Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On Sat, Sep 23, 2023 at 11:05 AM Dale wrote: > > I'm not to clear on this but it looks like it is using 'aes-xts-plain64' > to me. If so, is that good enough? Is there better? You are using the defaults, which is what you should be using, as they're very secure. As far as I'm aware there is no known attack on AES that is faster than a brute force attack, and a brute-force attack on AES itself is not practical. I think it is unlikely that anybody knows of an attack on the cipher, but of course that cannot be ruled out. Current estimates of the time required to brute-force AES are in the billions of years. If somebody wanted to decrypt the drive without your knowledge, the only practical attacks would be to evesdrop on you somehow to capture your passphrase, or to brute force your passphrase. LUKS is designed to make a brute-force attack on a passphrase impractical as long as it is reasonably long. On typical hardware it should take a full second or two to make one decryption attempt on the passphrase - obviously an attacker could have more sophisticated hardware available but to even be able to attempt tens of thousands of guesses per second would require a very large expense, and your passphrase should be long enough to make that search very long. The most likely attack would be evesdropping. Stopping that requires good physical security, and also keeping any malware out of your bootloader. Unfortunately, the latter is generally not something linux distros do much to prevent. Corporate laptops running windows are typically set up to protect against this using a TPM and secure boot. I'm not sure if any linux distros support a fully signed boot processes up to disk decryption - doing that on Gentoo would be tricky since the OS is being modified so often. A release-based distro could do it a bit more easily - just stick the essential bits in a squashfs and sign everything up to that point, and use secure boot. Then of course if an attacker didn't mind you knowing about their intrusion, they could use the rubber hose method. The only way to defeat that sort of thing is to have some trusted external agent involved in the process who could revoke your own access to your device (think TPM and remote attestation to secure the boot chain plus online authentication required for the device to obtain the session key - though at that point you'd probably also just run a thin client and keep the bulk of the data someplace more secure). -- Rich
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Den 23.09.2023 15:42, skrev Dale: Wols Lists wrote: On 19/09/2023 10:13, Dale wrote: That's a interesting way to come up with passwords tho. I've seen that is a few whodunit type shows. Way back in the old days, they had some interesting ways of coding messages. Passwords are sort of similar. Back when we were busy conquering India ... The story goes of a General trying to send a message back of his latest conquest, but he didn't want to use codes because he had a suspicion the Indians could read them if his messenger was captured. It appears the story is apocryphal, but the message he sent read "peccavi". https://www.ft.com/content/49036e66-ac48-11e8-94bd-cba20d67390c Cheers, Wol It seems that requires a subscription. Oh well. Try https://www.euronews.com/culture/2023/02/17/culture-re-view-peccavi-a-misattributed-quote-and-the-british-raj Probably ripped off from FT, but I was curious :-) .
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Wol wrote: > On 23/09/2023 14:35, Dale wrote: >> Another question. Are people trying to work on better encryption >> given current encryption can be cracked? I read some things changed >> after Snowden. I'm just not sure what and if more changes are needed >> even today. > >> If you wanted the most secure and hard to crack encryption, what >> would you use? How does one tell cryptsetup to use it? I have >> several encryption options here but no idea what is the best or even >> just good. > > If you want encryption that can't be cracked, go for RSA. It's > uncrackable. > > Now you might be wondering why I say that, given that is a simple, > well-known attack, but it's true. You can trick me into encoding as > much plain text as you like, where you can intercept the cipher text, > and you will not be able to crack the cipher itself. What you need to > do is get hold of ONE of my key-pairs. The public one of course is > usually freely available, and if you get hold of the private one it's > game over. > > You can then mathematically solve "the puzzle of the keys" from my > public pair and recover the private key. This is why RSA keys keep > getting bigger - it takes more and more brute force to solve. > > I don't know enough about ECC - do you crack it or solve it? > > Both these ciphers however have a massive weakness - make a mistake > setting them up and the solution becomes easy. RSA relies on > multiplying two huge primes together. Dunno what ECC relies on. If one > of your RSA primes is not, in fact, prime then factoring the huge > product becomes easy, and recovering all the keys built from it is > simple. > > ECC specifies various parameters, and the official standard ECC > parameters were discovered to contain a flaw. Was that an intentional > back door? It's thought it was an accident. > > But I think cryptographers have abandoned crackable ciphers now - if > it's crackable then it's easily crackable. And all other ciphers > simply rely on the asymmetric effort taken to create a key or solve a > key. > > Cheers, > Wol > > When I run cryptsetup to encrypt my drives, I have no idea what it is using. I assumed the defaults would be the most secure. This is the luksDump info, some may be changed or snipped, not sure if it is something I should make public. ;-) root@fireball / # cryptsetup luksDump /dev/sdo1 LUKS header information Version: 2 Epoch: 3 Metadata area: 16384 [bytes] Keyslots area: 1678 [bytes] UUID: 967257e5-ccc8-48ab-8f46-c6b05dc3bf37 Label: (no label) Subsystem: (no subsystem) Flags: (no flags) Data segments: 0: crypt offset: 16777216 [bytes] length: (whole device) cipher: aes-xts-plain64 sector: 4096 [bytes] SNIP Digests: 0: pbkdf2 Hash: sha256 Iterations: 83062 Salt: 20 d5 f5 3b 51 43 31 29 8a b0 31 dc ad 56 0c 15 50 18 aa f8 df a0 4e 9e 8e e1 b2 bb f1 04 67 01 Digest: 96 18 90 9e 89 7a 16 71 72 d0 97 ec 84 e1 b5 38 fc cb ea 97 93 29 19 4c 83 a6 fb 4e e9 ba 79 7b root@fireball / # I'm not to clear on this but it looks like it is using 'aes-xts-plain64' to me. If so, is that good enough? Is there better? While I'm mostly worried about someone maybe stealing my rig, I also don't want someone with some skills getting in there either. Some crooks may know someone. ;-) Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On 23/09/2023 14:35, Dale wrote: Another question. Are people trying to work on better encryption given current encryption can be cracked? I read some things changed after Snowden. I'm just not sure what and if more changes are needed even today. If you wanted the most secure and hard to crack encryption, what would you use? How does one tell cryptsetup to use it? I have several