Security Basics mailing list archives

Re: password protect pen drive


From: Rob Thompson <my.security.lists () gmail com>
Date: Thu, 17 Jul 2008 20:04:16 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

krymson () gmail com wrote:
First, I'm curious, can TrueCrypt passwords actually have rainbow tables? I don't think so, depending which password 
encryption/hash you use with TrueCrypt. I'm pretty sure they're exempt from realistic rainbow table use.

When you generate a password, if the product is making a hash of what
you entered, then it can be brute forced.

You are generating a hash of a character and matching that hash to the
existing hash.  No match, move on.


Second, how do you come by the 1.68 hours to crack the password? I have no doubt one can bruteforce the TrueCrypt 
password, but you will need to devise your own script and also a positive check in order to do it, no? I wouldn't be 
surprised if something can run through TrueCrypt attempts quickly (depending on how fast it tells you 'fail'), so I'm 
just curious where that number came from.

I have a magical tool that will give a guesstimate as to the amount of
time.  In this particular case, we were given an exact password.  So I
told my tool that this was the criterion and asked how long it would take.

Or you can do it the "real" way and figure out the math.

It is a computation problem: with X number of possibilities being
processed at X speed, you will arrive at an answer in X amount of
time.


Third, I don't know any system that can't be brute-forced when the password is simple or easy. It's just a matter of 
how costly it is for the attacker to accomplish. You would need lockouts or timeouts to make this too costly for an 
attacker to wait for. Or use a large password that would take a long time to process. For something as "stripped" as 
disk encryption, you'll want to use a long password as opposed to expecting a vendor to build more intelligence into 
the process.

ALL systems can be brute forced.  It is simply a matter of time.

I am aware of Rainbow Tables that are in excess of 54 character hashes
in length.  Therefore, if that was what I was told, I would assume much
larger.

What you are banking on is whether or not you can devise a password that
is strong enough to withstand the attack.

Are you going to have one chucklehead using his mommy and daddy's 'puter
trying to hack away at you?  Or are you going to have someone with some
skills and a gigantic botnet of computers that are just waiting for
something to "work on"?

Yes, lockouts and timeouts are very important.  But those don't apply to
everything.  They are only meant to slow down the attack.  And if
someone REALLY wants it, a timeout isn't going to be enough to stop them.

So leave those 8-character passwords at home.  They are not safe any longer.

You really shouldn't be using anything under 16.

<- snip ->

infolookup (at) gmail (dot) com wrote:
How good is TrueCrypt?  I tried it, and when I was using a short password it told me I should use over 20 letters or it 
could be cracked.

It said you should always use at least 20 characters.

Now my question is if you use a combination of "*#$and22" how easy would that be to crack?

Your password can be broken in 1.68 hours on this computer. That is by
brute force.

Rainbow tables will take seconds.

My point is, what good is an encryption program if you can easily crack it?
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Rob Thompson <my.security.lists (at) gmail (dot) com>

Date: Sat, 12 Jul 2008 11:58:45 
To: Lovena J Reddi <lovenareddi (at) intnet (dot) mu>
Cc: <a.karpinsky (at) mirohleb.kiev (dot) ua>; <security-basics-return-49733-a.karpinsky=mirohleb.kiev.ua@securityfocus.com>; 'Karl Lankford' <karl (at) kaspersky.co (dot) uk>; 'Rob' <goldleader05 (at) gmail (dot) com>; <security-basics (at) lists.securityfocus (dot) com>
Subject: Re: password protect pen drive


Lovena J Reddi wrote:
Hi,
I am looking for password protection for my USB drives.  Any idea for a free
one?
For a free product, Truecrypt. This is not centrally administered, but
it does a great job if you don't have a bunch to control.

For a thumbdrive, you will want to use the "portable" version which is
something that you can do from the installed product or you can specify
when you install...

Someone else posted something in this thread at the bottom about locking
down thumbdrives/auditing/etc...

See below, please.

Please note that when I plug my thumbdrive into the USB port it should
prompt me with the password interface, so that after entering the right password I
am allowed to access the thumbdrive content.  The USB drive will be plugged into any
machine.
Kindly advise.
Lovena



--
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

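Rob's "X possibilities at X speed" reasoning, worked through for the "*#$and22" password discussed in the thread, as an added example that is not part of the original post. The guess rate is a constructed assumption (it depends entirely on how expensive the product's password hashing is), and the alphabet is the attacker's conservative choice: every ASCII class the password draws from.

```python
import string

# Character classes an attacker is assumed to cover once they know which
# classes the password draws from.  string.punctuation is the 32 printable
# ASCII symbols, so lower+digit+symbol gives an alphabet of 68.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Size of the alphabet covering every class present in the password."""
    present = {name for name, chars in CLASSES.items()
               if any(ch in chars for ch in password)}
    return sum(len(CLASSES[name]) for name in present)


def keyspace(password: str) -> int:
    """Candidates in an exhaustive search over that alphabet at the exact
    length: the 'X number of possibilities' in the thread."""
    return charset_size(password) ** len(password)


def worst_case_hours(password: str, guesses_per_second: int) -> float:
    """Hours to exhaust the keyspace at a given rate ('X speed').  On
    average the password is found in half this time."""
    return keyspace(password) / guesses_per_second / 3600


def min_length(alphabet_size: int, guesses_per_second: int, years: int) -> int:
    """Smallest length whose keyspace takes at least `years` to exhaust at
    the given rate.  Integer arithmetic, so no float rounding surprises."""
    needed = guesses_per_second * years * 365 * 86400
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    RATE = 10**9  # constructed assumption: 1e9 guesses/s against a cheap hash
    for pw in ("*#$and22", "*#$and22*#$and22"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, keyspace {keyspace(pw):.3e}, "
              f"worst case {worst_case_hours(pw, RATE):.3e} h")
    print("length needed for 100 years at that rate:", min_length(68, RATE, 100))
```

Doubling the length from 8 to 16 squares the keyspace, which is the whole basis of the "nothing under 16" advice; a product that deliberately slows its password hashing lowers `RATE` and helps, but only linearly.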
