hack truecrypt,how much time does it need?

Hi

i have a question about truecrypt
i know it's an open source , there are not backdoors

but i'm thinking about how much time does a hacker need to find the password(crak/hack) of a truecrypt container?

i know a password could be weak or strong

i 'm thinking about a medium password

thanks

it's a technical question , i don't want to hack my truecrypt container

 

Re: hack truecryt,how much time does it need?

It really depends on the hardware you have at your disposal to attempt such a hack... That is if you want to try a brute force approach.

 

Re: hack truecryt,how much time does it need?

thanks
so is possibile to decrypt for an hacker a file/container encryped?

 

Re: hack truecryt,how much time does it need?

Of course, it's just a matter of writing a program that tries a list of passwords against a TC container.

 

Re: hack truecryt,how much time does it need?

See https://www.wilderssecurity.com/showthread.php?p=1633727#post1633727 FWIW

It might be useful if someone could characterize the strongest "type" of TrueCrypt password -- in terms of length and character set -- that can currently be brute forced by an adversary using all existing machines in a decade or so. Better yet would be estimates of time required vs password complexity and computing resources.

Is it possible to use a password that Deep Thought couldn't brute force

 

Re: hack truecryt,how much time does it need?

If you do it right, a long, long time..

https://www.wilderssecurity.com/showpost.php?p=1631367&postcount=33

 

Re: hack truecryt,how much time does it need?

Thanks, Dreamwalker.

 

Re: hack truecryt,how much time does it need?

http://www.lockdown.co.uk/?pg=combi&s=articles#classF

thanks!


the more complex password needs 83 Days need to be cracked
truecypt does encrypt files , but only make container
i'm thinking what could happen if i encrypt sever time the same file
for example myfile.doc -> encrypted 4 times with 4 different password ?

 

Re: hack truecryt,how much time does it need?

Using the formula POWER(Charset,Len) and assuming success at 50%, I've estimated how long Distributed.net's Project Bovine RC5-64 (7.6E+10 passwords/sec, according to http://www.lockdown.co.uk/?pg=combi&s=articles) would take to recover passwords of various complexity.

http://img26.imageshack.us/img26/1452/passwordguessing.jpg

Times are expressed in the following units, as appropriate ...

seconds
days
years
centuries
age of Homo sapiens (ca. 2E+05 yr)
age of Mammalia (ca. 2E+08 yr)
age of the Universe (ca. 1.4E+10 yr)

Are those results reasonable?

 

Re: hack truecryt,how much time does it need?

FYI -- These approaches to estimating the protection provided by a passphrase assume that the passphrase is literally a random string of letters, numbers, and/or symbols. If you don’t actually use a random number generator to create the passphrase, then (1) the frequency of characters will mirror their distribution in natural language (e.g., “a” is considerably more common than “q”); and (2) it will contain sequential dependencies among the characters. Both effects may (greatly) reduce the effectiveness of the passphrase.

P.S.: Humans are notoriously incapable of creating high-quality random numbers/strings, despite our perception that we can easily do so.

 

Re: hack truecryt,how much time does it need?

Using 10,000 of the world's most powerful supercomputers working in tandem, brute force attack on my TC password, would take around 1 billion years.

Use this website, select all characters Include Punctuation, and 64 chars in length.

http://www.pctools.com/guides/password/

 

TheMozart, if you have committed to memory a truly random string of 64 letters/numbers/symbols for your passphrase, then your cognitive facilities are impressive, indeed!

Personally, I have no hope of remembering a passphrase like yours, such as:

cR6pheze2ayuNA7uweWaq5K8zu4wuPra3rAmUvAmaB7stepREZeCr7xex3PAphe9​

 

You don't need to, just the last few. Example retrieve your long pass and tag on the end the part you remember.

 

Re: hack truecryt,how much time does it need?

If you're using a 64 character random password, it would take MUCH longer than a mere one billion years to crack. It would take every computer on earth billions of times longer than the age of our universe (~13 billion years).

Basically, the moral of the story is that 64 characters is overkill. In order to obtain a password with 128 bits of entropy you need a 20 character string of random ASCII characters (out of 94 possibilities per character). Providing that, 128 bits of entropy would take longer than the age of the universe to brute force, but it wouldn't be as difficult to remember as a 64 character password that is vastly overkill.