encryption options here but no idea what is the best or even just good. If you want encryption that can't be cracked, go for RSA. It's uncrackable. Now you might be wondering why I say that, given that is a simple, well-known attack, but it's true. You can trick me into encoding as much plain text as you like, where you can intercept the cipher text, and you will not be able to crack the cipher itself. What you need to do is get hold of ONE of my key-pairs. The public one of course is usually freely available, and if you get hold of the private one it's game over. You can then mathematically solve "the puzzle of the keys" from my public pair and recover the private key. This is why RSA keys keep getting bigger - it takes more and more brute force to solve. I don't know enough about ECC - do you crack it or solve it? Both these ciphers however have a massive weakness - make a mistake setting them up and the solution becomes easy. RSA relies on multiplying two huge primes together. Dunno what ECC relies on. If one of your RSA primes is not, in fact, prime then factoring the huge product becomes easy, and recovering all the keys built from it is simple. ECC specifies various parameters, and the official standard ECC parameters were discovered to contain a flaw. Was that an intentional back door? It's thought it was an accident. But I think cryptographers have abandoned crackable ciphers now - if it's crackable then it's easily crackable. And all other ciphers simply rely on the asymmetric effort taken to create a key or solve a key. Cheers, Wol
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Wols Lists wrote: > On 19/09/2023 10:13, Dale wrote: >> That's a interesting way to come up with passwords tho. I've seen that >> is a few whodunit type shows. Way back in the old days, they had some >> interesting ways of coding messages. Passwords are sort of similar. > > Back when we were busy conquering India ... > > The story goes of a General trying to send a message back of his > latest conquest, but he didn't want to use codes because he had a > suspicion the Indians could read them if his messenger was captured. > > It appears the story is apocryphal, but the message he sent read > "peccavi". > > https://www.ft.com/content/49036e66-ac48-11e8-94bd-cba20d67390c > > Cheers, > Wol > > It seems that requires a subscription. Oh well. Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Wols Lists wrote: > On 20/09/2023 19:05, Frank Steinmetzger wrote: >>> In principle, a repeated space character in your passphrase could help >>> reduce the computational burden of an offline brute force attack, by >>> e.g. >>> helping an attacker to identify the number of individual words in a >>> passphrase. > >> Due to the rotation, the Enigma encoded each subsequent letter >> differently, >> even if the same one repeated, which was (one of) the big strengths >> of the >> Enigma cipher. The flaws were elsewhere, for example that a character >> could >> never be encrypted onto itself due to the internal wiring and certain >> message parts were always the same, like message headers and greetings. > > And, as always, one of the biggest weaknesses was the operator. > > Enigma had three (or in later versions four) rotors. The code book > specified the INITIAL "settings of the day" for those rotors. What was > *supposed* to happen was the operator was supposed to select a random > three/four character string, transmit that string twice, then reset > the rotors to that string before carrying on. So literally no two > messages were supposed to have the same settings beyond the first six > characters. > > Except that a lot of operators re-used the same characters time and > time again. So if you got a message from an operator you recognised, > you might well know his "seventh character reset". That saved a lot of > grief trying to crack which of the several rotors were "the rotors of > the day". > > And given that, for a large chunk of the war, the radio operators were > "chatty", you generally got a lot of six-character strings for which > you had a damn good idea what the plain text was. > > So even where some of the operators were seriously crypto-aware and > careful, once you'd cracked the rotors and initial settings from the > careless, you could read every message sent by everyone (using those > settings) that day. > > Along with other things like RDF giving subs positions away (although > I'm not quite sure how much we had good RDF and how much it was a > cover for us reading their location in status reports), it certainly > helped us loads hunting them down. > > Cheers, > Wol > > Another question. Are people trying to work on better encryption given current encryption can be cracked? I read some things changed after Snowden. I'm just not sure what and if more changes are needed even today. If you wanted the most secure and hard to crack encryption, what would you use? How does one tell cryptsetup to use it? I have several encryption options here but no idea what is the best or even just good. I'm making pepper sauce today. I hope this typing is OK. The air has a spicy warmth to it. o_O Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On 19/09/2023 10:13, Dale wrote: That's a interesting way to come up with passwords tho. I've seen that is a few whodunit type shows. Way back in the old days, they had some interesting ways of coding messages. Passwords are sort of similar. Back when we were busy conquering India ... The story goes of a General trying to send a message back of his latest conquest, but he didn't want to use codes because he had a suspicion the Indians could read them if his messenger was captured. It appears the story is apocryphal, but the message he sent read "peccavi". https://www.ft.com/content/49036e66-ac48-11e8-94bd-cba20d67390c Cheers, Wol
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On 20/09/2023 19:05, Frank Steinmetzger wrote: In principle, a repeated space character in your passphrase could help reduce the computational burden of an offline brute force attack, by e.g. helping an attacker to identify the number of individual words in a passphrase. Due to the rotation, the Enigma encoded each subsequent letter differently, even if the same one repeated, which was (one of) the big strengths of the Enigma cipher. The flaws were elsewhere, for example that a character could never be encrypted onto itself due to the internal wiring and certain message parts were always the same, like message headers and greetings. And, as always, one of the biggest weaknesses was the operator. Enigma had three (or in later versions four) rotors. The code book specified the INITIAL "settings of the day" for those rotors. What was *supposed* to happen was the operator was supposed to select a random three/four character string, transmit that string twice, then reset the rotors to that string before carrying on. So literally no two messages were supposed to have the same settings beyond the first six characters. Except that a lot of operators re-used the same characters time and time again. So if you got a message from an operator you recognised, you might well know his "seventh character reset". That saved a lot of grief trying to crack which of the several rotors were "the rotors of the day". And given that, for a large chunk of the war, the radio operators were "chatty", you generally got a lot of six-character strings for which you had a damn good idea what the plain text was. So even where some of the operators were seriously crypto-aware and careful, once you'd cracked the rotors and initial settings from the careless, you could read every message sent by everyone (using those settings) that day. Along with other things like RDF giving subs positions away (although I'm not quite sure how much we had good RDF and how much it was a cover for us reading their location in status reports), it certainly helped us loads hunting them down. Cheers, Wol
