How secure is a Truecrypt volume on USB disk?

Discussion in 'privacy technology' started by psychocandy, Nov 3, 2008.

Thread Status:
Not open for further replies.
  1. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
    Lost my USB stick somewhere.

    Doesn't contain anything dodgy but loads of personal info like addresses, bank details etc.

    Luckily, everything was stored in a 4Gb password protected truecrypt mountable file container.

    Version of Truecrypt was 6.0a, and I used the default encryption of AES. Password I used was >8 characters and mix of letters and numbers, and not a real word.

    I'm really paranoid but is there ANY way that anyone is going to be able to crack this and access the data?
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,938
    Location:
    U.S.A.
    psychocandy, first, welcome to Wilders!

    Perhaps you want to review this Wilders thread: Can anyone break my TrueCrypt password? and look at my post #2 for the Password Recovery Speeds article, that will give you an idea on how long it will take to break a password.

    You can also use this Password checker to see how strong your password was.
     
  3. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    Well, this should prevent with some luck any non governmental or corporate adversary from brute forcing your PW.

    You may remember that TC told you to use a > 20 chars password.
    A 20-char PW using the chars TC allows (94, I remember, is their number) is roughly equal to a 128-bit key = 3.4e38 combinations.
    An 8-char password is equal to 6e15, which really cannot be considered secure; keep in mind that DES, using 56 bits, is brute-forceable, and that's 7e16, which is more than your PW has.
    A 9-char password already has 5e17 combinations, roughly 10 times what DES has.
    Though to crack DES they used dedicated hardware with a few hundred ICs designed for this single purpose.

    It's highly unlikely that any ordinary thief or finder will be able to mount an attack with sufficient calculation power to break your password...


    ... unless you had the luck to be robbed by a nerd with a really REALLY big botnet that he is willing, just for fun, to let loose on your precious data. :rolleyes:
     
  4. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
    cheers I'll take a look !
     
  5. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
    But of course anyone who finds it doesn't know how long the password is, do they? Or what set of characters it contains?
     
  6. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    But a nerd may of course try it just for fun, with all possible characters, until he cracks it or his botnet gets dismantled by some "Microsoft malicious software removal tool" ;)

    But as said in the 1st line of my previous post you should be pretty safe :thumb:
     
  7. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
    I'm sure I read somewhere as well that Truecrypt does something to slow down brute force attacks. Any ideas?
     
  8. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
  9. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No ordinary person is going to be able to crack that. As mentioned earlier, TrueCrypt is intentionally designed to slow a brute-force password attack down to a relative crawl. Even someone with considerable resources and great curiosity would probably give up after letting their custom password cracker run against it for a few days or weeks, and this wouldn't be nearly long enough to crack the password you are describing.

    Your only real risk is that your USB stick gets picked up by a major criminal who then gets picked up by law enforcement. If he/she is involved in serious enough crimes then your USB stick might be sent to a government agency that has the technical capability to crack susceptible (e.g. too short or too simple) TrueCrypt passwords. Of course, if they did manage to crack it then they would see that your information was not related to any criminal activities, so you should still be ok.
     
  10. psychocandy

    psychocandy Registered Member

    Joined:
    Nov 3, 2008
    Posts:
    6
    Nah. Nothing criminal or dodgy on the stick !!! LOL.

    Out of interest - how many 'attempts' per sec does truecrypt allow? Anyone know?
     
  11. DavidXanatos

    DavidXanatos Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    112
    Location:
    Vienna
    As many as your hardware can process. TC does not limit anything in strict terms;
    it just requires every attempt to be quite CPU intensive, because the key is derived in 1000 iterations, which simply needs more time.
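
Added example (not part of any post in this thread): the keyspace figures from post #3 and the per-guess key-derivation cost from post #11, combined into a password sizing estimate. The 94-character alphabet and the 1000 iterations are the thread's numbers; PBKDF2-HMAC-SHA512 with a 64-byte salt is an assumption, since the thread does not name the derivation function.

```python
import hashlib
import math
import os
import time

ALPHABET = 94            # character count quoted in post #3
ITERATIONS = 1000        # iteration count quoted in post #11
DES_KEYSPACE = 2 ** 56   # the DES comparison made in post #3
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length

def min_length_for(bits, alphabet=ALPHABET):
    """Shortest random password whose keyspace reaches 2**bits."""
    return math.ceil(bits / math.log2(alphabet))

def derive_key(password, salt, iterations=ITERATIONS):
    # Assumption: PBKDF2-HMAC-SHA512; the thread only gives the iteration count.
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations, dklen=64)

def measure_guess_rate(samples=200, iterations=ITERATIONS):
    """Guesses per second on one core of this machine (constructed inputs)."""
    salt = os.urandom(64)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"guess-%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)

def years_to_exhaust(length, guesses_per_sec, alphabet=ALPHABET):
    """Worst case: every candidate tried; the average case is half of this."""
    return keyspace(length, alphabet) / guesses_per_sec / SECONDS_PER_YEAR

if __name__ == "__main__":
    slow = measure_guess_rate()
    fast = measure_guess_rate(samples=20000, iterations=1)
    print(f"1 iteration: {fast:,.0f}/s   {ITERATIONS} iterations: {slow:,.0f}/s")
    print(f"length for 128 bits: {min_length_for(128)} chars")
    for n in (8, 9, 12, 20):
        ratio = keyspace(n) / DES_KEYSPACE
        print(f"{n:>2} chars: {keyspace(n):.1e} combos, {ratio:.1e} x DES, "
              f"{years_to_exhaust(n, slow):.1e} core-years")
```

The measured rate is for a single CPU core; divide the core-years by however many cores or devices you assume the adversary has.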
     