Category Archives: Cyberculture

766 trillion years to find 20-character code like a randomly generated password

A server rack filled with multiple GPUs connected by yellow and black cables, illustrating the complexity and power needed to crack a 20-character code in 766 trillion years.

766 trillion years to find randomly generated 20-character code like randomly generated password

766 trillion years to find randomly generated 20-character code is the result of a simulator to find a 20-character generated by technology EviPass.

The age of the universe is estimated at only 14 billion years, this gives you an idea of comparison.

How did I find this result that you can control on your own?

We used the Password Strength Calculator developed by Bob Beeman [1] which was last updated on January 4, 2013.

This simulator is freely available on the www.bee-man.us website as well as the source code used.

Why We Chose Bob Beeman’s Simulator

In our quest to estimate the time it would take to crack a random 20-character code, we had several simulation tools at our disposal, including lastbit.com [2], password-checker.online-domain-tools.com [3], and ANSSI’s [4] simulator from ssi.gouv.fr. However, we ultimately opted for Mr. Bob BEEMAN’s simulator due to its transparent calculation method and its technical approach to brute force attacks.

Acknowledging Mr. Bob BEEMAN

Before delving into the details of our simulation, we must extend our gratitude to Mr. Bob BEEMAN for making his code freely accessible and copyable while upholding his copyrights, as explained on his website. We hope our research can contribute to his already impressive achievements, including a record-breaking 15-millisecond feat.

Reference to Ultra-Powerful Computers

To provide you with a comprehensive understanding of the state-of-the-art technology for brute force attacks in 2013, we examined Bob Beeman’s simulator’s reference to an ultra-powerful computer designed in 2012 specifically for password cracking.

Considering Computational Capacity

Bob Beeman’s simulator takes into account the computational capabilities of computers, including the 2012 design, for executing brute force attacks on passwords. It allows for adjustments in the “Values of Hacker: Axes/Second,” providing a valuable point of reference and comparison.

Staying with Default Parameters

For the sake of consistency, we maintained the default example provided by Bob Beeman, which assumed a rate of 60-109 (billion) attempts per second.

Radeon City: Revolutionizing Password Security

In this section, we’ll delve into the incredible story of Radeon City, a game-changing password-cracking cluster boasting 25 AMD Radeon graphics cards. Discover how it was built, what it can achieve, and why it’s reshaping the world of password security.

Building Radeon City

Jeremi Gosney, the visionary behind Radeon City and the CEO of Stricture Consulting Group, sought to create a powerhouse capable of cracking passwords with unprecedented speed and efficiency. His solution? Virtual OpenCL (VCL), a groundbreaking virtualization software.

Gosney assembled five servers, each armed with five AMD Radeon HD7970 graphics cards, interconnected through VCL. The cluster, aptly named Radeon City, was born at a cost of approximately $30,000 in 2012.

Unleashing Radeon City’s Power

Radeon City is a juggernaut, capable of generating an astounding 350 billion guesses per second when cracking NTLM cryptographic algorithm hashes. In just 5.5 hours, it can test every combination of eight-character passwords, including uppercase and lowercase letters, digits, and symbols.

But it doesn’t stop there. Radeon City can crack a range of cryptographic algorithms, from MD5 and SHA1 to SHA2 and even SHA3, at unprecedented speeds. It employs various attack types, including brute force, dictionary, rule-based, combinator, and hybrid attacks, using extensive wordlists and intricate rules.

Radeon City isn’t confined to offline attacks. It can also perform online attacks through distributed cracking, where passwords are guessed on live systems.

Why Radeon City is a Game-Changer

Radeon City marks a seismic shift in password security. It reveals the vulnerability of passwords protected by fast algorithms like NTLM and challenges the belief that longer, complex passwords equate to greater security. The key takeaway? Truly secure passwords are random strings absent from dictionaries.

Moreover, Radeon City advocates for slow and salted algorithms like Bcrypt, PBKDF2, or SHA512crypt, and underscores the importance of password management tools like EviPass.