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On 19/09/2023 10:10, Jude DaShiell wrote: Once the set spots got figured five dice got used for letters add the total and subtract 4 for the particular letter. Which actually isn't random. It's a bell curve peaking probably between J and M. Think, if you throw 2 dice, there are 36 possible combinations. Only one of them generates 2, only one generates 12, but 6 combinations can generate 7. Cheers, Wol
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Am Wed, Sep 20, 2023 at 01:28:09PM +0100 schrieb Michael: > > I have a question tho. Can a person use a password/pass phrase that is > > like this: 'This is a stupid pass phrase.' Does it accept that even > > with spaces? I know file names can have spaces for a long while now but > > way back, you couldn't do that easily. One had to use dashes or > > underscores. Sure, why not? It’s a string like any other. No spaces in filenames where a restriction of (now outdated) file systems. And I guess developers didn’t account for them back in those days (and later out of habit). When I used DOS, of course I adhered to the 8.3 rule. But ever since I started using Windows, XP at the latest (2001), I wholly started using spaces everywhere and never looked back. The programs that had problems with spaces were few and script authors should just adhere to best practices and put filename variables in quotes, so they can work with spaces. The only nuissance they pose for me is it may make tab completion cumbersome sometimes. PS.: I find underscores ugly. :D > Generally speaking space characters are a poor choice for randomness. I > recall seeing some documentary about the Enigma machine used by the German > military during the 2nd WW. To minimise attempts to brute force the > ciphertext, they started by identifying which letter(s) were most frequently > used in the German language - e.g. the letter "e", then the second most > frequent letter and so on. This statistical analysis approach in combination > with likely message content reduced the number of guesses. Here you speak of the payload, not the passphrase, which is the encyption key. The key was rotated after each character and the initial key setting (the tumbler position) was distributed in secret code books. > In principle, a repeated space character in your passphrase could help > reduce the computational burden of an offline brute force attack, by e.g. > helping an attacker to identify the number of individual words in a > passphrase. Due to the rotation, the Enigma encoded each subsequent letter differently, even if the same one repeated, which was (one of) the big strengths of the Enigma cipher. The flaws were elsewhere, for example that a character could never be encrypted onto itself due to the internal wiring and certain message parts were always the same, like message headers and greetings. For LUKS, having spaces in your passphrase (or their frequency) has no influence on the ciphertext, since the passphrase itself is not used for encryption. The passphrase only unlocks the actual key, which is then used for encryption. It comes down to whether the passphrase can easily be guessed by dictionary attacks. So if you write normal sentences with correctly written words, they might be easy to crack. I don’t expect it makes a big difference to the brute force software whether you use spaces or not. -- Grüße | Greetings | Salut | Qapla’ Please do not share anything from, with or about me on any social network. Suicide is the most honest form of self-criticism. signature.asc Description: PGP signature
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Another possibility is to write down encrypted passwords and don't disclose encryption technique. The rot13 is worthless. -- Jude "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." Ed Howdershelt 1940. On Wed, 20 Sep 2023, Hoël Bézier wrote: > Am Tue, Sep 19, 2023 at 12:36:13AM -0500 schrieb Dale: > >In the real world tho, how do people reading this make passwords that no > >one could ever guess? I use Bitwarden to handle website passwords and > >it does a good job. I make up my own tho when encrypting drives. I'm > >not sure I can really use Bitwarden for that given it is a command line > >thing, well, in a script in my case. I doubt anyone would ever guess > >any of my passwords but how do people reading this do theirs? Just how > >far do you really go to make it secure? Obviously you shouldn't give up > >much detail but just some general ideas. Maybe even a example or two of > >a fake password, just something that you would come up with and how. > > For storing passwords, I use app-admin/pass. > > For choosing passphrases, I write sentences. I know having space character at > a predictable frequence in the passphrase makes it easier to find out, but > using phrases makes it easier to come up with very long passphrases (which, I > believe, balances the space thing, though I’m no crypto expert), which are > also easy to remember. > > Hoël > >
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On 9/20/23 12:18, Hoël Bézier wrote: Am Tue, Sep 19, 2023 at 12:36:13AM -0500 schrieb Dale: In the real world tho, how do people reading this make passwords that no one could ever guess? I use Bitwarden to handle website passwords and it does a good job. I make up my own tho when encrypting drives. I'm not sure I can really use Bitwarden for that given it is a command line thing, well, in a script in my case. I doubt anyone would ever guess any of my passwords but how do people reading this do theirs? Just how far do you really go to make it secure? Obviously you shouldn't give up much detail but just some general ideas. Maybe even a example or two of a fake password, just something that you would come up with and how. For storing passwords, I use app-admin/pass. For choosing passphrases, I write sentences. I know having space character at a predictable frequence in the passphrase makes it easier to find out, but using phrases makes it easier to come up with very long passphrases (which, I believe, balances the space thing, though I’m no crypto expert), which are also easy to remember. I don't think anyone has yet mentioned using the first (or last or second) letter of each word in the first (or last) sentence of a favorite book or poem or song, possibly modifying with some upper case and sprinkling in digits and special characters.
