Wilders Security Forums  

  #176  
May 6th, 2012, 05:51 PM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

It seems fair to assume that they can decrypt most encrypted data by brute-forcing with that computer power.
Most passwords are in the top million used passwords.
Long passwords are often sentences, which must be set up in a way that a human must be able to remember; that narrows down the available passwords a lot.
The list of methods used by people to create new passwords is not very long.
If you create a brute force engine that works its way through this list,
combined with the normal dictionaries etc., it must be very easy for them to
decrypt a large percentage of all AES-256 encrypted archives, especially when well-known or very short passwords are used.
Of course, if you are smart you can make it more difficult.
But just imagine if they would try to brute force, let's say, 10000 TrueCrypt encrypted
archives or zip files, each from a different average encryption user: how many do you think can be decrypted easily this way?
From the things I've seen, I expect a lot.
Of course I oversimplified this a bit, but you know what I mean.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet


  #177  
May 9th, 2012, 07:23 AM
Tomwa
Regular Poster
Join Date: Feb 2010
Posts: 158
Re: polymorphic cipher

I'm presently using a 63 Character Random ASCII password from:
https://www.grc.com/passwords.htm

(I actually took bits and pieces from the keys and switched them around).

I doubt I'll have to worry about anyone brute forcing my password anytime soon.

Though I could still be brute forced, I suppose, via the $5 wrench method.

Perhaps users need to start beating themselves with wrenches to prepare themselves?
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
  #178  
May 25th, 2012, 06:57 PM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

X942, is there any news yet?

After I was looking at things like this, I became convinced that both ciphers cannot be cracked yet,
but brute forcing is a serious risk:

-http://www.youtube.com/watch?v=GzDbvd5knmQ-

And this:

-http://www.youtube.com/watch?v=0WPny7wk960-

With TurboCrypt it takes a lot longer to brute force the same dictionary as with TrueCrypt/AES for example.

Passwords longer than 20 chars with no dictionary words in them,
or without simple replacements like 'a' to '@' and 'o' to '0', are impossible to remember for the average user.
63 characters is very funny, but I expect that you are not happy when there are new Windows updates and you have to restart your PC a few times.

Or a traveler with an encrypted notebook.

For the record, this is about the brute force risk in general,
and if such an attack was done on TurboCrypt or TrueCrypt with AES.

And although you can use a very long generated password, most users will not do that,
because they will have no easy way to remember it or to enter it at every PC boot.
For example, if you have a company that has 100 sales persons traveling the globe with their encrypted notebooks,
what will the passwords look like, do you think?

Brute forcing, hacking and malware attacks are the most often used methods of attack,
not trying to crack the ciphers.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet



Last edited by tuatara : May 25th, 2012 at 07:21 PM.
  #179  
May 25th, 2012, 07:25 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: polymorphic cipher

Quote:
Brute forcing, hacking and malware attacks are the most often used methods of attack
Not trying to crack the ciphers

Bruteforcing and keylogging are pretty much the only ways to get in.

As for bruteforce time it's really not an issue. 8 characters lower case is going to be more than a desktop can crack in any reasonable amount of time. 12 is fine.

An average user doesn't have to remember anything complicated.

Dictionary cracking is largely misunderstood. People think that if I have:
catdogemugoat my password is insecure because it's just words. This isn't the case. Dictionary attacks only ever attack a single word + variations of the word.

It's very simple for a user to remember a very very strong password and if you're using SHA512 (default for TrueCrypt) to generate a key (or PBKDF2 stretching like LastPass) there's just no practicality in bruteforcing.

The problem is not that users aren't using 20 character passwords, it's that their passwords are "password123" or "<username>123" etc.
__________________
  #180  
May 26th, 2012, 08:18 AM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

Quote:
Hungry Man wrote:
As for bruteforce time it's really not an issue.

It is the only issue: the more possible password combinations I can test in a certain time frame or within certain CPU time,
the higher the risk to find/crack the password.

Quote:
8 characters lower case is going to be more than a desktop can crack in any reasonable amount of time. 12 is fine.

A common misunderstanding, please recheck the YouTube movies in my previous post.

That would only be true if your dictionary contains only smaller words, names etc.
And you must include the extra numbers or chars attached to it.

A good example is one of the 1000 most used passwords I collected for research. It contains 18 chars; I will find this by brute forcing in seconds, because it is ranked very high on my brute force dictionary.

For the record, be careful what you call safe, someone's life in any country may one day depend on it.

Anyway see what TrueCrypt recommends:
[Attached image: truecrypt.png]

__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet


  #181  
May 26th, 2012, 08:31 AM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

Quote:
Hungry Man wrote:
The problem is not that users aren't using 20 character passwords, it's that their passwords are "password123" or "<username>123" etc.

YES !!!

You are exactly spot on, that is the problem.

But to be honest, the other part of it is how to remember a generated password and how to enter that at every boot?

Again, assume you are an IT man of a company with 100 sales persons that travel the world with encrypted notebook disks.
And each of these has to enter a password like this at every notebook boot:

For the record, this is the smallest recommended password length:
<12345678901234567890>

So this would be a good password, don't you agree?:
Password is: @aP(~7>FS2k$.P{']Q_sPtC|!

That will cause you and these sales colleagues some serious headache, don't you think?

__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet



Last edited by tuatara : May 26th, 2012 at 10:25 AM.
  #182  
May 26th, 2012, 03:46 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: polymorphic cipher

Quote:
That will cause you and these sales colleagues some serious headache, don't you think?

Anyone suggesting that you need a password like that is confused. The only time you should have a long password is when you can't verify how your data is being encrypted.

DogShake52591 - two random words and a birthday I made up. Easy to remember and no one's bruteforcing or getting in through dictionary attacks.

You can go crazy and add an exclamation point at the end.

That is all it takes.

Quote:
A common misunderstanding, please recheck the YouTube movies in my previous post.

You're still confused.

I only have a few minutes so I'll make it quick.

I don't care if your password is a million characters, if it's on someone's dictionary it'll take no time to crack.

That doesn't matter. Dictionary attacks don't mix and match words and numbers. It's simple as hell to stop one from working. The password above is not vulnerable and it's easy to remember. Bruteforcing it would be incredibly impractical. I believe it's 13 characters... 14 with a '!' and the character set is large (Assuming the attacker knows the set.)
__________________
  #183  
May 26th, 2012, 04:20 PM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

Quote:
That doesn't matter. Dictionary attacks don't mix and match words and numbers.

You are right, but everyone who is really using brute forcing (see the mentioned YouTube vids) does.

Even so, I do respect your different but perhaps dangerous opinion.

And you don't have to believe me but "DogShake52591" is ..
just as the makers of TrueCrypt wrote -> unsafe!

So you don't have to agree with the developers of TrueCrypt or me,
but I will not recommend using a password like this if your life could be at stake.

And of course you are right, not if you are using a dictionary-only brute force attack with a simple 1-CPU PC.

But most certainly if the other party is using hardware like this:
PLEASE LISTEN TO THE BRUTE FORCE SPECS:
-http://www.youtube.com/watch?v=A5RwZz9UPUs-
or a setup like this in another country with even more CPU/GPU power.

Of course this platform is not listed in the http://www.top500.org, but since a lot of the top 10 of those are not located in the US,
one might expect platforms like the above in these countries as well, and perhaps even in countries where you don't expect this at all.

Your password example is ranked very high in the password creation method ranking list,
just below <word><number> and <Word with a Capital first char><number> and <word><word><number>.
You are using <Word with a Capital first char><Word with a Capital first char><number>.

Of course the English Dictionary is very tiny for brute forcers on this scale.
And how many English words do we really use? -> just 17,000: http://iteslj.org/Articles/Cervatiuc...quisition.html

You can expect these 17000 to be highest in the word ranking, besides names etc. of course.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet



Last edited by tuatara : May 26th, 2012 at 04:55 PM.
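
Added example, not written by any poster in this thread: a small estimator that compares the guessing work for a password when the guesser blindly enumerates characters with the work when the guesser enumerates the construction patterns discussed above (`<Word><Word><number>`). The word list is a constructed sample, and the 17,000-word dictionary size, the one extra bit per word for capitalisation and the 95-character printable set are assumptions of the model.

```python
import math
import re

DICT_SIZE = 17_000   # assumption: the 17,000-word figure quoted in post #183
TOY_WORDS = {"dog", "shake", "cat", "emu", "goat", "password"}  # constructed sample list


def split_tokens(password):
    """Greedy split into known words (case-insensitive), digit runs and single chars."""
    tokens, i, low = [], 0, password.lower()
    while i < len(password):
        digits = re.match(r"\d+", password[i:])
        word = max((w for w in TOY_WORDS if low.startswith(w, i)), key=len, default=None)
        if digits:
            tokens.append(("digits", digits.group()))
            i += len(digits.group())
        elif word:
            tokens.append(("word", password[i:i + len(word)]))
            i += len(word)
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def pattern_bits(password):
    """log2 of the guesses needed when the guesser enumerates the construction pattern."""
    cost = {
        "word": lambda t: math.log2(DICT_SIZE) + 1,   # +1 bit: first letter capital or not
        "digits": lambda t: len(t) * math.log2(10),
        "char": lambda t: math.log2(95),              # any printable ASCII character
    }
    return sum(cost[kind](text) for kind, text in split_tokens(password))


def charset_bits(password):
    """log2 of the guesses for blind per-character brute force over the classes used."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33)]
    alphabet = sum(size for rx, size in classes if re.search(rx, password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("DogShake52591", "catdogemugoat", "password123",
               "@aP(~7>FS2k$.P{']Q_sPtC|!"):
        print(f"{pw!r:30} pattern={pattern_bits(pw):6.1f} bits  "
              f"charset={charset_bits(pw):6.1f} bits")
```

Under these assumptions "DogShake52591" drops from about 77 bits (blind character search) to about 47 bits (pattern search), while four lowercase words stay near 60 bits under either model and the 25-character random string stays above 128 bits.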
  #184  
May 26th, 2012, 04:37 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: polymorphic cipher

I suggest you use something other than YouTube videos and TrueCrypt help pages to learn about cryptography.
__________________
  #185  
May 26th, 2012, 06:08 PM
tuatara
Frequent Poster
Join Date: Apr 2004
Posts: 758
Re: polymorphic cipher

Hi Hungry Man,

Thanks for your very good suggestion, I agree and I did.
Although I find the YouTube videos of these university studies quite informative.
And no, I will not make any of these kinds of suggestions in your direction.

But to get back on topic, I am glad that everybody seems to agree here on the fact that the Polymorphic cipher takes unbelievably much longer to brute force,
and thus seems to be a stronger cipher against these kinds of attacks.

And that this Polymorphic cipher, or the TurboCrypt encryption software using it, even after the sources were handed over, is still standing strong.

But on the other hand, X942 may have different results any day now.

Btw, thanks to those who referred me to other ciphers and software; there are more out there than I ever knew.
__________________
The old creature tuatara lived here, hundreds of years
before those malware creators arrived on the Internet



Last edited by tuatara : May 26th, 2012 at 06:15 PM.
  #186  
May 27th, 2012, 02:53 AM
berndroellgen
Regular Poster
Join Date: Nov 2010
Posts: 59
Re: polymorphic cipher

tuatara, you hit the nail on the head.
Quote:
Originally Posted by tuatara
And you don't have to believe me but "DogShake52591" is ..
just as the makers of TrueCrypt wrote -> unsafe!
...
PLEASE LISTEN TO THE BRUTE FORCE SPECS:
-http://www.youtube.com/watch?v=A5RwZz9UPUs-
or a setup like this in another country with even more CPU/GPU power.

Of course this platform is not listed in the http://www.top500.org, but since a lot of the top 10 of those are not located in the US,
one might expect platforms like the above in these countries as well, and perhaps even in countries where you don't expect this at all.

Your password example is ranked very high in the password creation method ranking list,
Just below <word><number> and <Word with a Capital first char><number> and <word><word><number>
You are using <Word with a Capital first char><Word with a Capital first char><number>
...

If only 10% of all passwords can be attacked with a certain technique that allows this to be done without anybody else knowing, ANY organization whose job it is to spy on people will employ that technique.
That's pure logic.
  #187  
May 29th, 2012, 11:54 AM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: polymorphic cipher

Quote:
Originally Posted by Hungry Man
DogShake52591 - two random words and a birthday I made up. Easy to remember and no one's bruteforcing or getting in through dictionary attacks.


Just added DogShake52591 to my word list.
  #188  
May 29th, 2012, 11:55 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: polymorphic cipher

Foiled again.
__________________
  #189  
May 29th, 2012, 01:46 PM
happyyarou666
Frequent Poster
Join Date: Jan 2012
Posts: 675
Re: polymorphic cipher

lols xD
 
