Can AES-256 be broken?

Discussion in 'privacy technology' started by truthseeker, Jun 14, 2008.

Thread Status:
Not open for further replies.
  1. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Ok cheers big ears :) Thanks.
     
  2. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I should also mention something known as a "dictionary attack" just in case you don't know what a truly random password is. You shouldn't use words or common variations of words in your password. That makes it much easier to break the password.

    You should try to string together random letters and numbers if possible. If you want to use common variations of words, you should make your password longer to achieve the same entropy. You also shouldn't use variations of your name, birthday, SSN, etc. If you do, you should make the password longer to achieve the same entropy. Any patterns in your password will decrease the entropy and require it to be longer.
     
  3. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Something you might find far better for your use (saving banking information in a file) you may want to check out TrueCrypt.

    Uses AES, will allow you to use the full 64 bits even with a shorter password by using a keyfile. (or multiple keyfiles)

    Anything written to a TC container is not written in plaintext anywhere, unless you move it out of the container. Or, if Windows puts it somewhere, like temp directories. But for the most part, unless you drag the file out of your container it will not be written. It is effectively like a virtual hard drive that's encrypted.
     
  4. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Thanks, I looked into Truecrypt, but I will just keep using 7z and AES-256 as I have learned from the contributions from others that it will suffice for my situation.

    Besides I cannot afford to have any more services running on my 1GB laptop running Vista, so Truecrypt is out of the question because it means taking more of my RAM and resources.

    Thanks anyway.
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    If you want to store banking information, another alternative is to use keepass or password safe.
     
  6. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Thank you. I read about keypass and it also uses the 256 encryption but also in addition it creates a KEY like PGP does for me on Linux.

    So thanks huangker, I will use keepass from now on :)

    UPDATE: To be honest, I've been looking at this program and I love keepass now. It's a very funky and sexy program. Thanks again.
     
    Last edited: Jun 15, 2008
  7. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Glad to be of help. I'm just relieved that I don't have to crack your Keepass file :p.

    Also as a tip, I also back up the file online so that I never lose it.

    I use mozy. You can get 2GB for free.

    Below is a link that has my referrer code. If you sign up using this link, both you and I will get an additional 250megs.

    https://mozy.com/?code=PH3A86
     
  8. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I have a 30 character password now that contains letters and numbers and spaces. And I know the 30 word password off by heart too :) So with a 30 character password and the KEY needed to access my database, good luck to anyone trying to do so lol :)

    And I already have an ftp server that I use to backup some important files, so sorry, I don't want to use mozy. I also actually use my mobile phone as a backup medium. I transfer the keepass database and some other files to my mobile phone using bluetooth. My phone has 2GB card in it so I have plenty of room. And I always make a backup onto DVD too of all my important stuff. And I use Acronis Trueimage 11 to backup my whole partitions.

    What exactly is mozy anyway? Don't they just offer you 2GB hard drive space and you upload to their server? Can't you do the same with your ISP account, and zip all your files and then upload to your own server space?

    Just one quick question... Whenever I create a new entry, the program automatically enters a password for me. Do you know how to stop that from happening as I always have to delete it, because I want to enter my own passwords into new entries.
     
    Last edited: Jun 15, 2008
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia

    Mozy is online backup. It is set and forget. You select the folder/files/file types you want to back up and schedule it.

    I use it as part of my back up strategy. Monthly images and nightly mozy backups of my documents.

    No worries about not using it. I'm not short of space or anything. When you see me promoting it as a new thread, you will know that I've filled it up :p

    Re your question, I've never configured it that way and don't know how. The idea is that you use a different password for each site/account. All you need to know is your master password.
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Man I am loving keepass, thanks again for recommending it.

    By the way, I clicked on the link you gave me and signed up for mozy. I did it as reciprocation for you recommending keepass. But for your record, it seemed to take me to another page after I entered your link, so it may not register as you recommended me. You better email them and make sure you got your extra 250MB.

    Do you need me to email them and tell them that "huangker" referred me?
     
  11. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    But with Keypass, you still have to type in a password, right? And if you have a keylogger or something, or screenshot, then that one password will reveal all. Am I correct?
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    This can be avoided with password+keyfile.
    Or using "Neo's safekeys" for typing the password
     
  13. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    I myself do not have any keyloggers on my Vista, but if I ever did, then it wouldn't matter as I also created a separate KEY that is stored on my USB stick, that they would need to open my keepass database. So even if they used a keylogger to get my password and then somehow successfully downloaded my keepass database to their PC, they would still also have to work out how to download my KEY.

    Which brings me to a question... Do such things exist that keylog whatever you type and then also download your keepass database and keepass KEY that is stored on the PC HDD?

    And what exactly is "Neo's safekeys"? Is that a program you run on Windows that distorts all you type at the keyboard?

    What is the official "Neo's safekeys" website?

    And is there an application that searches a person's HDD for keyloggers? Does Spybot search & destroy do it?
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Neo's safekeys is a virtual keyboard. You click the keys with the mouse. It's a standalone exe, so you can carry it on a USB stick, to use it on other computers which you don't know if they are clean.
    I've tested it against all keylogging methods on aklt.exe, and it passed all.
    I can't remember the official page, but a quick search on google can help.
    Or you can PM me and I can send it to you.
     
  15. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    By the way, how does a keylogger infect a PC in the first place?
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Just like any other malware... downloads, usb sticks, etc
     
  17. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    What do you mean usb sticks? You mean if I insert a friend's USB stick that is infected? How does a keylogger.exe jump from a USB stick on its own to my HDD and then execute itself?

    And I hardly download any programs, and when I do, it's something that comes from a very well known and reputable company. In the last 12 months I have only installed Openoffice, ccleaner, spybot and search, Glary Utils, Imgburn. So I don't download and install stuff from "unknown" websites.

    I think people who get viruses etc. get them from warez and pirated websites. In 10 years of heavy PC usage I have never had a rootkit, spyware, virus, trojan or keylogger.
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    When I was younger, I used to download a lot of cracks, wares, keygens, etc. Back then, infections were VERY common. Of course I didn't know anything about security, and only had norton AV on board (and that when I had an AV... I spent a lot of time absolutely naked).

    Now I know better, and haven't been infected by normal usage... just some time ago doing something stupid, like testing unknown exe's and forgetting to turn returnil on (stupid me)... Again, now I know better...

    But a few months ago, I inserted a USB stick from a friend, and it created autoruns in every partition, and copied some files into them, which were executed automatically.
    So yes, I believe that USB sticks can infect you. And sometimes you don't need to be doing dangerous/stupid things to be infected... Just have bad luck or have an improperly configured security...
     
    Last edited: Jun 16, 2008
  19. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    You are joking right? You are not seriously telling me that a USB stick gets automatically executed where all .exe files on it run automatically when it's inserted? Are you saying that some application or program on a USB stick is AUTOMATICALLY run whenever a person inserts it?? If so, where can I read about this?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    no
    not all exe's.
    The usb had an autorun on it, which executed the malware. The malware then spread to all my partitions.

    The autorun.inf is a very common way of spreading malware nowadays. AV vendors are starting to offer USB drives protection.

    This is also avoided by having autoplay disabled for all drives. In my case I also automatically run anything from USB sticks sandboxed. I learned my lesson that day.
    Also, that day was the last day I used a real time AV. It failed to do the only thing it had to do.
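
A defensive check for the autorun.inf vector described in the post above, added here as an example and not part of the original thread: it parses an autorun.inf as text and lists the entries that would start a program. The sample file content and the function names are constructed for illustration.

```python
# Added example: static audit of autorun.inf content; nothing is executed.
import os

# [autorun] keys that name a program or command for Windows to start.
LAUNCH_KEYS = ("open", "shellexecute")

SAMPLE = """\
; constructed sample for illustration, not taken from a real drive
[AutoRun]
open=recycler\\svc.exe -s
icon=folder.ico
action=Open folder to view files
shell\\explore\\command=recycler\\svc.exe
"""

def audit_autorun(text):
    """Return (key, command) pairs in the [autorun] section that launch something."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_verb_cmd):
            findings.append((key, value))
    return findings

def scan_roots(roots):
    """Audit any autorun.inf (any letter case) at the top of each given root."""
    report = {}
    for root in roots:
        for name in os.listdir(root):
            path = os.path.join(root, name)
            if name.lower() == "autorun.inf" and os.path.isfile(path):
                with open(path, encoding="latin-1") as fh:
                    report[path] = audit_autorun(fh.read())
    return report

if __name__ == "__main__":
    for key, cmd in audit_autorun(SAMPLE):
        print(f"launch entry: {key} -> {cmd}")
```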
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
  22. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Wow, I didn't know that a person can make an autorun on a USB as soon as it's inserted. Surely this is a real security risk and would stop people being allowed to use them in internet cafes etc too.
     
  23. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Well it's lucky for me then that I use Linux to do all my netbanking etc.

    I dual boot Vista and Ubuntu Linux and whenever I want to transfer money or use netbanking etc I boot into Linux. On Linux I do not worry about virus or spyware or keyloggers.

    But having said that, doesn't the Neo's SafeKeys stop that happening in windows what you mentioned above?
     
  24. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Neo's safekeys protects against keyboard logging and I *think* clipboard logging. (In order to paste the password on the password field, you must select it and drag it. Copy-Paste won't work).

    However it is vulnerable against screenshots, since it highlights the keys pressed with the mouse. But I have no idea what the common interval between screen snapshot in such loggers is. My guess is that if you use variable intervals for pressing keys, you are relatively safe.
     
  25. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    The optimal solution is to either use a livecd for banking (as truthseeker is doing) or use multifactor authentication.

    http://en.wikipedia.org/wiki/Multifactor_authentication
     