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Am Tue, Sep 19, 2023 at 12:36:13AM -0500 schrieb Dale: In the real world tho, how do people reading this make passwords that no one could ever guess? I use Bitwarden to handle website passwords and it does a good job. I make up my own tho when encrypting drives. I'm not sure I can really use Bitwarden for that given it is a command line thing, well, in a script in my case. I doubt anyone would ever guess any of my passwords but how do people reading this do theirs? Just how far do you really go to make it secure? Obviously you shouldn't give up much detail but just some general ideas. Maybe even a example or two of a fake password, just something that you would come up with and how. For storing passwords, I use app-admin/pass. For choosing passphrases, I write sentences. I know having space character at a predictable frequence in the passphrase makes it easier to find out, but using phrases makes it easier to come up with very long passphrases (which, I believe, balances the space thing, though I’m no crypto expert), which are also easy to remember. Hoël signature.asc Description: PGP signature
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On Wednesday, 20 September 2023 05:19:18 BST Dale wrote: > Michael wrote: > > On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > >> Heck, a link to some good info on that would be good. :-) > > > > https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md > > > > https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-forma > > t.pdf > > > > https://wiki.archlinux.org/title/Data-at-rest_encryption > > Oops. Should have sent this in other message. > > Interesting links. Some of the info I'm clueless. I don't know some of > the terms and what they mean. Some of it I get tho. Basically, despite > people wanting to encrypt to protect data, some powerful entities can > still crack it no matter how good the password or phrase is. It seems > encryption done 'on the fly' I think is the phrase they use is just very > hard to do without some serious CPU power or other tools. Am I getting it? Security can be compromised because people use easy to guess passwords, or by using side-channel attack methods. As Snowden mentioned, if you rely on a low entropy device, e.g. a mobile phone, on which the base frequency can also be compromised, then that could be the weakest link for an attack. Not to mention keyloggers and various MITM attacks, which on phones at least are rumoured to be the way to compromise a device. Cracking algos and ciphers is computationally more expensive, performed offline and probably the last resort. That said, if you assume state actors are at least 10 years ahead of you in terms of technological solutions and resources, you'd be at the right ballpark. > I have a question tho. Can a person use a password/pass phrase that is > like this: 'This is a stupid pass phrase.' Does it accept that even > with spaces? I know file names can have spaces for a long while now but > way back, you couldn't do that easily. One had to use dashes or > underscores. Uses spaces could open a few options. Generally speaking space characters are a poor choice for randomness. I recall seeing some documentary about the Enigma machine used by the German military during the 2nd WW. To minimise attempts to brute force the ciphertext, they started by identifying which letter(s) were most frequently used in the German language - e.g. the letter "e", then the second most frequent letter and so on. This statistical analysis approach in combination with likely message content reduced the number of guesses. In principle, a repeated space character in your passphrase could help reduce the computational burden of an offline brute force attack, by e.g. helping an attacker to identify the number of individual words in a passphrase. All these passphrases and whatever other private info you pasted into different websites could also be harvested and used to determine some statistical pattern in your selected passphrases. However, different ciphers and stronger keys guard against easy cracking by brute force. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Am 20.09.23 um 04:41 schrieb Dale: It is interesting what people can come up with. Thing is, if one uses a true random generated password, they are hard to crack but also hard to remember. I try to come up with something that will be hard to crack but easy for me to remember. If someone has a child one can always frame the first language test and put it at the wall in the office together with some family photos. Those spelling errors might not be random but for all practical use they are not predictable. One can always look it up. Just remember the line of the password. This is hidden in plain sight.