Radeon City Specifications

Jeremi Gosney, a data security researcher, engineered a groundbreaking desktop rig that can swiftly dismantle older protocols. Leveraging the Open Computing Language (OpenCL) framework and Virtual OpenCL Open Cluster (VCL), Gosney deployed HashCat—a dedicated password-cracking program. The system comprises five quad-core servers, each housing 25 AMD Radeon GPUs, providing the immense computational power required for the task. These servers are interconnected with a 10 to 20 Gbps transfer rate facilitated by an Infiniband switch.

server filled with 25 AMD Radeon HD 7970 GPUs

Here’s a snapshot of Radeon City’s technical specifications:

  • Servers: 5
  • Graphics Cards: 25 AMD Radeon GPUs
  • Model: AMD Radeon HD7970
  • Memory: 3 GB GDDR5
  • Clock Speed: 925 MHz
  • Compute Units: 32
  • Stream Processors: 2048
  • Peak Performance: 3.79 TFLOPS
  • Virtualization Software: Virtual OpenCL (VCL)
  • Password-Cracking Software: ocl-Hashcat Plus
  • Cost: $30,000 (2012)

This powerhouse enables Radeon City to achieve unprecedented speeds in password cracking, making it a game-changer in the realm of data security.

Advantages and Disadvantages of Radeon City

Advantages:

  1. Power: Radeon City cracks passwords using both fast and slow algorithms.
  2. Flexibility: It executes a variety of attacks with extensive wordlists and complex rules.
  3. Innovation: Using virtualization technology, it overcomes hardware limitations.

Disadvantages:

  1. Cost: Building and operating Radeon City can be expensive, including high electricity costs.
  2. Noise: It generates significant noise, requiring specialized cooling and soundproofing.
  3. Ethical Considerations: While powerful, its capabilities raise ethical and legal questions about its potential misuse.

Simulation Parameters and Results

To calculate the estimated time required to find a 20-character code with 94 symbols, we used the formula:

a^b / (c * 2)

Where:

  • “a” represents the number of possible characters,
  • “b” denotes the number of characters in the password,
  • “c” indicates the number of hash calculations achievable per second.

By selecting 94 symbols, a password length of 20 characters, and a 50% probability of success compared to the theoretical result, our simulation yielded an astonishing result: 766.076,000,000,000,000 years or 766 trillion [5] years.

Understanding the Financial Implications

This simulation approach not only provides insights into the time required but also sheds light on the financial investments necessary to establish a computer system capable of cracking such a password.

Consider this: The reference computer, as configured by Gosney, relies on a pool of 25 virtual AMD GPUs to crack even robust passwords. Yet, a single unit of this type, priced at approximately $30,000 in 2012, can generate just 348 billion hashes of NTLM passwords per second. To achieve results within the realm of 766 trillion years, one would need to acquire multiple such machines.

Hence, to decipher only a 20-character password generated with EviPass technology, residing within an EviTag NFC HSM or EviCard NFC HSM device, an investment of nearly $25 billion would be required. A remarkable comparison, given that global military expenses were estimated at 1.7 billion dollars [6].

Beyond Brute Force

It’s important to note that this test focused solely on brute force attacks without taking into account the activation and utilization of additional countermeasures, such as physical blockchain and jamming, which will be explored in future articles.

A Point of Reference: ANSSI’s Simulator

To provide further context, we examined the ANSSI website [7], whose simulator is limited to 20 characters and 90 symbols. This simulator yielded a score of 130, the maximum attainable. This score places passwords of this nature on par with the smallest key size of the standard AES (128-bit) encryption algorithm. Notably, our password generators exceed this maximum, boasting 20 characters with 94 symbols [8].

Forming Your Own Opinion

The aim of this article is to empower you to form your own assessment of the resilience of our password generators against brute force attacks. While we are not the sole providers of powerful password generators, our test stands as a benchmark against other comparable implementations.

Ensuring Ongoing Security

Our embedded password generator undergoes regular updates to maintain its complexity and withstand the evolving landscape of brute force attacks. Our commitment is to enhance security without compromising user convenience—a complex yet vital undertaking.

Diverse Password Generation Options

Our password creation options offer versatility. Users can either select passwords from the pool of 95 available characters, opt for a semi-automatic generation followed by modification, or automate the process entirely according to default criteria, allowing passwords of up to 20 characters.

Adaptability to Website Constraints

For websites that impose restrictions on symbols or character limits, users can customize their password generation preferences, choosing between identifiers, letters, and/or numbers, with or without symbols.