 

OK, who recognizes "AGiditp,oowtBi,tAa,twitolacC,ioG,tt."?

Or better, perhaps, and this is a hint, "Geodipt,quiB,aA,tqilC,nGa."?

 

The strength of a chain is equal to that of its weakest link. In this case, retrieving the first 60 characters of the 64-character password, for example, and then typing in the last 4 characters seems to be no stronger than having a passphrase that is only 4 characters in length, because the 60-character portion is subject to retrieval by the adversary in the same way that you access it. (This assumes that the adversary knows or can infer/guess your "scheme," of course, which may not be an unreasonable assumption.)

 

No, not unreasonable, but with a little invention you can make it more unlikely.

 

Re: hack truecryt,how much time does it need?

I wouldn't use this. If you truly want your passwords to be safe, use an offline (nothing connected) system to generate your passwords. Thru the internet, there could still be intercepts.

 

I remember mine, because I copy and paste it

 

Re: hack truecryt,how much time does it need?

It wouldn't do them any good. I use an 18 char password I have memorized and type that before I paste the 64char password

 

Re: hack truecryt,how much time does it need?

Why do people keep referencing this chart for these kinds of questions?? It just shows how little you actually know about encryption and passwords in general.

At least on A, B, C, they are saying what kind of passwords they are trying to brute force. If you are simply trying to do "Does Guess = Password", sure, you can probably do 1,000,000,000 (F) passwords per second, provided Guess is simply going A, B, C, D, E, F, G. But the moment you have to start and add computation to Guess, you increase the time taken to get Guess, to check it against Password. While "Guess = Password?" continues to take one second (for illustration purposes), how long does it take to find "Guess"? One second? 10? A lot of security minded applications now days intentionally make computation of Password (and subsequently Guess) take time.

I'll use KeePass as an example simply because the application lets you set how much computation it takes to do it. Keepass asks for the number of rounds (Number of times the Password is encrypted; See Here for more information) the password goes through. You can actually set it based on time (on your system, Keepass determines XX rounds take Time seconds. The XX is then set in the database as the number of rounds. On a faster system, it will take less Time, on a slower system, Time is increased.) The result is if someone attempts to brute force your password on a system equivalent to yours, the number of Guesses per second is going to be relatively low (Since it takes Time to compute Guess) and even running it on a machine twice as fast, is still going to only twice as fast(if that) as the original machine. Assuming you planned for Time to be one second on your machine, that still limits an attacker to two passwords per second on their machine. (See how fast that table was just demonstrated to be wrong?) Even 100,000 machines working in tandem would result in only 200,000 passwords per second. Using that table on the page, would still take 34 years assuming a 8 character 62 Possible Character(a-z, A-Z, 0-9) password (See 62 Char, Class B / 2).


While that table may show how adding to your character base (IE going a-Z instead of just A-Z or a-z) will increase time, the time factors listed are completely irrelevant for most normal applications anymore. (By the way, who still uses a Pentium 100 for any kind of brute forcing?)

 

FYI -- Depending upon the adversary and the how the password was constructed, a savvy attack might proceed far more quickly than some calculations suggest, if it employs dictionary or rainbow tables, for example.

 

this is nice

a very cool program is
DarkCrypt TC for total commander

DarkCrypt GUI for pc , portable too

http://www.darksoftware.narod.ru/tcpluginsen.html


info

 

Dictionary, OK, but that doesn't take into account computing Guess (from my earlier post), and rainbow tables are irrelevant when salt (preferably random) is used, unless you can compromise the target, determine the salt, construct your rainbow table, then return to use it live, but there really isn't a speed advantage to this... Not to mention if you get access once, you mirror your target, then work on it in your own area.

But salt is used to defeat rainbows.

I guess the alternative is using a hash rainbow table (if they exist) which is all the possible hash values, but I have no idea how large it would be... but thanks to a calculator there are 3.4028236692093846346337460743177e+38 possible combinations. If I did my math right, it would take 9,973,638,011,820,690,691,325,952 Petabytes (or 9,288,674,231,451,648 Yobibytes) of space to store all these hashes. And thats only md5 hashes. And I'm pretty sure that amount of storage doesn't even exist.

 

Re: this is nice

Man's that's dodgy... probably a trojan in that Russian app.