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Michael wrote: > On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > >> Heck, a link to some good info on that would be good. :-) > https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md > > https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-format.pdf > > https://wiki.archlinux.org/title/Data-at-rest_encryption Oops. Should have sent this in other message. Interesting links. Some of the info I'm clueless. I don't know some of the terms and what they mean. Some of it I get tho. Basically, despite people wanting to encrypt to protect data, some powerful entities can still crack it no matter how good the password or phrase is. It seems encryption done 'on the fly' I think is the phrase they use is just very hard to do without some serious CPU power or other tools. Am I getting it? I have a question tho. Can a person use a password/pass phrase that is like this: 'This is a stupid pass phrase.' Does it accept that even with spaces? I know file names can have spaces for a long while now but way back, you couldn't do that easily. One had to use dashes or underscores. Uses spaces could open a few options. Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Michael wrote: > On Tuesday, 19 September 2023 12:13:40 BST Dale wrote: >> H, >> >> For some reason, I didn't get Michael's email. I see him being quoted >> but don't have his original. I wonder what is up with that. O-o > Assuming you will receive this message, have a look here: > > https://marc.info/?l=gentoo-user=169511184714476=2 > > >> Rich Freeman wrote: >>> On Tue, Sep 19, 2023 at 4:26 AM Michael wrote: On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > Howdy, A strong password, like a strong door lock, buys you time. Hence the general recommendation to change your passwords frequently. >>> While that can help on websites, it is of no use for full disk >>> encryption passwords - at least not without jumping through some big >>> hoops. >>> >>> In order to crack your LUKS password somebody obviously needs to be >>> able to read the encrypted contents of your disk. They cannot begin >>> cracking it until they have a copy of the LUKS headers. However, once >>> they do have it, they can make a copy and crack it at their leisure. >>> If they manage to crack it, then it will give them the volume key. At >>> that point if they were able to make a full copy of your disk they can >>> read whatever was on it at the time. If they can make a fresh copy of >>> your disk then changing the passphrase will not change the volume key, >>> and so they'll be able to read what is currently on your disk. >>> >>> Changing the volume key would defeat this, but requires running >>> cryptsetup-reencrypt which will take considerable time/CPU, though it >>> sounds like it can be done online. >> Let's jump into a hypothetical here. Let's say I'm a nasty terrorist or >> some other really evil dude. Let's say I have passwords are that really >> good. Let's say around 20 characters and a really nice mix of >> characters. If some gov't agency got my hard drive, how long would it >> take for them to crack it? > A couple of minutes? > > https://xkcd.com/538/ > > :-) I did get this one. I also got the other message, I think at the same time. It sure did arrive late tho. I have mine set up to view as threads. This thread looked odd until it got the previous message. Must have got hung up somewhere. Maybe a server somewhere had to reboot and it took a while. ROFL I like the cartoon. In some countries, that would likely be a first option. :/ Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Jude DaShiell wrote: > I generate random passwords using dice. First and last characters in > passwords are letters that's arbitrary buys more time. Those should have > lengths over 13 and before the agency I used to work for went to > smartcards and 256 character random passwords their last standard was 16 > characters with minimum two symbols minimum two numbers minimum two > upper-case and minimum two lower-case. No dictionary words or keyboard > walking allowed. Firewall piercing with laptops got used regularly by > state actors and there is a firewall-piercing-howto file on the internet > for anyone interested. > The remaining characters first got their sets chosen. A 1 on dice picked > a number for that spot and a 6 picked a symbol. Two or 3 picked an > upper-case and 4 or 5 picked a lower-case. Once the set spots got figured > five dice got used for letters add the total and subtract 4 for the > particular letter. three dice got used for symbols with a single dice > roll of either odd for first 16 symbols or even single dice roll for > second 16 symbols. Your choice as to put which 16 symbols in the even and > odd sets those could be randomized. Numbers used two dice with 2 > subtracted from total and a 2 rolled with the dice returned a 0. Slow and > necessary to write worksheet down as dice rolling proceeded and password > needed writing down on completion. Since I do most of my writing in > braille I have a good encryption system I can encrypt further by using the > old English braille instead of the American braille. American braille has > dot arrangement 123 down left side of cell for reading and 4 5 6 down > right side of cell for reading. English braille has 1 3 5 down the left > side and 2 4 6 down the right side of the cell for reading. Those are dot > number arrangements. Braille readers on this list I expect maybe only one > other will understand what I just wrote. > > > -- Jude "There are four boxes to be used in > defense of liberty: soap, ballot, jury, and ammo. Please use in that > order." Ed Howdershelt 1940. It is interesting what people can come up with. Thing is, if one uses a true random generated password, they are hard to crack but also hard to remember. I try to come up with something that will be hard to crack but easy for me to remember. Thing is, I do have a few passwords to keep up with. I recently changed my root password. I plan to change my user password soon. Then I have the password for Bitwarden. Then I have the password for the NAS, three external hard drives with different passwords for each etc. That's a lot to remember. To be honest, it's getting to be a bit much. Associating one password to one item is also difficult. Unless one leaves clues. Thing is, those clues reveal things as well. For websites, I really like Bitwarden. I remember one password and it can generate passwords for all the websites I use. The passwords it generates are pretty random. For sites that don't allow symbols, I can turn that off. The big point, I only remember one password. Thing is, on one hand I need help remembering all these passwords. On the other hand, that is a risk itself. This reminds me of a tennis ball. It just goes back and forth. Dale :-) :-) > On Tue, 19 Sep 2023, Michael wrote: > >> On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: >>> Howdy, >>> >>> As some know, I encrypt a lot of stuff here. I use passwords that I can >>> recall but no one could ever guess. I don't use things that someone may >>> figure out like pet's name or anything like that. I use a couple sites >>> to see just how good my passwords are. I try to get into the millions >>> of years at least. I have a couple that it claims is in the trillions >>> of years to crack. I've read some things not to use like pet names and >>> such. I've also read that one should use upper and lower case letters, >>> symbols and such and I do that, especially on my stuff I never want to >>> be cracked. Some stuff, when I'm dead, it's gone. >> As/when quantum computers development progresses, many/some passwords and >> hashes will be cracked/brute forced (RSA encryption springs to mind). It is >> best if you can think of any password as keeping your door and windows >> locked. >> They will stop most opportunistic attempts, but not anyone who is determined >> to break in. It is unlikely your passwords will stop state actors. A strong >> password, like a strong door lock, buys you time. Hence the general >> recommendation to change your passwords frequently. >> >> >>> In the real world tho, how do people reading this make passwords that no >>> one could ever guess? >> You can use gpg, or openssl, or app-admin/apg, or app-admin/pwgen, to >> generate >> random enough strings to use as passwords. They will be difficult to guess, >> but will be VERY difficult to remember. You'll have to store them offline >> and/or protect them in turn with some master passphrase
