Noob has partially forgotten his Truecrypt password!

Discussion in 'encryption problems' started by whackojacko, Dec 23, 2012.

Thread Status:
Not open for further replies.
  1. whackojacko

    whackojacko Registered Member

    Joined:
    Dec 23, 2012
    Posts:
    3
    Location:
    Australia
    Hi all,

    I know you probably get questions like this all the time, but I'm really hoping someone can help me out.

    A couple of months ago I encrypted some important files in a truecrypt volume, worried that my laptop might get stolen while travelling. For the password, I used a combination of phrases from the stickers on the laptop - like "windows7", "corei7" etc. I never use spacing, and stuck to lower casing, and I have a list of all the possible words that could've been included in the password.

    As the story usually goes, I was in a rush, and thought I'd remember it just by looking at the stickers. No luck. The password could be any combination ie. "windows7corei7nvidia" etc. I'm sure it's between 15 and 35 characters. There are about 20 words that I selected from.

    I've taken a look at some threads on here addressing similar problems, but I have no absolutely no programming knowledge, and have found it impossible to use some of the tools offered.

    Are there any programs out there, where I can simply enter the possible words, and bruteforce the password? I'm on Win7 64bit.

    Any help or advice would be really appreciated. Regardless of the outcome, I intend to be a stayer on the forum, and hope to learn as much as I can from you guys.

    Many thanks,

    Jacko
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    You are in a really tough situation . . . :rolleyes:
     
  3. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    I feel for you, you're indeed in a rough spot. Next time, don't use passwords like that. I mean, the pass is literally written on the laptop. Very few people can remember long passwords..which is why no one uses them and people stick to "less secure" ones that are short and sweet. Back up your passwords, whether on a piece of paper hidden out of sight or what ever. Chances are pretty good you've got just one word or a couple of characters out of place, and that's even more frustrating than forgetting the entire thing. Brute-forcing something that long? You won't live long enough and neither will anyone else.

    I honestly think you're screwed, and, for anyone who comes across threads like these and wants to try Truecrypt and things like it, think carefully before you jump into it. You should have a damn good reason for using it, and not just "might get stolen". You should also be well prepared before you ever install such a program. *sigh* Sometimes I think places like Wilders do more harm than good for the general public and those in a bind.
     
  4. richnrockville

    richnrockville Registered Member

    Joined:
    Jul 15, 2009
    Posts:
    7
    Location:
    Rockville, Maryland
    Most likely your SOL on this as most forums frown on password crackers or the such. There isn't any way to determine whether the poster is someone who legitimately lost their password or someone who picked up a machine with asbestos gloves on.

    Rich
     
  5. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I personally use TC but i know what are the risks of forgetting passwords. (I always forget my non essential account passwords like steam etc.)
    But i set my TC password as easy as it could be for me but as hard as possible for others. :D
     
  6. Mman79

    Mman79 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    2,016
    Location:
    North America
    Well, if you go by https://www.grc.com/haystack.htm, the poster probably has a great pass. The problem is, said pass is printed right there on the exterior of the laptop :D Of course, also according to the GRC website said password will be broken by brute force long after our Sun has gotten tired, went to sleep and left the Earth a bit on the warm side.
     
  7. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    I feel that you're mistaken. There's nothing wrong with openly attempting to crack a password head-on. It's a common discussion topic and there are really no secrets about it. Programs such as TrueCrypt are designed to strongly resist brute-forcing and other types of password cracking attempts, and they do it very well. A good TrueCrypt password can't be cracked by any known technology. However, a partially-forgotten password can sometimes be within reach.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    @Jacko
    OTFBrutus GUI (by tateu, a forum member) was specifically designed to help TrueCrypt users who have partially forgotten their passwords. If you can assemble an adequate wordlist then it it can easily test them against your TrueCrypt container. Building the wordlist will be the hardest part, as it sounds as though there could be a high number of possibilities. Your description is rather loose: 15 to 35 characters built from a pool of some 20 known words doesn't narrow things down very much. How many words do you think you used? Did you repeat any words? Are you positive there are no spaces or substitutions?

    I don't know of any program that you can just hand your 20 words to and say "go!", but what you want to accomplish might not be that far out of reach. OTFBrutus can build wordlists, but you have to learn how to enter your data into the program's password template. Why don't you download it and play with it using some short, simple passwords to see if you can figure out how to use it? It would probably work. For starters, think of each word as a single character (out of 20 possible characters), and try to set up password searches for different password lengths, say between 4 and 7.

