Re: Re: password protect pen drive

[krymson () gmail com]

First, I'm curious, can TrueCrypt passwords actually have rainbow tables? I don't think so, depending which password 
encryption/hash you use with TrueCrypt. I'm pretty sure they're exempt from realistic rainbow table use.

Second, how do you come by the 1.68 hours to crack the password? I have no doubt one can bruteforce the TrueCrypt 
password, but you will need to devise your own script and also a positive check in order to do it, no? I wouldn't be 
surprised if something can run through TrueCrypt attempts quickly (depending on how fast it tells you 'fail'), so I'm 
just curious where that number came from.

Third, I don't know any system that can't be brute-forced when the password is simple or easy. It's just a matter of 
how costly it is for the attacker to accomplish. You would need lockouts or timeouts to make this too costly for an 
attacker to wait for. Or use a large password that would take a long time to process. For something as "stripped" as 
disk encryption, you'll want to use a long password as opposed to expecting a vendor to build more intelligence into 
the process.




<- snip ->
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

infolookup (at) gmail (dot) com [email concealed] wrote:
> How good is TrueCrypt I tried it and when I was using a short password it told me I should use over 20 letters or it 
> could be cracked.

It said you should always use at least 20 characters.

> Now my question is if you use a combination of "*#$and22" how easy would that be to crack?

Your password can be broken in 1.68 hours on this computer. That is by
brute force.

Rainbow tables will take seconds.

> My point is what good is encryption program if you can easily crack it.
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Rob Thompson <my.security.lists (at) gmail (dot) com [email concealed]>
>
> Date: Sat, 12 Jul 2008 11:58:45 
> To: Lovena J Reddi<lovenareddi (at) intnet (dot) mu [email concealed]>
> Cc: <a.karpinsky (at) mirohleb.kiev (dot) ua [email concealed]>; 
> <security-basics-return-49733-a.karpinsky=mirohleb.kiev.ua@securityfocus
.com>; 'Karl Lankford'<karl (at) kaspersky.co (dot) uk [email concealed]>; 'Rob'<goldleader05 (at) gmail (dot) com 
[email concealed]>; <security-basics (at) lists.securityfocus (dot) com [email concealed]>
> Subject: Re: password protect pen drive
>
>
> Lovena J Reddi wrote:
> > Hi
>
> > I am looking for a password protect for my usb drives. Any idea for a free
> > one.
>
> For a free product, Truecrypt. This is not centrally administered, but
> it does a great job if you don't have a bunch to control.
>
> For a thumbdrive, you will want to use the "portable" version which is
> something that you can do from the installed product or you can specify
> when you install...
>
> Someone else posted something in this thread at the bottom about locking
> down thumbdrives/auditing/etc...
>
> See below, please.
>
> > Please note that that when I plug my thumbdrive in the usb port it should
> > prompt me the password interface so that after putting the right password I
> > am allow to access the thumbdrive content. The usb drive will b plug in any
> > machine.
>
> > Kindly advise.
>
> > Lovena