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Am 19.09.23 um 13:47 schrieb Michael: A couple of minutes? https://xkcd.com/538/ Most crypto nerds have a wrench at home. The gov. can even save those 5$. :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On Tuesday, 19 September 2023 12:13:40 BST Dale wrote: > H, > > For some reason, I didn't get Michael's email. I see him being quoted > but don't have his original. I wonder what is up with that. O-o Assuming you will receive this message, have a look here: https://marc.info/?l=gentoo-user=169511184714476=2 > Rich Freeman wrote: > > On Tue, Sep 19, 2023 at 4:26 AM Michael wrote: > >> On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > >>> Howdy, > >> > >> A strong > >> password, like a strong door lock, buys you time. Hence the general > >> recommendation to change your passwords frequently. > > > > While that can help on websites, it is of no use for full disk > > encryption passwords - at least not without jumping through some big > > hoops. > > > > In order to crack your LUKS password somebody obviously needs to be > > able to read the encrypted contents of your disk. They cannot begin > > cracking it until they have a copy of the LUKS headers. However, once > > they do have it, they can make a copy and crack it at their leisure. > > If they manage to crack it, then it will give them the volume key. At > > that point if they were able to make a full copy of your disk they can > > read whatever was on it at the time. If they can make a fresh copy of > > your disk then changing the passphrase will not change the volume key, > > and so they'll be able to read what is currently on your disk. > > > > Changing the volume key would defeat this, but requires running > > cryptsetup-reencrypt which will take considerable time/CPU, though it > > sounds like it can be done online. > > Let's jump into a hypothetical here. Let's say I'm a nasty terrorist or > some other really evil dude. Let's say I have passwords are that really > good. Let's say around 20 characters and a really nice mix of > characters. If some gov't agency got my hard drive, how long would it > take for them to crack it? A couple of minutes? https://xkcd.com/538/ :-) signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Jude DaShiell wrote: > another possibility is use of a dictionary. Find a word in dictionary > note page column and line. Divide pages in dictionary by 2 and either add > or subtract that number of pages to or from page word is found on then on > the new page find the column and line for your actual password. Of > course, you write the first word you looked up down as your password and > not the second word you just found you use for your real password. > > > -- Jude "There are four boxes to be used in > defense of liberty: soap, ballot, jury, and ammo. Please use in that > order." Ed Howdershelt 1940. > > I think I've seen that used for messages ages ago. It's a way of sending info that without knowing how to decode it and the same version of dictionary, you have no idea what it says. Just don't lose the book you use. The responses I'm getting sure are interesting. Some I've seen but never thought of using myself. After all, it was a TV show, sometimes a history documentary or something. Reading about it here, it makes sense. Oh, like the signature too. ;-) Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
H, For some reason, I didn't get Michael's email. I see him being quoted but don't have his original. I wonder what is up with that. O-o Rich Freeman wrote: > On Tue, Sep 19, 2023 at 4:26 AM Michael wrote: >> On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: >>> Howdy, >>> >> A strong >> password, like a strong door lock, buys you time. Hence the general >> recommendation to change your passwords frequently. > While that can help on websites, it is of no use for full disk > encryption passwords - at least not without jumping through some big > hoops. > > In order to crack your LUKS password somebody obviously needs to be > able to read the encrypted contents of your disk. They cannot begin > cracking it until they have a copy of the LUKS headers. However, once > they do have it, they can make a copy and crack it at their leisure. > If they manage to crack it, then it will give them the volume key. At > that point if they were able to make a full copy of your disk they can > read whatever was on it at the time. If they can make a fresh copy of > your disk then changing the passphrase will not change the volume key, > and so they'll be able to read what is currently on your disk. > > Changing the volume key would defeat this, but requires running > cryptsetup-reencrypt which will take considerable time/CPU, though it > sounds like it can be done online. > Let's jump into a hypothetical here. Let's say I'm a nasty terrorist or some other really evil dude. Let's say I have passwords are that really good. Let's say around 20 characters and a really nice mix of characters. If some gov't agency got my hard drive, how long would it take for them to crack it? I know when Snowden released all that info, there was some changes to encryption. Still, do they have the ability to crack them without much trouble? Is there something better to use than what I'm using now? I might add, when I configured my three drive setup, I sort of did it a different way. I still used cryptsetup but I used it later in the process. I also made sure to put the luks bit in. That way I can change passwords if needed. I found a new howto and it seems to end the same way but it's done in layers. Luks first and then encryption but different somehow. Mostly, I can change passwords on it. I don't really get the whole thing, yet. If I read it enough, my light bulb will come on. o_O > >>> Also, I use cryptsetup luksFormat -s 512 ... to encrypt things. Is >>> that 512 a good number? Can it be something different? I'd think since >>> it is needed as a option, it can have different values and encrypt >>> stronger or weaker. Is that the case? I've tried to find out but it >>> seems everyone uses 512. If that is the only value, why make it a >>> option? I figure it can have other values but how does that work? > You can use a different size, but 512b is the recommended value for > the default cipher. It is also the default I believe, so there isn't > much point in passing it. Actually, I'd consider passing that > parameter harmful unless you also specify the cipher. If in the > future the default changes to some other cipher, perhaps 512b will no > longer be appropriate, and you'll weaken it by specifying one and not > the other. > > If you just want to trust the defaults, then trust the defaults. > > As to why 512b is the recommendation, that seems like it would require > a LOT more reading. Apparently it is in an IEEE standard and I'd need > to grok a lot more crypto to appreciate it. > Well, I was wondering if it could be set to 1024 and it make the encryption stronger or something. I've searched but no one explains what that number really does other than set something. Since that is the default, I guess I can leave that out of my command. Save me some typing. Anyway, 512 it is. Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On Tue, Sep 19, 2023 at 4:26 AM Michael wrote: > > On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > > Howdy, > > > A strong > password, like a strong door lock, buys you time. Hence the general > recommendation to change your passwords frequently. While that can help on websites, it is of no use for full disk encryption passwords - at least not without jumping through some big hoops. In order to crack your LUKS password somebody obviously needs to be able to read the encrypted contents of your disk. They cannot begin cracking it until they have a copy of the LUKS headers. However, once they do have it, they can make a copy and crack it at their leisure. If they manage to crack it, then it will give them the volume key. At that point if they were able to make a full copy of your disk they can read whatever was on it at the time. If they can make a fresh copy of your disk then changing the passphrase will not change the volume key, and so they'll be able to read what is currently on your disk. Changing the volume key would defeat this, but requires running cryptsetup-reencrypt which will take considerable time/CPU, though it sounds like it can be done online. > > In the real world tho, how do people reading this make passwords that no > > one could ever guess? You didn't ask this question, but I'll just note that most organizations don't use human-readable passwords to implement full disk encryption. The most commonly used solution is to use a TPM to measure the boot process and secure the disk encryption keys. If the system is booted normally, the bootloader can read the encryption keys from the TPM and can decrypt the disk without any user interaction (or even awareness it is happening). If the system is booted from alternative media, or the on-disk bootloader is tampered with, or even if the firmware is tampered with, then the TPM measurements will not agree with those used to store the key, and the TPM will not allow the keys to be read. This is how solutions like Bitlocker work. The components for this exist in the Linux world, but I'm not aware of any distro/etc actually implementing this with a pretty front-end, and there are obviously details that need to be carefully handled so that a bootloader or firmware update doesn't render your disk unreadable. Typically software implementations have ways to store "recovery keys" for these situations (just another copy of the disk key stored outside the TPM). > You can use gpg, or openssl, or app-admin/apg, or app-admin/pwgen, to generate > random enough strings to use as passwords. You might want to also consider app-admin/xkcdpass > > Also, I use cryptsetup luksFormat -s 512 ... to encrypt things. Is > > that 512 a good number? Can it be something different? I'd think since > > it is needed as a option, it can have different values and encrypt > > stronger or weaker. Is that the case? I've tried to find out but it > > seems everyone uses 512. If that is the only value, why make it a > > option? I figure it can have other values but how does that work? You can use a different size, but 512b is the recommended value for the default cipher. It is also the default I believe, so there isn't much point in passing it. Actually, I'd consider passing that parameter harmful unless you also specify the cipher. If in the future the default changes to some other cipher, perhaps 512b will no longer be appropriate, and you'll weaken it by specifying one and not the other. If you just want to trust the defaults, then trust the defaults. As to why 512b is the recommendation, that seems like it would require a LOT more reading. Apparently it is in an IEEE standard and I'd need to grok a lot more crypto to appreciate it. -- Rich
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
another possibility is use of a dictionary. Find a word in dictionary note page column and line. Divide pages in dictionary by 2 and either add or subtract that number of pages to or from page word is found on then on the new page find the column and line for your actual password. Of course, you write the first word you looked up down as your password and not the second word you just found you use for your real password. -- Jude "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." Ed Howdershelt 1940. On Tue, 19 Sep 2023, hitachi303 wrote: > Am 19.09.23 um 07:36 schrieb Dale: > > Maybe even a example or two of a fake password, just something that you > > would come up with and how. > > > There was this TV series Sherlock. In one episode they communicated by numbers > where each number referred to a word in a book. This was somewhat also used in > a movie with Nicolas Cage where he is treasure hunting. > > For the passwords which matter this seems to be a quit good way. As long as > nobody guesses your book you can write down your passwords and look them up if > needed. Like 239/4 which would tell you to open page 239 and use word 4. Or > 239/4/3 -> page 239 line 4 word 3. > Then you start to make it difficult so that you don't just use words. Like > start with the first letter of the word than go backwards and use every second > letter until you habe 8 letters. Mix in a number for every third position. > You can change the rule as you like. Keep it always the same and you can look > your password up every time. In German there are quit a lot of capital letters > so just take them. > You can be creative as wild. Take a poem in middle age German and take only > the first an last letter from every line. Every third number from pi. Since > there is no pattern in pi this should be safe. > > Something like that. > >
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
hitachi303 wrote: > Am 19.09.23 um 07:36 schrieb Dale: >> Maybe even a example or two of a fake password, just something that >> you would come up with and how. > > > There was this TV series Sherlock. In one episode they communicated by > numbers where each number referred to a word in a book. This was > somewhat also used in a movie with Nicolas Cage where he is treasure > hunting. > > For the passwords which matter this seems to be a quit good way. As > long as nobody guesses your book you can write down your passwords and > look them up if needed. Like 239/4 which would tell you to open page > 239 and use word 4. Or 239/4/3 -> page 239 line 4 word 3. > Then you start to make it difficult so that you don't just use words. > Like start with the first letter of the word than go backwards and use > every second letter until you habe 8 letters. Mix in a number for > every third position. > You can change the rule as you like. Keep it always the same and you > can look your password up every time. In German there are quit a lot > of capital letters so just take them. > You can be creative as wild. Take a poem in middle age German and take > only the first an last letter from every line. Every third number from > pi. Since there is no pattern in pi this should be safe. > > Something like that. > > I like the Sherlock stuff. Everything from the black and white versions, 1950's, to the TV series Elementary which is more recent. That is a idea but I currently come up with them from things I have or weird things I won't forget. Models of vehicles or some other thing I have and will have for a long time. Some are a little short but those password sites say they are good strong passwords. That's a interesting way to come up with passwords tho. I've seen that is a few whodunit type shows. Way back in the old days, they had some interesting ways of coding messages. Passwords are sort of similar. I'll have to give that some thought. It's not how I usually do it but it is interesting. Thanks. Dale :-) :-)