Hexadecimal Generator for Added Utility

We’ve also introduced a hexadecimal generator to facilitate programming of digital codes. This feature proves invaluable in various domains, including electronics, electromechanics, and maintenance services, enabling the creation and modification of digital access codes with ease. Furthermore, codes can be securely shared with building residents through functions like “scrambling” or encryption via a QR Code, all made possible by EviCore technologies from Freemindtronic.

To learn more about our solutions, please visit:

Why does the Freemindtronic hardware wallet comply with the law?

Why the Freemindtronic Hardwares Wallet complies with directives, regulations and decrees

Freemindtronic hardwares wallet is having regard to Decree No. 2018-418 of 30 May 2018  resulting from Law No. 2016-1321 of 7 October 2016  for a Digital French Republic, relating to the modalities of implementation of the digital safe service. Unless we are mistaken, it appears that the innovative patented solutions of 100% electronic safes for offline use have not yet been regulated.

The electronic safe solutions that may be affected by the decree are non-exhaustively, EviCypher, EviTag, EviCard,  EviKey, EviDisk,  FullKey NFC,  EviKey & EviDisk

art. R. 55-1The decree provides a framework for the operation of digital safes. Thus, the provider of digital safes is required to inform the user in a clear, fair and transparent way about its service, prior to the conclusion of a contract. In particular, he must communicate

  • The type of space made available to it and the associated conditions of use;
  • The technical mechanisms used;
  • The Privacy Policy;
  • The existence and implementation of the guarantees of proper functioning.

Since Freemindtronic SL clearly tells users:

  • the pre-defined space available before the acquisition of the devices, as well as the possibility of checking for themselves the amount of memory used,
  • the terms of use are available invideos, at any time on the internet, via YouTube as well as through various publications written on the website,
  • that no material and/or digital information is collected in any way whatsoever, which consequently generates the total anonymity of the user,
  • the complete technical data sheets of the devices are available on the Freemindtronic SL website.
  • the implementation of the guarantee is published on the website. A large part of Freemindtronic SL solutions are guaranteed lifetime devices.

art. R. 55-3 – The said decree specifies that the integrity, availability and accuracy of the origin of the data and documents stored in the digital safe are guaranteed by appropriate security measures and in accordance with the state of the art.

Since Freemindtronic SL can guarantee users:

Data integrity, which is guaranteed by the manufacturer of STMicroelectronics components for at least 1 million error-free write cycles, and 40 years of data retention in non-volatile memory.

Their availability since Freemindtronic SL devices work without maintenance, without battery, by recovering electrical energy via the NFC signal of a smartphone. Thus, such a device allows users to access at any time, for at least 40 years, the data contained in the vault.

The accuracy of the origin of the data: it is the user himself who stores the data in the electronic memory of The Vaults of Freemindtronic SL

Memory access is physically locked by multiple hardware devices, such as a unique peering key with at least one user-defined administrator password. These security measures  implemented imply the material and/or digital impossibility of corrupting the backed up data. It will also be impossible for the manufacturer to be able to access the automatically encrypted contents of said memory of the device. It is specified that the user has additional functions that allow him to harden himself the level of security according to the use of Freemindtronic’s electronic safes.

art. R. 55-4 The said decree specifies that the traceability of the operations carried out on the data and documents stored in the digital safe require at least the implementation of the following measures:

  • The recording and timestamp of accesses and access attempts;
  • Recording operations affecting the content or organization of the user’s data and documents;
  • Recording maintenance operations affecting data and documents stored in digital vaults.
  • The retention periods of this traceability data constitute a mandatory mention of the contract for the provision of electronic safe services.

Since Freemindtronic’s electronic safes,

  • have a tamper-proof and non-modifiable black box. That this black box traces in particular the number of attempts to enter the administrator password and that this information is automatically saved in the black box.
  • manage the recording of data dynamically, machine to machine (M2M) between the NFC terminal and the NFC device. That the backup system is carried out in real time with the physical electronic memory of the device, on the volatile memory of the terminal, without preservation of this data.
  • have non-volatile memories, capable of retaining the data backed up by the user for at least 40 years, without the need for an electrical power source.
  • has certified documents from the manufacturer of the electronic components used by Freemindtronic SL in these devices which establish without a doubt that the average time between failures is estimated after a 1 million cycles of writes per memory block, no maintenance operation is necessary.

art. R. 55-5.- The said decree indicates that the identification of the user when accessing the digital safe service must be ensured by an electronic means of identification adapted to the security issues of the service.

