Truecrypt password - brute force

Discussion in 'privacy technology' started by Fontaine, Aug 24, 2008.

Thread Status:
Not open for further replies.
  1. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    Assuming the algorithms are properly implemented in Truecrypt (i.e. no design flaws), how difficult would it be to brute force a password such as: W/i/l/d/e/r/s/s/e/c/u/r/i/t/y
    I know it looks weird but it's just a password that is a word, but has the same character separating each letter. I assume it would be much harder to crack?

    Also, I read that since Truecrypt hashes the password, it makes it extremely difficult to brute force since only a few passwords per second can be tried. And, using a salt renders rainbow tables useless for cracking Truecrypt passwords.

    So, if someone obtained a truecrypt container file that had the above password, and assuming that person was a hacker (or wannabe) and not a gov't entity with unlimited resources and massive computing power, is it extremely unlikely that it would be broken?

    disclaimer: I'm very naive with concepts such as hashes and salts. :)
     
  2. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    First question would be: does the person who will be attempting to brute force the password know what character set you are using? If so, that helps. Otherwise with that they would need to do the 96 character set. (Letters upper and lower, numbers, and common chars). And unless they have an idea of how many characters you're using, they'd have to start low, so that would take a while to brute force. (like... years.)
     
  3. Fontaine

    Fontaine Registered Member

    Joined:
    Jan 29, 2008
    Posts:
    245
    I was thinking of a scenario where a truecrypt container was obtained by a hacker from a complete stranger so the hacker knows next to nothing about the password.
    If the file was one of many, and thus not targeted because there is something of interest in it, then I would think it would be much too big an effort to try and crack it beyond a typical brute force based on a dictionary list... which wouldn't be effective against the password above, right?
     
  4. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Yea, I doubt a dictionary would be very effective there.

    I'd shy away from repeating characters though... at least ones that repeat that much. Then again a password of "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz" (64 of em) would be as strong from a brute force capacity as "Zippu1DoDah%2". At least until doing full password fields becomes a standard attack. If ever.
     
  5. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    IMHO, the password you are providing (W/i/l/d/e/r/s/s/e/c/u/r/i/t/y), while still more secure than just "Wilderssecurity" (and not just because of the greater length), is not as secure as a password made of random characters and of the same length.
    A simple dictionary attack, in fact, might quite easily get the password "Wilderssecurity", but would probably not get the password "W/i/l/d/e/r/s/s/e/c/u/r/i/t/y"; on the other hand, it wouldn't take much to manipulate the words in the dictionary adding appendix and/or postfix, and also adding characters between the letters (if I don't remember wrong, John The Ripper does that just wonderfully), making it possible to guess that password with a dictionary attack.
    If you chose a pattern of "extra characters" that repeated (example: W/i%l&d/e%r&s/s%s&.....), you would make it extremely harder to crack with this technique.
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I'm totally unfamiliar with TrueCrypt. What does it do exactly?

    I read posts about TrueCrypting your entire HDD. I'm not sure if I want to do that, but what other options does TrueCrypt offer?
     
  7. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    TrueCrypt provides On The Fly Encryption. (OTFE)

    You can do whole hard drives, or just make smaller containers of varying sizes. When you mount them they act like a virtual hard drive and anything written to them is encrypted.
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Not really, if the dictionary used for the attack contains a list of internet addresses... and if it does, it is likely that it contains internet addresses to sites dealing with security. At this point, it only takes one character of appendix and two characters of postfix to guess.
     
  10. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    My TC password is 27 characters long, using numbers, spaces, letters etc.

    My 27-character password is not contained in any dictionary.

    I think I am rather safe for a few thousand years?
     
  11. KookyMan

    KookyMan Registered Member

    Joined:
    Feb 2, 2008
    Posts:
    367
    Location:
    Michigan, USA
    Based on the advancement of technology, I'd say a couple hundred years. Which is more than enough for any individual.

    Do we have any math majors who can actually do a good plot out of this? It'll be an exponential curve I know.
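
The estimate asked for in the last post, as an added example that is not part of the original thread: it compares a blind search over the 96-character set with a guesser that models "dictionary word with one repeated separator", at a fixed guess rate and at a rate that doubles over time. The 10 guesses per second, the two-year doubling period, the 1,000,000-word dictionary and the 32 separator characters are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
CHARSET = 96          # character-set size quoted in the thread
RATE = 10             # assumed guesses per second ("a few" per the thread)
DOUBLING_YEARS = 2.0  # assumed hardware doubling period

def exhaustive_guesses(length, charset=CHARSET):
    """Worst case: every password of 1..length characters."""
    return sum(charset ** n for n in range(1, length + 1))

def pattern_guesses(words, separators, case_variants=2):
    """Worst case if the guesser models 'dictionary word, one separator
    repeated between letters' instead of searching blindly."""
    return words * separators * case_variants

def entropy_bits(guesses):
    return math.log2(guesses)

def years_fixed_rate(guesses, rate=RATE):
    return guesses / (rate * SECONDS_PER_YEAR)

def years_growing_rate(guesses, rate=RATE, doubling=DOUBLING_YEARS):
    """Rate doubles every `doubling` years. Guesses made by year T are
    r0 * doubling / ln2 * (2**(T/doubling) - 1); solve that for T."""
    r0 = rate * SECONDS_PER_YEAR
    return doubling * math.log2(1 + guesses * math.log(2) / (r0 * doubling))

def report():
    cases = {
        "27 random chars": exhaustive_guesses(27),
        "29 chars, blind search": exhaustive_guesses(len("W/i/l/d/e/r/s/s/e/c/u/r/i/t/y")),
        "word + repeated separator": pattern_guesses(1_000_000, 32),  # constructed sizes
    }
    return {name: (entropy_bits(g), years_fixed_rate(g), years_growing_rate(g))
            for name, g in cases.items()}

if __name__ == "__main__":
    for name, (bits, fixed, growing) in report().items():
        print(f"{name:28s} {bits:6.1f} bits  fixed {fixed:.3g} y  growing {growing:.3g} y")
```

Under these assumptions the fixed-rate figure for a random 27-character password is astronomically large, the doubling-rate figure is a few hundred years, and the patterned password falls within a year once the pattern is part of the guesser's model.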
     