    How many words do you think are in your password? Based on the lengths of the words you supplied in your first post, I'll guess it's somewhere between four and seven. If there were only four words in random order then there would be about 20 to the 4th possibilities = 160,000 (actually fewer if you didn't repeat any words), which is quite doable. Seven words would produce 1.3 billion possibilities, which is probably just a little out of reach for a home computer, but could be done on a network. You're probably somewhere within that range, and there's definitely a chance that you could succeed, but you'll also definitely need to strain your brain a bit. Sorry.

    PS: No guarantee on the math, shooting from the cuff, but I think it's about right.
     
  9. tateu

    tateu Registered Member

    Joined:
    Dec 10, 2010
    Posts:
    60
    Location:
    Los Angeles, CA USA
    dantz's math is indeed correct, 20^4 and 20^7 possibilities. And if you used 5 words out of a possible 10 you would have 10^5 possibilities.

    With OTFBrutusGUI and 4 words used from a possible 20, your password pattern would look like:
    (word01|word02|word03|word04|word05|word06|word07|word08|word09|word10|word11|word12|word13|word14|word15|word16|word17|word18|word19|word20){4}

    And if you are absolutely sure you did not use any of the words twice, you could try this to limit each word to being only used once:
    (word01|word02|word03|word04|word05|word06|word07|word08|word09|word10|word11|word12|word13|word14|word15|word16|word17|word18|word19|word20){4:1}

    And turn off any Hash and Encryption algorithms that you are 100% sure you did not use.

    Another good program that is actually faster than OTFBrutusGUI is http://www.golubev.com/igprs/. I think it's about twice as fast but if you have a supported GPU, I think it is supposed to be 10x or 20x as fast.
     
  10. whackojacko

    whackojacko Registered Member

    Joined:
    Dec 23, 2012
    Posts:
    3
    Location:
    Australia
    Thanks Danz, Tateu and everyone else for their replies. Sorry Noob, for any implications my post may have had in reference to your name...

    richnrockville, I appreciate your vigilance. However, in this case I'd say the probabilities that I am the volume creator are fairly high, given what I know about the password and how it was created.

    I've had a look at Brutus software, which from all accounts on the web, is very impressive. My problem is that I'm out of my depth when it comes to GUI or anything that isn't in a pretty windows dialogue box. I'm trying to build my knowledge though, and this problem has really sparked up my interest in cryptography. Unfortunately, I've got a lot of things going on workwise that limit my time - so it'll be slow-going for me.

    Dantz, thanks for your on-the-spot analysis. There are definitely no duplicates, substitutions or spacing and I'm 90% sure that it is made from between 3 and 4 of the 20 given words.

    On your suggestion, Tateu, I'm going to try Golubev's program, as I see it has dialogue boxes. I'll report back when I inevitably run into problems.

    Once again, really appreciate the support on here. Thanks.

    Jack
     
  11. whackojacko

    whackojacko Registered Member

    Joined:
    Dec 23, 2012
    Posts:
    3
    Location:
    Australia
    It seems the license for Gobulev's program expired on the 21st December. I get redirected to "passwordrecoverytools.com", which looks less than trustworthy, and doesn't list Truecrypt volume password recovery as an option.

    Do you know of anyway I might get Gobulev's program as it was?

    Thanks,

    Jack
     
  12. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I have a 30+ digit password for TrueCrypt that I don't use anywhere else. The key to doing so, is having your own little workable algorithm. Use letters upper/lower, numbers and symbols. Use 1-2 symbols and repeats them through the password, and do the same with numbers and symbols, for example.

    +ToroHike33DashToro+HikeToro33DashHike+

    You now have a long password but it contains only these symbols. Toro,Hike,Dash,33,+

    Complexity in simplicity. And while your learning it you should always have to on a piece of paper until you get so used to the password flow that you don't need the paper. If you only use Hike,Toro,Dash, for you TC password at boot and nothing else, it becomes almost impossible for a dictionary attack, because you are unrelated to those words and they are also capitalised and have number symbol combos.
     
  13. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    No, but consider this: One of the main strengths of OTFBrutusGUI is its flexibility at building different types of wordlists, which is exactly what you need. And you've got the developer of OTFBrutusGUI right here helping you. Why even bother with a different program?

    OTFBrutusGUI has a decent graphical user interface. I think the only part you have to type in is the password pattern, and tateu has pretty much given that to you. Just replace the words in his example "word01|word02|word03" etc. with your own words.

    I suggest you start by creating a small test container with a simple, known password and practicing on that.
     
  14. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    LOL, no problem man, i didn't even notice it until you said it. :D
    No worries.
     
  15. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    267
    Location:
    Philippines
    I, for one, thought Noob forgot his password
     
Loading...
Thread Status:
Not open for further replies.