Since Freemindtronic’s solutions have several identification parameters that can be predetermined by the user himself, namely: administrator password, user password, pairing of NFC terminals, enslavement to a geolocation point, encryption key, physical blockchain segments, password encryption keys, and a code for displaying and sharing data called jamming.

art. R. 55-6. The said decree, according to the guarantee, as provided for in 4 ° of Article L. 103, of the exclusivity of access to the documents and data of the user or to the data associated with the operation of the service requires at least the implementation of the following measures:

“1° An access control mechanism limiting the opening of the digital safe to only persons authorized by the user;

“2° Security measures to guarantee the confidentiality of stored documents and data as well as the corresponding metadata;

“(3) Encryption by the digital safe service of all documents and data stored by or transferred to or from the digital safe. This encryption must be carried out using cryptographic mechanisms in accordance with the state of the art and allow an evolution of the size of the keys and algorithms used.

Since Freemindtronic SL,

  • has implemented several security systems to protect the opening of the electronic safe:  physical, digital and human identification. The first check requires to know the physical pairing key of the device to authorize the connection with a computer terminal with NFC technology. The second control requires the user to know the administrator code that he himself has previously saved in the device to access the services. Other security systems can be added, forming a symmetric and/or asymmetric encryption key that, segmented into a physical blockchain in physical memory, makes access to encrypted data saved in physical memory totally inaccessible.
  • has implemented a multi-factor authentication method to simultaneously identify the terminal authorized to use the device and the user. This makes it possible to guarantee exclusive access to the backed-up data to the user and/or his/her rights holders.
  • has implemented a backup process by which all attached data and metadata are encrypted in the unconnected device that guarantees the confidentiality of the data stored in the electronic safe.
  • uses dynamically scalable encryption key sizes and uses qualified standardized standards, such as AES256-bit and/or RSA4096-bit keys. Said keys can themselves be encrypted in AES256 bits and segmented in a physical blockchain, in one or more separate devices. Such an implementation makes it impossible, at the known state of the art, to access the said keys or the possibility of guessing them via a brute force attack.

Decision of the Jaroch Technology Committee meeting on 12 June 2018,

Having regard to Decree No. 2018-418 of 30 May 2018 which will enter into force on 1 January 2019;

Where as Freemindtronic SL clearly indicates to users the conditions of use, the technical mechanisms used and the implementation of the guarantees associated with its electronic safe solutions;

Whereas appropriate security measures are implemented to guarantee the integrity, availability and accuracy of the origin of the data stored in the electronic safe;

Whereas the traceability of the operations carried out on the data stored in the electronic safe is effective;

During the Occitanie CyberMatines on LMI TV @lemondeinformatique april 22, 2020, Fullsecure conducted offline protection and physical use demonstrations of sensitive data such as passwords and encryption keys. The backup media in credit card or Tag formats operate without contact with a phone serving as an NFC terminal.

This demo shows an electronic self-connection system to a computer, a motherboard Bios, a Windows session and a VPN with the devices from Freemindtronic hardwares wallet & contactless virtual keyboard

Retrocompatible solutions for offline encryption of any type of data on computer and phone

Another demo shows how to encrypt any data on computer and smartphone, an operation compatible with all computer systems and messaging services, including SMS.

We are talking about compatible retro solutions that offer the advantage of securing the use of any type of computer hardware, computer, smartphone, software, application while maintaining maximum security of the use of sensitive data, whether personal or professional.

Finally, Fullsecure gives a tip to make a desktop “smart”: Secure the sensitive data of any computer discreetly, discreetly, thanks to its mini devices hardened in Pin’s format.

In addition, data sharing is contactless, reducing the risk of contagion during this period of pandemic due to Covid19. Indeed, it is enough to approach your smartphone to the Fullsecure device to manage and use the data contained in pin’s.

Fullsecure offers a wide range of products to meet data security needs in mobility and/or in the workplace.