flat assembler
Message board for the users of flat assembler.

security, password, truecrypt, bruteforce
sleepsleep



Joined: 05 Oct 2006
Posts: 8885
sleepsleep
Could anyone share with me how long and complex our password should be in order to protect a TrueCrypt volume or an online forum or email login?

It seems to me any password/hash (with many hours & a faster computer) can be cracked.
Post 02 Dec 2011, 04:35
ManOfSteel



Joined: 02 Feb 2005
Posts: 1154
ManOfSteel
It also depends on the robustness of the algorithm, the resources available to the potential attacker (e.g. script kiddie VS security services), the security of the physical location where the data is stored, the amount of data encrypted (encrypted volume entirely encrypted VS forum or mail server that only encrypts passwords), etc.
Post 02 Dec 2011, 08:19
bitshifter



Joined: 04 Dec 2007
Posts: 764
Location: Massachusetts, USA
bitshifter
Joke I read yesterday, had to share it :)

A:\> Please enter password: PENIS

*** INVALID PASSWORD -- TOO SMALL ***

Hehe, ok, now on a more serious note:
CPUs are slow compared to modern GPUs,
so now we use GPUs to crack such things.
Post 02 Dec 2011, 08:33
JohnFound



Joined: 16 Jun 2003
Posts: 3500
Location: Bulgaria
JohnFound
sleepsleep, TrueCrypt provides strong encryption algorithms. So, it depends on your password quality. If it is "god" or "password" it will be decrypted in seconds. If it is at least 12..16 chars and contains a mix of capital and regular letters, digits and special symbols (like @#$%^&*_|+!), it will not be possible to decrypt it using brute-force algorithms at all.
Of course, every password can be decrypted using rubber-hose cryptanalysis :twisted:
Post 02 Dec 2011, 08:39
sleepsleep



Joined: 05 Oct 2006
Posts: 8885
sleepsleep
JohnFound,

using ophcrack to open my Windows box makes me realize that it seems there is no security at all :(

and TrueCrypt brute-force tools are almost easily available on the internet.

and what is a good password?
I mean, because we need more than 1 strong password,

maybe 10 to 15 (and they should be unrelated) passwords for websites, tools, applications, anything that we use
Post 02 Dec 2011, 15:45
TmX



Joined: 02 Mar 2006
Posts: 821
Location: Jakarta, Indonesia
TmX
Hmm... reminds me of Password Strength
Post 03 Dec 2011, 00:48
Overflowz



Joined: 03 Sep 2010
Posts: 1046
Overflowz
Just try hard the first time, and remember some strong pass for yourself to use. For example, I was studying to remember a 30 word/number/symbol password and use it where I have secret information :D
Post 03 Dec 2011, 06:37
Tyler



Joined: 19 Nov 2009
Posts: 1216
Location: NC, USA
Tyler
Take a term from a topic you know well and modify it by adding symbols and extra meaning. For example, I like math, so I might use a password like "G0oldenRati0=1.618."
Post 03 Dec 2011, 20:30
nop



Joined: 01 Sep 2008
Posts: 165
Location: right here left there
nop
Tyler wrote:
I might use a password like "G0oldenRati0=1.618."
so you did, but I bet you don't know what your password is now :P
Post 03 Dec 2011, 21:23
Enko



Joined: 03 Apr 2007
Posts: 678
Location: Mar del Plata
Enko
nop wrote:
Tyler wrote:
I might use a password like "G0oldenRati0=1.618."
so you did, but I bet you don't know what your password is now :P

lol

I like to use keyboard combinations sometimes.
I used to play guitar, so I have "good" "finger" memory.

I don't mean:
qwerty_asdfg_zxcvb
but a slightly more complex combination (single handed, left hand)
faszr tdfs rwtfs vqtcr
this way, I don't know what it means, and if you change the keyboard, perhaps I wouldn't "remember" the password

Then you can add some special characters in the middle.


and yes, there's a lot of GPU bruteforce.
For unlocking the latest Nokia phones with simlock3, you read the hash from the phone, the IMEI and with crossfire 2 ATI latest GPU you can bruteforce the code in 24 hours.

regards
Post 03 Dec 2011, 21:51
Matrix



Joined: 04 Sep 2004
Posts: 1171
Location: Overflow
Matrix
sleepsleep wrote:
Could anyone share with me how long and complex our password should be in order to protect a TrueCrypt volume or an online forum or email login?

It seems to me any password/hash (with many hours & a faster computer) can be cracked.


Well, if you use AES256-CBC-ESSIV then you have 256-bit encryption; your key size is 256 bit or 512 bit preferably, usually generated with RIPEMD160.
So to get 256-bit entropy you have to use more ASCII characters, or use special characters too, not just letters and numbers.

If you do not use any words from any language then we can say you have at most 7 bits of entropy per character in your password (you can always use more than needed).
So for a 512-bit key size you need at least 73 characters to get your entropy right, for a 256-bit hash - 36 characters.

BTW: I prefer DM-Crypt
Post 04 Dec 2011, 13:43
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
Firstly, don't think of it as a password, instead think of it as a passphrase. String together a few random words (4 to 6 words is usually a good place to start), sprinkle in some camel case and you've got a good quality passphrase.

Secondly, the AES algo is strong enough that currently no one with proper intent will seriously consider even bothering to crack the algo. All serious attempts currently try to use passphrase guessing/brute forcing.

The rubberhose thing may be a concern but is probably unlikely unless you are in some specific situation, in which case we can't really advise you here.

A further concern might be keyloggers, and these are probably the only practical way someone will get a good quality passphrase so this is perhaps the only real threat you will likely encounter in a normal everyday circumstance.
Post 09 Dec 2011, 20:02
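The entropy arithmetic in Matrix's and revolution's posts above, worked through in code. This is an added example, not part of the original thread: the 32-word list is constructed, and the 7776-word list size and the guess rate of 10^9 per second are assumptions.

```python
import math
import secrets

# Constructed 32-word list for illustration (5 bits per word); a Diceware-style
# list of 7776 words gives about 12.9 bits per word.
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "desert", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
    "zipper", "bridge", "copper", "dagger", "feather", "glacier", "hammer", "meadow",
)

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently."""
    if alphabet_size < 2 or length < 0:
        raise ValueError("need at least 2 symbols and a non-negative length")
    return length * math.log2(alphabet_size)

def symbols_needed(target_bits, alphabet_size):
    """Smallest n with alphabet_size**n >= 2**target_bits (exact integer math)."""
    if alphabet_size < 2:
        raise ValueError("need at least 2 symbols")
    n = 0
    while alphabet_size ** n < 1 << target_bits:
        n += 1
    return n

def generate_passphrase(words, n_words):
    """Pick n_words uniformly with a CSPRNG and join them in camel case."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words lower the real entropy")
    # Capitalising every word is a fixed rule, so it adds no entropy.
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))

def years_to_search_half(bits, guesses_per_second):
    """Expected years to hit a uniformly random secret (half the key space)."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 1e9  # assumed guess rate, not a measured figure
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
    for label, size, length in [("12 random 7-bit chars", 128, 12),
                                ("6 words from this 32-word list", 32, 6),
                                ("6 words from a 7776-word list", 7776, 6)]:
        bits = entropy_bits(size, length)
        print(f"{label}: {bits:.1f} bits, ~{years_to_search_half(bits, rate):.3g} years")
    for target in (256, 512):
        print(target, "bits:", symbols_needed(target, 128), "chars or",
              symbols_needed(target, 7776), "words")
```

These figures hold only when every character or word is picked at random; a phrase a person made up has less entropy than the formula gives.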
sleepsleep



Joined: 05 Oct 2006
Posts: 8885
sleepsleep
shit happened, bad news or site defacement?
http://truecrypt.sourceforge.net/

Post 28 May 2014, 20:23
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17271
Location: In your JS exploiting you and your system
revolution
It doesn't make sense that they would suggest BitLocker, which is closed source and unaudited. There are reports that the download on the SourceForge page has malware, so I would suspect this has been compromised.
Post 29 May 2014, 00:40
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
why not use UNICODE passwords then
Post 29 May 2014, 00:44
m3ntal



Joined: 08 Dec 2013
Posts: 296
m3ntal
How about a visual password that contains images of your favorite animals, fruits, shapes, colors, etc? Example: Tiger, Star, Black, Cross, Dragon.
Post 29 May 2014, 01:07
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
m3ntal wrote:
How about a visual password that contains images of your favorite animals, fruits, shapes, colors, etc? Example: Tiger, Star, Black, Cross, Dragon.


Sure, I'll just invite you over for a nice barbecue and a cold beer then ask you what your favorite animals are.

I know two of your favorite animals on your list are dogs and chimpanzees.
Post 29 May 2014, 01:18
m3ntal



Joined: 08 Dec 2013
Posts: 296
m3ntal
You wouldn't know the types of symbols - shapes, signs, animals, nature, trees, planets, cars, logic gates, music notes, astrology signs, etc - how many there are, how they are arranged, categorized and stored.
Post 29 May 2014, 01:59
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
m3ntal wrote:
You wouldn't know the types of symbols - shapes, signs, animals, nature, trees, planets, cars, logic gates, music notes, astrology signs, etc - how many there are, how they are arranged, categorized and stored.


Trust me, Budweiser makes social engineering so much easier.
Post 29 May 2014, 02:33
sleepsleep



Joined: 05 Oct 2006
Posts: 8885
sleepsleep
sounds like real news now,
http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Quote:

That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden.

“I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.”
Post 29 May 2014, 11:19
Copyright © 1999-2020, Tomasz Grysztar.
