flat assembler
Message board for the users of flat assembler.

Index > Heap > security, password, truecrypt, bruteforce

Goto page Previous  1, 2, 3  Next
Author
Thread Post new topic Reply to topic
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
sounds like real news now,
If true then sad news indeed. Looks like I'll have to stick with v7.1a forever.
Post 29 May 2014, 11:32
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8866
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
maybe revolution, you could come up with a new truecyprt alternative?
i believe you are capable to code it... sincerely,!!
Post 29 May 2014, 13:50
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
v7.1a is still a fine package. No need to go reinventing the wheel here. Just avoid "upgrading" to v7.2.
Post 29 May 2014, 14:33
View user's profile Send private message Visit poster's website Reply with quote
m3ntal



Joined: 08 Dec 2013
Posts: 296
m3ntal
sleep: You believe anything.

If sleep was an employer, he'd hire anyone who kisses ass, anyone who he likes personally. Who cares how well you do programming? People like him are the reason the programming industry is so f@cked up.

If I was the employer, you'd have to be good like Tomasz to be employed as a programmer and prove your ability to write code with examples. Good programmers are hard to find.
Post 29 May 2014, 17:02
View user's profile Send private message Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22
*WARNING the following advice will blow your mind be prepared*
Best password: Copy & Paste non-breaking-space (character code 160) X times, where X is your favorite number. Don't forgot to print out a copy.
Post 29 May 2014, 18:19
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
r22 wrote:
*WARNING the following advice will blow your mind be prepared*
Best password: Copy & Paste non-breaking-space (character code 160) X times, where X is your favorite number. Don't forgot to print out a copy.


Again, a nice bottle of beer can extract that number from your head.
Post 29 May 2014, 18:59
View user's profile Send private message Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8866
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
hi m3ntal,
perhaps i am biased, but if according to your idea, only genius could survive, then how about those who are not so lucky to have good education. good family, good friends, in the first place?
Post 29 May 2014, 20:07
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
r22 wrote:
*WARNING the following advice will blow your mind be prepared*
Best password: Copy & Paste non-breaking-space (character code 160) X times, where X is your favorite number. Don't forgot to print out a copy.
Here is a copy of my password printed out in this forum so I don't forget it:
Code:
                                                                                                                                                                    
The voices in my head wrote:
Again, a sharp bottle of beer can extract that number from your head.
Sounds rather gruesome.
Post 29 May 2014, 20:22
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
hi m3ntal,
perhaps i am biased, but if according to your idea, only genius could survive, then how about those who are not so lucky to have good education. good family, good friends, in the first place?
I think m3ntal doesn't understand that programming has very little to do with how one programs. It is all about how well we can bullshit our boss into thinking we are working.
Post 29 May 2014, 20:25
View user's profile Send private message Visit poster's website Reply with quote
r22



Joined: 27 Dec 2004
Posts: 805
r22
revolution wrote:
sleepsleep wrote:
hi m3ntal,
perhaps i am biased, but if according to your idea, only genius could survive, then how about those who are not so lucky to have good education. good family, good friends, in the first place?
I think m3ntal doesn't understand that programming has very little to do with how one programs. It is all about how well we can bullshit our boss into thinking we are working.

That reminds me I need to update the sign...
Quote:
It's been *17* days without an infinite loop in production
Post 30 May 2014, 11:55
View user's profile Send private message AIM Address Yahoo Messenger Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
revolution wrote:
v7.1a is still a fine package. No need to go reinventing the wheel here. Just avoid "upgrading" to v7.2.
Maybe a TrueCrypt fork is on the horizon?
http://www.esecurityplanet.com/open-source-security/truecrypt-getting-a-new-life.html
Quote:
What will CipherShed 1.0 be like? Will it add more features to the existing product? Doekbrijder said the new code will be faster and more secure, work with new operating systems like Windows 8, and also be backward compatible so it can open old TrueCrypt containers.

