List: gentoo-user
Subject: Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
From: Michael <confabulate () kintzios ! com>
Date: 2023-09-20 12:28:09
Message-ID: 9224264.rMLUfLXkoz () lenovo
On Wednesday, 20 September 2023 05:19:18 BST Dale wrote:
> Michael wrote:
> > On Tuesday, 19 September 2023 06:36:13 BST Dale wrote:
> >> Heck, a link to some good info on that would be good. :-)
> >
> > https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md
> >
> > https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-format.pdf
> >
> > https://wiki.archlinux.org/title/Data-at-rest_encryption
>
> Oops. Should have sent this in other message.
>
> Interesting links. Some of the info I'm clueless. I don't know some of
> the terms and what they mean. Some of it I get tho. Basically, despite
> people wanting to encrypt to protect data, some powerful entities can
> still crack it no matter how good the password or phrase is. It seems
> encryption done 'on the fly' I think is the phrase they use is just very
> hard to do without some serious CPU power or other tools. Am I getting it?

Security can be compromised because people use easy-to-guess passwords, or by
using side-channel attack methods. As Snowden mentioned, if you rely on a low
entropy device, e.g. a mobile phone, on which the base frequency can also be
compromised, then that could be the weakest link for an attack. Not to
mention keyloggers and various MITM attacks, which on phones at least are
rumoured to be the way to compromise a device. Cracking algos and ciphers is
computationally more expensive, performed offline and probably the last
resort. That said, if you assume state actors are at least 10 years ahead of
you in terms of technological solutions and resources, you'd be in the right
ballpark.

> I have a question tho. Can a person use a password/pass phrase that is
> like this: 'This is a stupid pass phrase.' Does it accept that even
> with spaces? I know file names can have spaces for a long while now but
> way back, you couldn't do that easily. One had to use dashes or
> underscores. Using spaces could open a few options.

Generally speaking, space characters are a poor choice for randomness. I
recall seeing some documentary about the Enigma machine used by the German
military during the 2nd WW. To minimise attempts to brute force the
ciphertext, they started by identifying which letter(s) were most frequently
used in the German language - e.g. the letter "e", then the second most
frequent letter and so on. This statistical analysis approach in combination
with likely message content reduced the number of guesses. In principle, a
repeated space character in your passphrase could help reduce the
computational burden of an offline brute force attack, by e.g. helping an
attacker to identify the number of individual words in a passphrase. All
these passphrases and whatever other private info you pasted into different
websites could also be harvested and used to determine some statistical
pattern in your selected passphrases. However, different ciphers and stronger
keys guard against easy cracking by brute force.
["signature.asc" (application/pgp-signature)]
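
An added example, not part of the original message: it puts numbers on the search-space question raised above, namely how much work an attacker saves by learning the number of words in a passphrase. It assumes words are picked uniformly at random from a 7776-word list (the Diceware list size); the function names are made up for this illustration.

```python
import math

# Assumption: words are chosen uniformly at random from a list of this size.
# The figures below do NOT apply to a phrase a person made up themselves.
WORDLIST_SIZE = 7776


def bits_known_word_count(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Search space in bits when the attacker knows the list and the exact
    number of words (e.g. because the separators give it away)."""
    return words * math.log2(wordlist)


def bits_unknown_word_count(max_words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Search space in bits when the attacker knows the list but has to try
    every word count from 1 up to max_words."""
    total = sum(wordlist ** k for k in range(1, max_words + 1))
    return math.log2(total)


def word_count_leak_bits(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Bits of work the attacker saves by learning the word count."""
    return bits_unknown_word_count(words, wordlist) - bits_known_word_count(words, wordlist)


def words_needed(target_bits: float, wordlist: int = WORDLIST_SIZE) -> int:
    """Smallest number of random words that reaches target_bits, assuming the
    attacker already knows both the word list and the word count."""
    return math.ceil(target_bits / math.log2(wordlist))


if __name__ == "__main__":
    for n in (4, 6, 8, 10):
        print(f"{n:2d} words: {bits_known_word_count(n):7.2f} bits, "
              f"word count leak costs {word_count_leak_bits(n):.5f} bits")
    print("words for  80 bits:", words_needed(80))
    print("words for 128 bits:", words_needed(128))
```

Under these assumptions the strength comes from the number of randomly chosen words; the separator character and the knowledge of how many words there are contribute almost nothing either way.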