DeaconBlues
Nov 9, 2011
Nice thread topic!

I'd like an effective and relatively simple way of turning a short password into a hash type string to use as a passphrase for AES encryption please.

In the past I've used the MD5 of a simple string (such as a car license plate) and I know that people here will poo poo brix that I used something as insecure as MD5 but, hey, it's better than the original password!

I looked at PBKDF2, which seems ideal for stretching a simple password into an indecipherable string and then found out that there are better alternatives, such as bcrypt which has more expensive overheads if someone attempted to reverse the data.

The problem with bcrypt (and scrypt, I believe) is that they are geared toward storing passwords for web services and produce a more complicated output than I desire. I just wanna derive an encryption key from a simple string.

PBKDF2 looks the sort of thing I'm after but there doesn't seem to be a standardized implementation of it. I want to encrypt something with the knowledge that I can decrypt the file in maybe 5 years time, possibly using a different OS (it will still be Linux based, though) or platform. At least MD5 and SHA256 are both standardized algos and produce the same result over all platforms.

What do you guys use to manually scramble your passwords?
Please don't suggest keepass2: I'm looking for simplicity. Thanks.

DeaconBlues
Nov 9, 2011
It wasn't a joke post. Yep, I do use a password manager (LastPass) but I knew there'd be people recommending Keepass so I mentioned I don't want to use it.

In my case I want to stretch a simple, easy to remember password into a long key. Whoever suggested that I am using multiple instances of this technique is wrong. 99% of my passwords are unique and are stored in LastPass (with 2FA via YubiKey, so don't get smart on me and keep mentioning Keepass).

The point is that I want to stretch an easy to remember brain password into a long key for use with AES encryption which I will only use on a couple of files that are important to me.

DeaconBlues
Nov 9, 2011
No it doesn't help. This helps:

Is the use of a long string of pseudo-random digits as a key for AES encryption more secure than a short password that one can remember?

Answer me that and you'd be helping. x

DeaconBlues
Nov 9, 2011
Thanks for the last few replies. Entropy is an interesting concept.

I'll keep my particular case simple. Here's what I think I should do:

1. Hash the simple password that's only in my head. Lets say my password is this car registration: "E207HVT".

2. SHA256 of E207HVT=baff2ddde4043bfcfe6dbf67ecfca2b5f8a3a90e7b4939632ce82565c3fe25b2

3. Encrypt the file using AES using the hash of simple brain password and store the file onto SSD/USB/whatever.

I get burgled and the thief is quite good with computers, but no genius.

The thief now has to try and brute-force a 64 character string, rather than a 7 character string.

Am I doing it right?

DeaconBlues
Nov 9, 2011
What you've mentioned there, dougdrums and Antillie, were my concerns about just using a hash. Particularly about the thief knowing about hashing and trying various hash algos during the brute-force attempt.

From the bits and bobs I have read, PBKDF2 and bcrypt are better than simple hashing because they utilize CPU and RAM more when doing a calculation. So if the attacker's PC is capable of performing a SHA256 hash in 0.001 seconds it might take the same PC 0.1 seconds to perform a PBKDF2 function. When you consider the number of permutations that the attacker has to generate before he/she finds the key that can make a major difference in time. I can only guess, but the difference between using a simple hash and PBKDF2 to find a 20 character password might be a difference of taking a few hours to a few years if each calculation is 100 times slower.
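Worked example, added here as an illustration and not code from any post in the thread. It derives a 32-byte key from the 7-character plate password quoted above, first as a bare SHA-256 and then with PBKDF2-HMAC-SHA256 (RFC 8018, available in the Python standard library as hashlib.pbkdf2_hmac), and then plays the thief. The password E207HVT is the one from the post; the candidate list, the salt handling, the iteration counts and the AES-128 comparison are assumptions made for the demo. It shows two things the last few posts circle around: hashing does not change how many guesses the thief has to make (he enumerates plates, not 64-character hashes), and stretching only multiplies the cost of each guess, so the stretching parameters must be stored with the file and the password itself still has to carry the entropy. It also checks the published PBKDF2 test vector, which is the portability point: the output is a pure function of (PRF, password, salt, iterations, length), so any conformant implementation on any OS reproduces it.

```python
# Added example, not from the thread. Standard library only.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Iterable, Optional, Tuple

PASSWORD = "E207HVT"   # the 7-character "brain password" from the post


def key_from_sha256(password: str) -> bytes:
    """Naive key: SHA-256(password). 32 bytes, unsalted, one hash per attacker guess."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def key_from_pbkdf2(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 as specified in RFC 8018 (PKCS #5 v2.1).
    The result is a pure function of (PRF, password, salt, iterations, length),
    so any conformant implementation on any OS reproduces the same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, length)


def new_kdf_params(iterations: int = 600_000) -> Tuple[bytes, int]:
    """Fresh random salt plus the iteration count. Neither is secret: store both
    next to the ciphertext so the file is still decryptable years later.
    600k is OWASP's current PBKDF2-HMAC-SHA256 figure; treat it as an assumption."""
    return secrets.token_bytes(16), iterations


def matches_rfc_vector() -> bool:
    """Portability check against the published PBKDF2-HMAC-SHA256 test vector
    P="password", S="salt", c=1, dkLen=32."""
    expected = "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"
    return key_from_pbkdf2("password", b"salt", 1, 32).hex() == expected


def plate_candidates() -> Iterable[str]:
    """Constructed attacker search space: the thief assumes E???HVT, 1000 guesses.
    Even the full UK-style plate format (letter, 3 digits, 3 letters) is only
    26 * 10**3 * 26**3 = 456,976,000 guesses, about 28.8 bits; hashing adds none."""
    for n in range(1000):
        yield f"E{n:03d}HVT"


def recover_password(target_key: bytes, derive: Callable[[str], bytes],
                     candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against a known key (the same loop works against the
    ciphertext itself). Returns (password or None, number of guesses made)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(derive(cand), target_key):
            return cand, tried
    return None, tried


def per_guess_cost_ratio(salt: bytes, iterations: int, samples: int = 50) -> float:
    """How many times more work one PBKDF2 guess costs the thief than one SHA-256 guess."""
    t0 = time.perf_counter()
    for _ in range(samples):
        key_from_sha256(PASSWORD)
    plain = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for _ in range(samples):
        key_from_pbkdf2(PASSWORD, salt, iterations)
    stretched = time.perf_counter() - t0
    return stretched / plain


if __name__ == "__main__":
    salt, iters = new_kdf_params()
    key = key_from_pbkdf2(PASSWORD, salt, iters)
    print("PBKDF2 key:", key.hex(), "salt:", salt.hex(), "iterations:", iters)
    print("RFC test vector reproduced:", matches_rfc_vector())

    pw, n = recover_password(key_from_sha256(PASSWORD), key_from_sha256, plate_candidates())
    print(f"SHA-256 key: recovered {pw!r} after {n} guesses")

    demo_iters = 1_000  # kept small so the demo finishes in about a second
    pw, n = recover_password(key_from_pbkdf2(PASSWORD, salt, demo_iters),
                             lambda p: key_from_pbkdf2(p, salt, demo_iters), plate_candidates())
    ratio = per_guess_cost_ratio(salt, demo_iters)
    print(f"PBKDF2 key:  recovered {pw!r} after the same {n} guesses, each about {ratio:.0f}x slower")
```

Run it as a script and the two recoveries land on the same guess count: the 64-character hex string the thief sees is not what he brute-forces. What changes between the two runs is only the per-guess cost, which is why the iteration count has to be high enough to hurt on the attacker's hardware (the 0.1 s figure above is the right way to think about it) and why a password with 28 bits of entropy stays a 28-bit password after stretching.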

DeaconBlues
Nov 9, 2011
Thanks for the advice OSI bean dip.

I was just giving VeraCrypt a try out and pretty impressed until you said TrueCrypt wasn't trustworthy :/

I liked the PIM function, which does a similar thing to what I mentioned earlier about using CPU intensive iterations to make it hard for an attacker to quickly decrypt. This is basically what I'm looking for, I think: an alternative to hashing that stresses the CPU and RAM.

DeaconBlues
Nov 9, 2011
Which is the preferred version if I were to start using keepass on Linux and a copy of my vault on an android phone: keepass or keepassx?

Hmm. I see there is also a keepass 1 and keepass 2.

DeaconBlues fucked around with this message at 21:02 on Dec 23, 2015

DeaconBlues
Nov 9, 2011
Is the Password Safe file encrypted?

Could always Google Drive it for access across devices.

DeaconBlues
Nov 9, 2011
https://www.dyne.org/software/tomb/

Any analysis/criticism/props for tomb? I haven't used it yet. Apparently you can wrap it around luks and in certain applications you can also retrieve your key file over a network and pipe it in during mount, which saves storing the key on the same device as the encryption container. Seems like a neat idea.

DeaconBlues
Nov 9, 2011
What's the consensus about the news that WhatsApp (a company owned by Facebook, nonetheless) now has secure end to end encryption? The encryption may be provided by Open Whisper Systems but there's a bunch of proprietary code bundled in there, too.

Is it now more trustworthy than the likes of Telegram (which also uses proprietary software in 'default' server side encryption mode)? Is there a way that the core software could contain some kind of universal decryption method? Or are they keeping the core proprietary purely to retain ownership (and thus retain value)? Could anything closely tied to Facebook be a genuine attempt at global privacy? Is it a honeypot?

So many questions I couldn't hope to answer, so over to you...

DeaconBlues
Nov 9, 2011
I'm not a WhatsApp user and only found out about the default end to end encryption today. I'm just a bit incredulous that a mega corp would make a bold move like this and I wanted to read some knowledgeable opinions before I start using WhatsApp (more than likely just message my mum which films she wants me to torrent, ha ha).

Isn't it a little crazy for such an institution like WhatsApp (and by proxy, Facebook) to hold two fingers up to those who want freedom to freely investigate terrorism? Perhaps they've been inspired by the Apple/FBI debacle.

DeaconBlues
Nov 9, 2011
So are you saying that the kudos (or 'cool factor') they receive for providing such a service (if it is trustworthy) is worth the possibility of putting the government and/or legal system's noses out of joint?

Like how Apple gained respect (from a lot of quarters, maybe not everyone but I'd say a majority) due to standing up for privacy.

DeaconBlues
Nov 9, 2011

Adix posted:

I'm going off half-remembered posts from fb people in yospos but I think it boiled down to "we have the ability, and therefore responsibility, to lose targeted ads to prevent targeted bullets for a segment of people"

I'm interested in the technical side of this, put into simple terms. I'll have a look in yospos. Thanks.

DeaconBlues
Nov 9, 2011
That sums up my hesitation/reluctance to install it. Too good to be true.

DeaconBlues
Nov 9, 2011
I wouldn't have a clue what to look for in a bunch of decompiled c, so the basis of my assumption is sociological: Facebook is part of the status quo, and makes a pretty penny from being there. Why would they want to upset that balance by offering 'true' unbreakable end to end private messaging and also open up possibilities where they have to defend themselves against gov/FBI/yadda?

DeaconBlues
Nov 9, 2011
I was responding to the replies suggesting that it may be stupid to question whether the service is completely private. Thanks for the info regarding Facebook setting up philanthropic services.

DeaconBlues
Nov 9, 2011
Thanks. That looks interesting to a non programmer like myself. Added to my podcast player.

DeaconBlues
Nov 9, 2011
The last hundred or so posts in this thread have been a great read.

What are the opinions on torrenting movie files and TV shows? Is there possibility of code execution in popular video file containers?

It's a long time since I realised the idiocy in using pirate software from torrents, and as recently as a couple of years ago I was happy to get free Windows activation by using a dodgy bootloader. Times have changed and I'd like to think I'm less slapdash these days, but it's so convenient to grab a copy of that TV show you missed.

DeaconBlues
Nov 9, 2011
Thanks for the replies regarding media files. It seems that the best strategy is to choose your media player carefully, stick to one or two media players and keep them up to date.

DeaconBlues
Nov 9, 2011
Well I want to be able to watch an mkv/play an mp3 on my desktop PC the same as most people. I don't want to fire up a VM to do that. I suppose it comes down to accepting that it's not watertight security and if I'm using a torrent that's a popular TV programme then I'm not the only one that's gonna be susceptible and there's likely to be a buzz about a recent exploit on the Web.

DeaconBlues
Nov 9, 2011

Stanley Pain posted:

Pay for your Movies / TV Shows then :)

I don't believe that everyone in this thread pays for all of their media, even the most security conscious. ;-)

DeaconBlues
Nov 9, 2011
I guess it's moot whether I torrent, you torrent or anyone else in the thread torrents movies. I was interested in finding out if there was a real threat from manipulated video files. It seems that that attack vector is very much an ongoing possibility.

DeaconBlues
Nov 9, 2011
Is Norton/Symantec actually widely used in Linux land? I'm using Linux with no AV, although I'd go for clam or Sophos if I wanted it, since those are the ones I've heard of people using on Linux.

DeaconBlues
Nov 9, 2011
Diceware FTW. Just pick a length that suits your particular application.
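Added example, not code from the thread, to put numbers on "pick a length that suits your particular application" and on the earlier question of whether a long pseudo-random string beats a short memorable password. It implements the Diceware lookup as actually specified (five dice read as a base-6 index into a 7776-word list), generates passphrases from the OS CSPRNG, and works out how many words a given entropy target needs. The 12-word list is a constructed stand-in so the code runs offline; the real list is 7776 words. The plate format used for the comparison is the one from the earlier post (letter, 3 digits, 3 letters).

```python
# Added example, not from the thread. Standard library only.
import math
import secrets
from typing import Dict, Sequence

DICEWARE_WORDS = 6 ** 5  # the standard list has 7776 entries, one per five-dice roll

# Constructed stand-in for a real wordlist so the generator runs offline.
# A real Diceware list is 7776 words long and indexed by rolls_to_index().
TOY_WORDLIST = ["acorn", "badge", "cobra", "delta", "ember", "flint",
                "gamma", "hinge", "ivory", "jumbo", "kayak", "lemur"]


def uniform_entropy_bits(space_size: int) -> float:
    """Entropy of one value drawn uniformly from space_size possibilities."""
    return math.log2(space_size)


def passphrase_bits(n_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Words chosen uniformly and independently: entropy adds, ~12.9 bits each for 7776."""
    return n_words * uniform_entropy_bits(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_WORDS) -> int:
    """Smallest word count that reaches target_bits: the 'pick a length' step."""
    return math.ceil(target_bits / uniform_entropy_bits(list_size))


def rolls_to_index(rolls: str) -> int:
    """Physical Diceware: five dice read as a base-6 number, 11111 -> 0 .. 66666 -> 7775."""
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError("need exactly five dice results, each 1..6")
    idx = 0
    for ch in rolls:
        idx = idx * 6 + (int(ch) - 1)
    return idx


def roll_five() -> str:
    """Software dice from the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(wordlist: Sequence[str], n_words: int, sep: str = " ") -> str:
    """Uniform, independent picks. secrets.choice is unbiased for any list length;
    with a 7776-word list it is equivalent to wordlist[rolls_to_index(roll_five())]."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words reduce entropy below log2(len(wordlist))")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_password_strength() -> Dict[str, float]:
    """The 'random digits vs memorable password' question, in bits of search space.
    Stretching with PBKDF2 or bcrypt multiplies attacker cost but adds none of these bits."""
    return {
        "uk_plate_format": round(uniform_entropy_bits(26 * 10**3 * 26**3), 1),
        "7_random_upper_alnum": round(uniform_entropy_bits(36 ** 7), 1),
        "5_diceware_words": round(passphrase_bits(5), 1),
        "6_diceware_words": round(passphrase_bits(6), 1),
        "aes_128_key": 128.0,
    }


if __name__ == "__main__":
    for label, bits in compare_password_strength().items():
        print(f"{label:>22}: {bits:6.1f} bits")
    print("words for 77 bits:", words_needed(77), " words for 128 bits:", words_needed(128))
    rolls = roll_five()
    print("five dice:", rolls, "-> list index", rolls_to_index(rolls))
    print("toy passphrase:", passphrase(TOY_WORDLIST, 6))
```

Six words from the real list give about 77 bits; a plate-shaped password gives under 29 however it is hashed afterwards. The two routines are interchangeable only when the list really has 7776 unique entries, which is why passphrase() refuses lists with duplicates.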

DeaconBlues
Nov 9, 2011

angry armadillo posted:

True. I'm heading out there for some work and wondered if the Government IT security people have as high standards as they do in the UK or will my life be easier over there :D

The Risky Business podcast is hosted by an Australian guy, and he seems pretty knowledgeable and on the ball when it comes to security. Take a listen to the latest ep and the first five minutes should give you an idea:

http://risky.biz/