"But we are not thinking of adding functionality," he said. "It will be more about stripping functionality - removing old crypto modules that are not sound and so on. But when newer crypto algorithms come along, we will integrate them into the product."
Post 20 Sep 2014, 11:41
View user's profile Send private message Visit poster's website Reply with quote
Matrix



Joined: 04 Sep 2004
Posts: 1171
Location: Overflow
Matrix
Hi guys, i'd like to share this with you

creating a crypted volume:

Code:
#!/bin/bash

#script badcrypt.sh or whatever you want.
#usage:
# badcrypt.sh mount device mountpoint
# badcrypt.sh umount device mountpoint
# badcrypt.sh create device mountpoint (this destroys everything on the device)

#use your preferred encryption logic you use whatever, but...
# aes-cbc-essiv:sha256
# serpent-cbc-essiv:sha256
# serpent-xts-plain:sha256

printstat()
{
printf  "dmsetup ls\n"
dmsetup ls
printf  "dmsetup table\n"
dmsetup table
printf  "dmsetup status\n"
dmsetup status
}
if [ "$1" == "create" ];then
{
printf "filling device "$2" with random data...\n"
#dd if=/dev/urandom bs=64M of="$2"

#printf "creating loopdevice...\n"
#losetup /dev/loop0 ./serpent.img
#printf "pass" | cryptsetup -c serpent-xts-plain:sha256 -s 512 -h ripemd160 create "$2"_decrypt "$2"
cryptsetup --verbose -c serpent-xts-plain:sha256 -s 512 -h ripemd160 create "$crypteddev"_asd "$2"
printf "creating ext4fs...\n"
mkfs.ext4 /dev/mapper/"$crypteddev"_asd
printstat
[ ! -d "$3" ] && mkdir "$3"
mount /dev/mapper/"$crypteddev"_asd "$3"
exit
}
fi

#unmounting
if [ "$1" == "mount" ];then
{
#printf "creating loopdevice...\n"
#losetup /dev/loop0 ./serpent.img
#printf "pass" | cryptsetup -c serpent-xts-plain:sha256 -s 512 -h ripemd160 create "$2"_asd "$2"
cryptsetup --verbose -c serpent-xts-plain:sha256 -s 512 -h ripemd160 create "$crypteddev"_asd "$2"
printstat
[ ! -d "$3" ] && mkdir "$3"
mount /dev/mapper/"$crypteddev"_asd "$3"
exit
}
fi


#mounting is this simple:
if [ "$1" == "umount" ];then
{
umount "$3"
cryptsetup remove "$crypteddev"_asd
#losetup -d "$2"
#rm -rf ./serpent.img
exit
}
fi

#use -s keysize the largest acepted, min 256. and your passphrase must contain more entropy than the keysize can hold. 30-60 different characters is acceptable.
#for testing and playing around uncomment the loopdevice lines

    


DMCrypt
forget LUKS Wink
Post 20 Sep 2014, 14:46
View user's profile Send private message Visit poster's website Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
typedef
Post 20 Sep 2014, 15:55
View user's profile Send private message Reply with quote
Matrix



Joined: 04 Sep 2004
Posts: 1171
Location: Overflow
Matrix


wow, that page is funny Smile

btw echelon always had on-the-fly ssl decrypter and skype decrypter and etc...
The use of a non altered encryption software is strongly discouraged, it is a suspicious (terrorist) activity.
Post 20 Sep 2014, 16:45
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17248
Location: In your JS exploiting you and your system
revolution
And so the audit resumes.

http://www.theregister.co.uk/2015/02/20/auditors_to_again_peer_into_murky_truecrypt/

Will the result turn up a GCHQ/NSA backdoor? OR will it come up clean with perhaps a few non-serious recommendations for improvement? Time will tell.
Post 22 Feb 2015, 14:39
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 8866
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
here a little bit of latest news regarding auditing truecrypt.

http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
Post 02 Apr 2015, 16:10
View user's profile Send private message Reply with quote
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1180
Location: Unknown
HaHaAnonymous
Quote:

it will be not possible to be decrypted using brute force algorithms at all.

