[ARCHIVED THREAD] - Any TrueCrypt users here? (Page 1 of 2)
Posted: 12/18/2013 8:53:26 AM EDT
|
I was looking around for encryption software, and read about TrueCrypt.

Seems like an excellent, and free, program. Still learning my way around how to use it and the science behind it, and I like how it functions. Am now in the (slow) process of encrypting all my portable hard drives. Any expert users of it, with any tips or pointers on its use?

Such as, if you have the whole disk encrypted, and then have a file inside the drive that is also encrypted (with a separate password of course), have you doubled the security, or would someone just use the same method to break into the file as they did the drive? How good is the security of it? With a good password is it good against anyone? Or do you think that the NSA has some way to break into it, either through some back door, or their own brilliant method?

How long of a password are people using? With, say, a 20 word and number password, is there much benefit from using + # @ * ^ and other characters?

I've read just an outline of keyfiles, and don't fully follow it. What is a key file? Is it just a file you select, and based on the particulars of that file, it serves as a password in effect, hence the recommendation to use a JPEG file, which being a picture would be impossible to duplicate except by some huge number of tries? If that is the aspect of the keyfile, anyone worry about a JPEG being corrupted? I've had some photo files go tits up before, far more often than any other file type.

It's interesting software, and I'm enjoying learning more about it and ciphers. I also donated 20 bucks to their donation account, as anyone who uses this free software should.
|
Double encrypting would help you with a couple of attack vectors, but you would still be at risk from a keylogger.

Keyfiles are something that basically are added to your password to kind of make it into a two-factor authentication method, but you are correct, you are at risk of the file being lost through whatever means.

ETA: As with everything in security, a lot of it really depends on what the threat is you are trying to beat. I use full disk encryption on my laptops but with a shitty, short password. My concern isn't national assets but some tweaker that steals it, so I'm willing to accept the risk that not typing in a strong password every time I boot it brings.
|
So a key file is just another file, that the program "takes a picture of", so to speak, and then requires you to have that same file to unlock the drive, by comparing the "picture" of that file with what you currently have?

I would be very afraid that the key file would get corrupted, and then you're out of luck. I guess you could use an MP3 file, where if your version went bad you could get another copy of it from a CD.
|
Quoted:
Quoted:
So is TrueCrypt an open source code system, and thus not compromised like other software?
It is open source. In theory it isn't compromised. But it is possible that it is just very elegantly compromised.

Or that the mathematics used have already been broken, or are based on crippled algorithms promulgated by the NSA or one of their stooges.
|
Unless you are super duper important, the biggest weakness in Truecrypt is the user of Truecrypt, not Truecrypt itself.

In fact, even if you are super-duper important, you are the weakest link. "Successful" attacks against Truecrypt tend to be successful attacks against the user, not the product. Learn about those attacks like keylogging, key wandering, and general asshattery and you should be good to go.
|
Quoted:
There's a very nasty rumor going around that TrueCrypt has been backdoored by the NSA. In fact, there's an effort to audit the source to try and explain some oddities in the code.

Cool. That shouldn't worry even digital pedophiles if it is true. If the NSA has a hack for it, they aren't going to reveal it unless you are going to nuke the US or something similar. Additionally, if I were perpetually being foiled by a piece of open source software, my first mission would be to discredit it and discourage its use. Therefore, the rumors have as high a chance, if not higher, of being unfounded as of being based in reality.
|
Quoted:
There's a very nasty rumor going around that TrueCrypt has been backdoored by the NSA. In fact, there's an effort to audit the source to try and explain some oddities in the code.

At this point, it wouldn't surprise me, given their apparent funding of backdoors into RSA. Open source definitely makes it harder though, especially when you have a pretty wide user base looking over each code change (well, let's be honest... if it compiles, you're not going to look over everyone's code changes; you'll only notice if there's a problem). In any case, if I were specifically trying to hide information from the NSA, I wouldn't have it on a computer at all.
|
I just started looking at it & had a recent thread about it. Cool stuff when you start digging into it.

What I found most interesting so far was TC specifically mentions (at least twice) that data stored in safety deposit boxes is "not safe from adversaries" & therefore they recommend a certain procedure when putting backups in one. I got lambasted a couple of weeks ago in another thread for basically bringing up the same fact... Wish I would've known TC's take on it then.
|
Quoted:
There's a very nasty rumor going around that TrueCrypt has been backdoored by the NSA. In fact, there's an effort to audit the source to try and explain some oddities in the code.

The average user won't be affected. The NSA ain't sharing any potential backdoors with law enforcement. The average user wants financial data and fetish porn hidden, and TC is very good at doing that. The NSA doesn't want your fetish porn, and your finances are probably not interesting either. For me, it's the best free encryption setup available and I use it every day, locally and on the cloud.
|
Quoted:
Unless you are super duper important, the biggest weakness in Truecrypt is the user of Truecrypt, not Truecrypt itself. In fact, even if you are super-duper important, you are the weakest link. "Successful" attacks against Truecrypt tend to be successful attacks against the user, not the product. Learn about those attacks like keylogging, key wandering, and general asshattery and you should be good to go.

The Professor Messer A+ videos on YouTube have a nice bit about social engineering to access your data. Nothing earth shattering, but good info.
|
In light of recent events this seems appropriate:
http://istruecryptauditedyet.com/
|
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such.

Interesting. I'd think a key file would make it impossible to break into without some backdoor. How could an actual file, if it had to match exactly to the keyfile, ever be guessed, if it was something like an MP3 or JPEG file?
|
Quoted:
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such. Interesting. I'd think a key file would make it impossible to break into without some backdoor. How could an actual file, if it had to match exactly to the keyfile, ever be guessed, if it was something like an MP3 or JPEG file?

It couldn't be guessed unless it was something dumb like a standard internet meme, but a keyfile is easily compromised by itself. A key file is used in conjunction with a password for solid authentication.
|
|
Quoted:
Quoted:
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such. Interesting. I'd think a key file would make it impossible to break into without some backdoor. How could an actual file, if it had to match exactly to the keyfile, ever be guessed, if it was something like an MP3 or JPEG file?
It couldn't be guessed unless it was something dumb like a standard internet meme, but a keyfile is easily compromised by itself. A key file is used in conjunction with a password for solid authentication.

Would an MP3 file make for a good keyfile? Seems that it would be hard to duplicate, and if you lost your copy you could download another copy of it.
|
Don't put your computer in suspend mode; a thief can still obtain your encryption keys from memory. Instead put your computer into hibernate mode, where it encrypts your memory to disk.

Use a bunch of uppercase/lowercase, numbers and symbols as the password to make it harder to hack. The more the better.
|
Quoted:
Quoted:
Quoted:
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such. Interesting. I'd think a key file would make it impossible to break into without some backdoor. How could an actual file, if it had to match exactly to the keyfile, ever be guessed, if it was something like an MP3 or JPEG file?
It couldn't be guessed unless it was something dumb like a standard internet meme, but a keyfile is easily compromised by itself. A key file is used in conjunction with a password for solid authentication.
Would an MP3 file make for a good keyfile? Seems that it would be hard to duplicate, and if you lost your copy you could download another copy of it.

Sure, but if you download it, it means it exists in other places. The odds of someone running everything in existence are slim, though. Key files are awesome, but are just as susceptible to human stupidity and social engineering. Ultimately, encryption is the least of someone's worries against a smart attacker with time and a good motive on their hands. Use a keyfile on a separate encrypted USB drive with a unique password.

Remember that unless you either have data like banks have, or secrets a major government would want, or you are attacking said governments, talk of backdoors and most shenanigans is pointless. Use a keyfile and a good password, don't write it down or document it, and you're good to go. To reiterate... the biggest security risk the common person faces is themselves. Keep It Simple, Stupid.
|
Quoted:
So is TrueCrypt an open source code system, and thus not compromised like other software?

For nearly a decade, TrueCrypt has been one of the trusty tools in a security-minded user's toolkit. There's just one problem: no one knows who created the software. Worse still, no one has ever conducted a full security audit on it.
TrueCrypt Audit
|
Quoted:
Quoted:
The longer the password the better. Don't need to use odd symbols that just make it hard to remember; what matters most when using brute force is the total number of characters. You can even use a complete sentence and be protected rather well.
Read this article lately? http://imgs.xkcd.com/comics/password_strength.png

So what if I use the four random words with number and symbol substitutions... is that less secure? C0rr3ct#0r53B4tt3rySt4pl3! That is easy as fuck for me to remember, but is that less secure than correcthorsebatterystaple? Dumb it down for a dolt like me.
|
Quoted:
The longer the password the better. Don't need to use odd symbols that just make it hard to remember; what matters most when using brute force is the total number of characters. You can even use a complete sentence and be protected rather well.

I use a song lyric with creative punctuation and capitalization.
|
Quoted:
Quoted:
Quoted:
The longer the password the better. Don't need to use odd symbols that just make it hard to remember; what matters most when using brute force is the total number of characters. You can even use a complete sentence and be protected rather well.
Read this article lately? http://imgs.xkcd.com/comics/password_strength.png
So what if I use the four random words with number and symbol substitutions... is that less secure? C0rr3ct#0r53B4tt3rySt4pl3! That is easy as fuck for me to remember, but is that less secure than correcthorsebatterystaple? Dumb it down for a dolt like me.

It would be just as secure; it is just that you don't get any significant security bonus by using character substitutions, and it makes the password harder to remember and type for most people. The most important aspect for a password is how long it is. The comic is merely showing how a shorter password with character substitutions and symbols loses out to a longer password using nothing but common words that are easy to remember when it comes to resistance against brute force attacks. I recommend that passwords should be over 20 characters in length.
|
At my last full time job I was an IS director for a home health agency. We had our agency software running on laptops and the software company recommended TrueCrypt for the laptops. Medical info has to be protected per HIPAA. Management liked the price point (free). It was easy to install and encrypting the drives did not take too long. Unfortunately I was laid off before I could get a lot of experience with it, but it seemed G2G to me.

I am working as a contractor for a large hospital group and all hard drives and thumb drives are encrypted with Credant.
|
Quoted:
It would be just as secure; it is just that you don't get any significant security bonus by using character substitutions, and it makes the password harder to remember and type for most people. The most important aspect for a password is how long it is. The comic is merely showing how a shorter password with character substitutions and symbols loses out to a longer password using nothing but common words that are easy to remember when it comes to resistance against brute force attacks. I recommend that passwords should be over 20 characters in length.

Ah, thank ya kindly.
|
|
Quoted:
I use it regularly but didn't read your entire post

Ha ha, me neither. I've never encrypted drives, just "containers" inside drives. One for personal/financial info, one for a little porn. It's nice not having to worry about the wife or the computer repair guy, or the kids someday stumbling upon it, so long as I don't forget and leave the drive mounted. When you open a container, it mounts on all users' desktops.

OP, use it, just make sure the code can't be brute forced. Use a code w/ small & large case, numbers and symbols such as # ! @ etc. Make it at least 8 characters long. Of course, the danger is not that it can be brute forced but that the key will be compromised w/ key logging malware. If you want it to be really secure, reboot your computer from a bootable CD or thumb drive. Insert another USB drive that has the TrueCrypt app unzipped, run it, and create the container on that thumb drive. Then, NEVER open that container again unless you are running on a machine running from a non-writable bootable drive, such as a CD or thumb drive w/ Ubuntu. That way you NEVER have to worry about your keys being swept up by malware. This is also a good system to generate and store private keys for bitcoins. You just have to use one of those offline HTML bitcoin key generators.
|
Quoted:
So a key file is just another file, that the program "takes a picture of", so to speak, and then requires you to have that same file to unlock the drive, by comparing the "picture" of that file with what you currently have? I would be very afraid that the key file would get corrupted, and then you're out of luck. I guess you could use an MP3 file, where if your version went bad you could get another copy of it from a CD.

Just make a bunch of copies of the file and keep them elsewhere; that way if the one you are using gets corrupted, you can just grab a fresh one.
|
Quoted:
So is TrueCrypt an open source code system, and thus not compromised like other software?

Being open source doesn't make it compromised, but it allows its code to be scrutinized by the community who have an interest in verifying its integrity. Closed-source software requires trust that the developers:
1. are competent
2. didn't leave a backdoor for the NesssA

Much software does have these backdoors built into it at the behest of .gov, including cell phone OS and Windows. Unfortunately, smart hackers are able to find these backdoors and exploit them themselves. This is what the average citizen has to worry about: not the NessA bothering about him, but hackers getting info to drain your bank accounts or steal your identity via these back doors. That is how the cellphone spyware came about, the one that lets you turn the phone into a bug, transmit its location and copy the hacker on all your txts etc.
|
Quoted:
The longer the password the better. Don't need to use odd symbols that just make it hard to remember; what matters most when using brute force is the total number of characters. You can even use a complete sentence and be protected rather well.

WRONG! A lot of people are having their bitcoins secured by "brain wallets" stolen. Any complete sentence in proper grammatical form, particularly one from a poem or any book whose text exists electronically, is very risky. Even a complete sentence that you make up is risky unless it is very long and odd. With enough words, you can make a brute force impossible again, but by making it have improper punctuation or adding some odd characters (#, $, etc.) you can massively prevent that. The systems that brute force bitcoin brain wallets are much more profitable than mining, as foolish people are always using lines from famous books/poems or expressions for brain wallets.
|
tdd
Quoted:
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such.

Wrong! Because some decrypters are set up to try combinations of words rather than combinations of letters... If the computer went about the attack by trying every possibility of the 20 or so characters from 0000000000000000000 all the way through... whatever would be the last possible series in a set where you can use numbers, large and small caps and symbols. Well, some of those possibilities would be four words out of the dictionary w/ a space between all words, or w/o spaces. Rather than going sequentially through all the possibilities of all characters, the program combines all words in the dictionary that can combine to that many characters. That is an awful lot, but having first limited the search to the protocol of the English vocab removes most of the possible combinations in a series of X number of characters.
|
Quoted:
Quoted:
Quoted:
Quoted:
The longer the password the better. Don't need to use odd symbols that just make it hard to remember; what matters most when using brute force is the total number of characters. You can even use a complete sentence and be protected rather well.
Read this article lately? http://imgs.xkcd.com/comics/password_strength.png
So what if I use the four random words with number and symbol substitutions... is that less secure? C0rr3ct#0r53B4tt3rySt4pl3! That is easy as fuck for me to remember, but is that less secure than correcthorsebatterystaple? Dumb it down for a dolt like me.
It would be just as secure; it is just that you don't get any significant security bonus by using character substitutions, and it makes the password harder to remember and type for most people. The most important aspect for a password is how long it is. The comic is merely showing how a shorter password with character substitutions and symbols loses out to a longer password using nothing but common words that are easy to remember when it comes to resistance against brute force attacks. I recommend that passwords should be over 20 characters in length.

No, it would not necessarily be as secure, since decryption programs are made to run just words from dictionaries, per my post above.
|
Look at it this way, if your dictionary has 10,000 words:

If your password is 1 word long, it would take 10,000 guesses. If your password is 2 words long, it would take 10,000*10,000 guesses. If your password is 5 words long, then it would take 10,000^5 guesses, which equals 100,000,000,000,000,000,000.

If you use an alphabet of 26 lower case letters, 26 upper case letters, 10 digits and 10 special symbols, total them up and you get 72 characters. If you use a password of 10 characters, then you get 72^10 guesses, which equals 3,743,906,242,624,487,424.
|
Quoted:
Quoted:
So what you're saying is that a combination of words is more secure than upper and lower case and numbers and such.
tdd: Wrong! Because some decrypters are set up to try combinations of words rather than combinations of letters... If the computer went about the attack by trying every possibility of the 20 or so characters from 0000000000000000000 all the way through... whatever would be the last possible series in a set where you can use numbers, large and small caps and symbols. Well, some of those possibilities would be four words out of the dictionary w/ a space between all words, or w/o spaces. Rather than going sequentially through all the possibilities of all characters, the program combines all words in the dictionary that can combine to that many characters. That is an awful lot, but having first limited the search to the protocol of the English vocab removes most of the possible combinations in a series of X number of characters.

There is actual math that refutes your premise above... https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/ and see the strength estimation tool here: https://www.cygnius.net/snippets/passtest.html

ar-jedi
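The two estimates argued over above (10,000^5 word combinations versus 72^10 characters, and whether leet substitutions buy anything against a word-list attack) can be checked with a small zxcvbn-style estimator that costs a password under the cheaper of the two attack models. This is an added example, not code from any poster or from TrueCrypt; the word list is a constructed toy, the 10,000-word dictionary size and 72-character alphabet are the thread's own numbers, and the substitution table and the doubling-per-substitution cost model are assumptions that follow zxcvbn's reasoning rather than its exact tables.

```python
import math

# Constructed toy word list: it only drives segmentation. The attacker's
# cost per word uses the thread's assumed 10,000-word dictionary instead.
WORDS = frozenset({"correct", "horse", "battery", "staple", "password",
                   "secret", "the", "cat", "sat", "love", "you", "me"})
MAX_WORD = max(len(w) for w in WORDS)
DICT_SIZE = 10_000
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 10  # the thread's 72-character alphabet
# Substitutions an attacker is assumed to undo before looking a word up.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "#": "h"}


def observed_charset(password):
    """Alphabet size a brute-force attacker must cover, judged from the classes used."""
    classes = ((str.islower, LOWER), (str.isupper, UPPER), (str.isdigit, DIGITS),
               (lambda c: not c.isalnum(), SYMBOLS))
    return sum(size for test, size in classes if any(test(c) for c in password))


def segment(text, words=WORDS):
    """Split text into dictionary words and lone non-letter characters, or None."""
    best = [None] * (len(text) + 1)  # best[i]: tokens covering text[:i]
    best[0] = []
    for i in range(1, len(text) + 1):
        if not text[i - 1].isalpha():
            if best[i - 1] is not None:
                best[i] = best[i - 1] + [text[i - 1]]
            continue
        for j in range(max(0, i - MAX_WORD), i):  # longest candidate word first
            if best[j] is not None and text[j:i] in words:
                best[i] = best[j] + [text[j:i]]
                break
    return best[len(text)]


def estimate_guesses(password, words=WORDS, dict_size=DICT_SIZE):
    """Return (guesses, model) for the cheaper of the two attacks the thread debates."""
    brute = observed_charset(password) ** len(password)
    normalized = "".join(LEET.get(c, c) for c in password.lower())
    tokens = segment(normalized, words)
    if tokens is None:
        return brute, "brute-force"  # not a word combination: only brute force applies
    guesses, pos = 1, 0
    for tok in tokens:
        raw = password[pos:pos + len(tok)]  # indices align: LEET maps one char to one
        pos += len(tok)
        if tok in words:
            guesses *= dict_size
            # Assumed cost model: each substituted character doubles the attacker's
            # work (tried both ways), and a capitalised word doubles it once more.
            guesses *= 2 ** sum(1 for c in raw if c in LEET)
            if any(c.isupper() for c in raw):
                guesses *= 2
        else:
            guesses *= DIGITS + SYMBOLS  # a lone digit or symbol between words
    return (guesses, "dictionary") if guesses < brute else (brute, "brute-force")


def bits(guesses):
    """Guess count expressed as bits of entropy, the unit the xkcd comic uses."""
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "C0rr3ct#0r53B4tt3rySt4pl3!", "xQ7#pL2@vN"):
        guesses, model = estimate_guesses(pw)
        print(f"{pw:28} {model:12} {guesses:>28,}  ~{bits(guesses):.1f} bits")
```

Under this model the plain four-word passphrase costs about 53 bits, the substituted version about 70 bits (more than "no bonus", far less than the 160 bits a pure brute-force count would suggest), and the random 10-character string lands exactly on the thread's 72^10 figure.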

