f0cker / crackq

CrackQ: A Python Hashcat cracking queue system


Only "hundreds of billions of guesses per second"?

John4589 opened this issue · comments

Hi,

You guys stated "We're talking hundreds of billions of guesses per second in many cases."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/introducing-password-cracking-manager-crackq/

Only that?

For each password, the "Multi One Password" tool uses by default a random 248-character-long salt that contains (uppercase\lowercase\digit) characters only and a random 128-character-long salt that contains hex symbols only!

So, here is a quick demonstration on how "hundreds of billions of guesses per second" is really nothing:

999 000 000 000 guesses in 1 second! (999 Billions!)

100000000 seconds = 3.1709791984 years

16^128 (All the 128 possible combinations between the 16 hex symbols!)
62^248 (All the 248 possible combinations between (Uppercase\Lowercase\Digit) chars!)


999 000 000 000 x 100000000 = below

99 900 000 000 000 000 000 guesses in 3 years!

16^128 = 1.340781e+154 = below

13407810000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Even in 3 years you are far, far away from guessing all the (16^128) possibilities alone!

Well, for (62^248) which is "Infinity" or "Error" in some calculators, I wish you Good Luck!


RTX 2080 Ti GPU (Year 2018, $999 US Dollars)

10 x RTX 2080 Ti GPU ($9 990 US Dollars) can guess 25054.2 MH/s SHA2-512 ~= 25 Billions per second!
https://www.onlinehashcrack.com/tools-benchmark-hashcat-gtx-1080-ti-1070-ti.php#

It means that 100 x RTX 2080 Ti GPUs ($99 900 US Dollars) can guess 250 Billions! (Still less than 999 Billions!)


By the way, I would like you guys to crack the below hash string generated in "Multi One Password" tool!

58530dfe0bc9c45fc074f56bb05a4d991cc9aa38144774b3014277ae353d7fa0a18aa6b6a33bf7b76ca313c3aa3f8d0e9913e7fcefab3dd3f0461a68a40bb587

The password is 10 characters long and contains only lowercase chars!

(Note) From the demonstration above, it would take you far and far more than 3 years to find the original password!

for aaaaaaaaaa + (16^128 + 62^248) = An Eternity
+
for aaaaaaaaab + (16^128 + 62^248) = An Eternity
+
for aaaaaaaaac + (16^128 + 62^248) = An Eternity
+...
for zzzzzzzzzz + (16^128 + 62^248) = An Eternity

Even if the "Random Code (Salt)" was made available to you guys, it would still be almost impossible for you to crack the above SHA512 hashed string because "Multi One Password" tool uses by default 15000 to 16000 iterations!

15000 iterations requires at least 1 second for the "Final Password" to be generated! (For average computers!)

26^10 (All the 10 possible combinations between the 26 Lowercase characters!)

26^10 = 1.411671e+14 = 141167100000000 total guesses

141167100000000 x 1 second = 141167100000000 seconds = 4476379 years

So, it would take you guys 4476379 years to crack the SHA512 hashed string above even if the "Random Code (Salt)" was made available to you! (well for 25000 or higher iterations even an eternity wouldn't be enough!)

[Note]:

for 15000 iterations, a super server can generate "Final Passwords" in 1 millisecond = 0.001 seconds
141167100000000 x 0.001 second = 141167100000 seconds = 4476 years

for 15000 iterations, a super server can generate "Final Passwords" in 0.1 milliseconds = 0.0001 seconds
141167100000000 x 0.0001 second = 14116710000 seconds = 447 years

and so on ...!


Since 18 Feb 2020, TeraHash still hasn't cracked the below 1-character-long SHA512 hashed password (which is a lowercase letter) with its $1.4 Million configuration of 448 x GeForce RTX 2080 GPUs:

6d78101f3965681a61ab72365de3f9052d6da65f5a42ea6d4a6e68f02b81d32825388837ee9d61e5314cfca90d5638316c1465634fcad42c8cf1a744cc924947

That's really embarrassing!

This is clearly a poorly-disguised attempt at advertising for a commercial product, similar to what someone (perhaps you?) tried to do here:

https://www.reddit.com/r/sysadmin/comments/dx0c03/multi_one_password/

It's also a complete violation of Kerckhoffs' Principle, and also completely misunderstands how password cracking works, but that's a different story.

@roycewilliams

It's just a demonstration on how "hundreds of billions of guesses per second" is really nothing compared with the way "Multi One Password" tool hashes passwords!
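The two positions above can be checked with a small cost model: the opening post's "years to exhaust" arithmetic, and the reply's point that a salt stored next to the hash adds nothing to the work. This is an added example, my own code rather than anything from CrackQ or from "Multi One Password"; the hash rate, iteration count and alphabet sizes are the figures quoted in the thread, and the function names are mine.

```python
# Added example: cost model for the offline-guessing estimates argued about in
# this thread. Not part of CrackQ or of "Multi One Password"; the hash rate,
# iteration count and alphabet sizes are the figures quoted above.
import math

SHA512_PER_SECOND = 25_054_200_000   # 25054.2 MH/s: the 10 x RTX 2080 Ti figure quoted
ITERATIONS = 15_000                  # iteration count the tool is said to apply
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of fixed-length candidates over an alphabet (26^10, 16^128, ...)."""
    return alphabet_size ** length


def candidates(pw_alphabet: int, pw_len: int, salt_known: bool,
               salt_alphabet: int = 16, salt_len: int = 128) -> int:
    """Candidates that must be tried. Only an unknown salt enlarges the space:
    a salt stored beside the hash (the normal case, and what Kerckhoffs'
    principle assumes) costs nothing extra, however long it is."""
    space = keyspace(pw_alphabet, pw_len)
    if not salt_known:
        space *= keyspace(salt_alphabet, salt_len)
    return space


def log10_years(n_candidates: int, hashes_per_second: float = SHA512_PER_SECOND,
                iterations: int = ITERATIONS) -> float:
    """log10 of the years needed to try every candidate at the given throughput.
    Each guess costs `iterations` SHA-512 computations; a GPU evaluates many
    guesses in parallel, so the per-guess latency on one CPU (the "1 second"
    in the thread) is irrelevant, only aggregate hash rate matters.
    Working in log10 keeps 62^248 out of float overflow."""
    return (math.log10(n_candidates) + math.log10(iterations)
            - math.log10(hashes_per_second) - math.log10(SECONDS_PER_YEAR))


def years(n_candidates: int, **kw) -> float:
    """Plain years, for spaces small enough to fit in a float."""
    return 10 ** log10_years(n_candidates, **kw)


if __name__ == "__main__":
    stored_salt = candidates(26, 10, salt_known=True)
    print(f"10 lowercase chars, salt stored with hash: {years(stored_salt):.1f} years")
    secret_salt = candidates(26, 10, salt_known=False, salt_alphabet=62, salt_len=248)
    print(f"same password, 62^248 salt kept secret: 10^{log10_years(secret_salt):.0f} years")
```

The defender's takeaway is that the iteration count divides throughput rather than adding latency, so a 10-character lowercase password behind 15000 iterations sits in the low single-digit years on the quoted 10-GPU benchmark once the salt is known, and only a salt that is itself secret (which is then a key, not a salt) produces the astronomical figures.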