It will still be possible because the possible combinations are limited. Then you can check one by one till the correct is found. Unsurprisingly, this can take a few days (or even seconds) if secret hardware is used - or do you think they will let ordinary people know the best they have!?.

If not, please explain.

Quote:

If it is at least 12..16 chars, contains mix of capital and regular letters, digits and special symbols (like @#$%^&*_|+!)

Why not use a "binary" password instead of being limited to few possible characters? I think everyone should use a sequence of bytes ($00-$FF) as password and it must contain at least 200 different characters for a 256 bytes password.

Then all you have to do is memorize that sequence and do not store it anywhere it is not your brain. This is assuming your brain cannot be disassembled/read and your password stolen, otherwise the safest alternative would probably be to write your password on a piece of paper and store it on a secret location on this planet (or other planets outside Earth and undiscovered by NASA if possible).

The only drawback I see is that most programs do not provide an easy way for users to enter a "binary" password. As trivial as it is, they still refuse to implement that... A good example is "Microsoft's Windows Notepad", why they do not implement an end of line conversion for that!? As a result, files encoded in LF appears as they had no lines at all. And as a result, every time I need to share a text file with a Windows user I have to convert the end of line mode to CRLF because Microsoft cannot waste a few seconds to implement this seamless feature in Notepad. REVOLTING! D:
Post 02 Apr 2015, 19:03
View user's profile Send private message Reply with quote
redsock



Joined: 09 Oct 2009
Posts: 357
Location: Australia
redsock
12..16 chars, alphanumeric and special symbols gives us about 80 different symbols... and since they are not combinatorial, the math is really 80**12 of possible combinations. Brute force typically requires half the solution space, so if you figure half of 80**12 for a 12 char passphrase that is still:

34,359,738,368,000,000,000,000

even at a rate of 1 billion attempts per second, that requires 34,359,738,368,000 seconds, or 397,682,157 days, just over a million years.

I find it much easier to argue using a sufficiently large number as an example as it is much easier to imagine the brute force requirements when dealing with say a 12 digit number rather than 12 chars of 80 possible symbols.

Either way, you are up into crazy realms unless you can cheat (dictionaries, partial known passphrase components, etc).

This image has been around for ages, but also covers password complexity nicely, hahah:

Image
Post 02 Apr 2015, 20:16
View user's profile Send private message Reply with quote
HaHaAnonymous



Joined: 02 Dec 2012
Posts: 1180
Location: Unknown
HaHaAnonymous
[ Post removed by author. ]


Last edited by HaHaAnonymous on 13 Sep 2015, 16:27; edited 1 time in total
Post 02 Apr 2015, 21:01
View user's profile Send private message Reply with quote
redsock



Joined: 09 Oct 2009
Posts: 357
Location: Australia
redsock
HaHaAnonymous wrote:
Then, you mean a random sequence of 2048 bits would be easier for the computer to guess than a sequence of 32 words - like those which can be found in a dictionary - joined together with 8 bytes each!?
Considering that 2**128 is not considered reasonable for brute forcing purposes, 2048 bits is grossly overkill.

The point of that image is simply that most passwords are actually based on some non-gibberish/non-random base word with a few added digits/symbols. So if you consider that a decent word dictionary before substitutions and symbol additions might contain 1,000,000 words, that is only 20 bits to try each one, then you might do a number and a symbol, each which only complicates the base word by 10 or so each, and around 6 more or so for "common substitutions", so while it may look like a decent password, the compexity of them is quite low (compared to the 12 actual randomly chosen 80 symbol base from my last post)...

1,000,000 x 6 or so for common substitutions: 6M
say 15 or so for an extra symbol
and 10 or so for an extra trailing digit, thus:
6M * 15 * 10 == 900,000,000

A much more reasonable number to attempt via brute force. Not many people can do random binary passwords, and sufficient entropy to completely prevent brute force requires a minimum of 80 bits (IMO, more is better, but doesn't need to be extreme).

The site at https://hashcat.net/ is an interesting (and quite heavy duty) project for brute forcing, have a read Smile
Post 02 Apr 2015, 21:48
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.