TrueCrypt take cover, Hashcat is coming!

The next release of oclHashcat-plus is expected to include a new gpu-based TrueCrypt-cracking module that will apparently make it the fastest TrueCrypt cracker that is publicly available. They're listing speeds of roughly the 50K to 450K hashes/sec (very impressive!), although this will obviously vary according to the type and number of GPUs used, etc. (Hopefully I'm not misinterpreting their current results, but if so I apologize).

http://hashcat.net/forum/thread-2301.html

TrueCrypt volumes are hardly one of the low-hanging fruits. Hats off to the Hashcat developers for choosing to take on such a worthy opponent!

I see nothing wrong with these types of cracking endeavors. If someone chooses to attempt to crack a TrueCrypt volume head-on through the use of massive processing power then I say more power to them. (Guys, just try not to overheat the planet too much, ok?) TrueCrypt was designed to resist exactly this type of attack, so I'm not worried about the security risks to properly set up volumes. They may gobble up the insecure ones, though!

For those of you who may not want your volumes to be cracked by Hashcat users, may I suggest you ensure that your PWs are long and strong enough? Or add a keyfile? And remember, this new speed increase probably represents a mere fraction of what is already out there privately.

 

450k is not nearly enough for a decent password. If that were 450million, maybe that'd be something to worry about.

I'll have to read the article.

Sucks that TrueCrypt doesn't let you choose how many rounds of hashing to use. I think it's stuck at 1,000. I could easily do 1,000,000 on my system.

 

Agreed. But it's pretty fast for TrueCrypt cracking. Heck, just a few years ago I was trying to squeeze 4 pw/sec out of my old batchfiles!

 

Is this a joke? Just do the math...

Claiming 50K to 450K hashes/sec is "worlds [sic] fastest TrueCrypt cracker" is like saying the current record holder in the high jump is "the world's best flying human".

 

I don't quite get your analogy, but I do realize that the upcoming product will have basically no chance of cracking a properly-secured TrueCrypt volume. I was merely pointing out that we have a new contender on the way and that poorly-secured volumes will soon be at higher risk. Lots of users have highly inadequate passwords, you know.

PS: Perhaps you were put off by my phrase "very impressive"? Just to clarify that for you, I mean that it's very impressive when compared to all of the other, significantly slower TrueCrypt crackers out there.

 

That would be me. Have you seen me do my dolphin jump? It's very impressive.

 

I understood your point perfectly, dantz.

 

My point is:

a) Brute force is not a "crack" (just as jumping high isn't flying),

b) TrueCrypt pops up a warning during volume creation recommending at least a 20 character passphrase. And if someone is using TrueCrypt, odds are they're a bit more security conscious, and won't be using "123456" as their key. No one is brute forcing a TC volume at 50k hashes/sec.

Yeah, but again that's like being the tallest dwarf. Sure you're closer to the rim of the basketball goal than everyone else in your category...but that doesn't mean you're really any closer to slam dunking.

As did I. I was simply offering a counterpoint.

 

[sarcasm]I do hope my random 63 character key isn't in danger![/sarcasm]

Let me know when they start employing quantum computers, maybe then we'll see some concern.

 

Even then...if you're using a strong passphrase, it's not going to help in any practical sense.

Again, just do the math. A quantum computer will reduce the complexity of an attack by a factor of a square root. So effectively it's only going to cut the keyspace in half. That's it.