,000 years or 766 trillion [5] years.
Understanding the Financial Implications
This simulation approach not only provides insights into the time required but also sheds light on the financial investments necessary to establish a computer system capable of cracking such a password.
Consider this: The reference computer, as configured by Gosney, relies on a pool of 25 virtual AMD GPUs to crack even robust passwords. Yet, a single unit of this type, priced at approximately $30,000 in 2012, can generate just 348 billion hashes of NTLM passwords per second. To achieve results within the realm of 766 trillion years, one would need to acquire multiple such machines.
Hence, to decipher only a 20-character password generated with EviPass technology, residing within an EviTag NFC HSM or EviCard NFC HSM device, an investment of nearly $25 billion would be required. A remarkable comparison, given that global military expenses were estimated at 1.7 billion dollars [6].
Beyond Brute Force
It’s important to note that this test focused solely on brute force attacks without taking into account the activation and utilization of additional countermeasures, such as physical blockchain and jamming, which will be explored in future articles.
A Point of Reference: ANSSI’s Simulator
To provide further context, we examined the ANSSI website [7], whose simulator is limited to 20 characters and 90 symbols. This simulator yielded a score of 130, the maximum attainable. This score places passwords of this nature on par with the smallest key size of the standard AES (128-bit) encryption algorithm. Notably, our password generators exceed this maximum, boasting 20 characters with 94 symbols [8].
Forming Your Own Opinion
The aim of this article is to empower you to form your own assessment of the resilience of our password generators against brute force attacks. While we are not the sole providers of powerful password generators, our test stands as a benchmark against other comparable implementations.
Ensuring Ongoing Security
Our embedded password generator undergoes regular updates to maintain its complexity and withstand the evolving landscape of brute force attacks. Our commitment is to enhance security without compromising user convenience—a complex yet vital undertaking.
Diverse Password Generation Options
Our password creation options offer versatility. Users can either select passwords from the pool of 95 available characters, opt for a semi-automatic generation followed by modification, or automate the process entirely according to default criteria, allowing passwords of up to 20 characters.
Adaptability to Website Constraints
For websites that impose restrictions on symbols or character limits, users can customize their password generation preferences, choosing between identifiers, letters, and/or numbers, with or without symbols.
Hexadecimal Generator for Added Utility
We’ve also introduced a hexadecimal generator to facilitate programming of digital codes. This feature proves invaluable in various domains, including electronics, electromechanics, and maintenance services, enabling the creation and modification of digital access codes with ease. Furthermore, codes can be securely shared with building residents through functions like “scrambling” or encryption via a QR Code, all made possible by EviCore technologies from Freemindtronic.
To learn more about our solutions, please visit:
- [1] https://www.bee-man.us/computer/password_strength.html
- [2] http://lastbit.com/pswcalc.asp
- [3] http://password-checker.online-domain-tools.com
- [4] https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe
- [5] https://www.btb.termiumplus.gc.ca/tpv2guides/guides/clefsfp/index-fra.html?lang=fra&lettr=indx_catlog_m&page=9-nI6-pQZOTM.html
- [6] https://www.lesechos.fr/24/04/2017/lesechos.fr/0212007699237_les-depenses-militaires-atteignent-2-2–du-pib-mondial.htm
- [7] https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/
- [8] EviPass uses all the symbols of the printable ASCII table, i.e., 95 symbols. The NFC EviPass device can store contactless up to 51 randomly generated characters with the Freemindtronic app.
- [9] https://fr.wikipedia.org/wiki/American_Standard_Code_for_Information_Interchange