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
I generate random passwords using dice. First and last characters in passwords are letters that's arbitrary buys more time. Those should have lengths over 13 and before the agency I used to work for went to smartcards and 256 character random passwords their last standard was 16 characters with minimum two symbols minimum two numbers minimum two upper-case and minimum two lower-case. No dictionary words or keyboard walking allowed. Firewall piercing with laptops got used regularly by state actors and there is a firewall-piercing-howto file on the internet for anyone interested. The remaining characters first got their sets chosen. A 1 on dice picked a number for that spot and a 6 picked a symbol. Two or 3 picked an upper-case and 4 or 5 picked a lower-case. Once the set spots got figured five dice got used for letters add the total and subtract 4 for the particular letter. three dice got used for symbols with a single dice roll of either odd for first 16 symbols or even single dice roll for second 16 symbols. Your choice as to put which 16 symbols in the even and odd sets those could be randomized. Numbers used two dice with 2 subtracted from total and a 2 rolled with the dice returned a 0. Slow and necessary to write worksheet down as dice rolling proceeded and password needed writing down on completion. Since I do most of my writing in braille I have a good encryption system I can encrypt further by using the old English braille instead of the American braille. American braille has dot arrangement 123 down left side of cell for reading and 4 5 6 down right side of cell for reading. English braille has 1 3 5 down the left side and 2 4 6 down the right side of the cell for reading. Those are dot number arrangements. Braille readers on this list I expect maybe only one other will understand what I just wrote. -- Jude "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." Ed Howdershelt 1940. On Tue, 19 Sep 2023, Michael wrote: > On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > > Howdy, > > > > As some know, I encrypt a lot of stuff here. I use passwords that I can > > recall but no one could ever guess. I don't use things that someone may > > figure out like pet's name or anything like that. I use a couple sites > > to see just how good my passwords are. I try to get into the millions > > of years at least. I have a couple that it claims is in the trillions > > of years to crack. I've read some things not to use like pet names and > > such. I've also read that one should use upper and lower case letters, > > symbols and such and I do that, especially on my stuff I never want to > > be cracked. Some stuff, when I'm dead, it's gone. > > As/when quantum computers development progresses, many/some passwords and > hashes will be cracked/brute forced (RSA encryption springs to mind). It is > best if you can think of any password as keeping your door and windows locked. > They will stop most opportunistic attempts, but not anyone who is determined > to break in. It is unlikely your passwords will stop state actors. A strong > password, like a strong door lock, buys you time. Hence the general > recommendation to change your passwords frequently. > > > > In the real world tho, how do people reading this make passwords that no > > one could ever guess? > > You can use gpg, or openssl, or app-admin/apg, or app-admin/pwgen, to generate > random enough strings to use as passwords. They will be difficult to guess, > but will be VERY difficult to remember. You'll have to store them offline > and/or protect them in turn with some master passphrase you can remember. > > As an example, you could choose characters/strings from the output stored in > file.txt, when you run: > > < /dev/random tr -dc "[:space:][:print:]" | head -c500 > file.txt > > > > I use Bitwarden to handle website passwords and > > it does a good job. I make up my own tho when encrypting drives. I'm > > not sure I can really use Bitwarden for that given it is a command line > > thing, well, in a script in my case. I doubt anyone would ever guess > > any of my passwords but how do people reading this do theirs? Just how > > far do you really go to make it secure? Obviously you shouldn't give up > > much detail but just some general ideas. Maybe even a example or two of > > a fake password, just something that you would come up with and how. > > > > This is the two sites I use. > > > > > > https://www.passwordmonster.com/ > > > > https://www.security.org/how-secure-is-my-password/ > > > > > > I have a password in the first one that shows this: > > > > > > It would take a computer about 63 thousand years to crack your password > > > > > > Second one says this. > > > > It would take a computer about 5 million years to crack your password > > > > Exact same password in both. Why such a large range to crack? > > I don't know why these guys come up with
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Am 19.09.23 um 07:36 schrieb Dale: Maybe even a example or two of a fake password, just something that you would come up with and how. There was this TV series Sherlock. In one episode they communicated by numbers where each number referred to a word in a book. This was somewhat also used in a movie with Nicolas Cage where he is treasure hunting. For the passwords which matter this seems to be a quit good way. As long as nobody guesses your book you can write down your passwords and look them up if needed. Like 239/4 which would tell you to open page 239 and use word 4. Or 239/4/3 -> page 239 line 4 word 3. Then you start to make it difficult so that you don't just use words. Like start with the first letter of the word than go backwards and use every second letter until you habe 8 letters. Mix in a number for every third position. You can change the rule as you like. Keep it always the same and you can look your password up every time. In German there are quit a lot of capital letters so just take them. You can be creative as wild. Take a poem in middle age German and take only the first an last letter from every line. Every third number from pi. Since there is no pattern in pi this should be safe. Something like that.
Re: [gentoo-user] Password questions, looking for opinions. cryptsetup question too.
On Tuesday, 19 September 2023 06:36:13 BST Dale wrote: > Howdy, > > As some know, I encrypt a lot of stuff here. I use passwords that I can > recall but no one could ever guess. I don't use things that someone may > figure out like pet's name or anything like that. I use a couple sites > to see just how good my passwords are. I try to get into the millions > of years at least. I have a couple that it claims is in the trillions > of years to crack. I've read some things not to use like pet names and > such. I've also read that one should use upper and lower case letters, > symbols and such and I do that, especially on my stuff I never want to > be cracked. Some stuff, when I'm dead, it's gone. As/when quantum computers development progresses, many/some passwords and hashes will be cracked/brute forced (RSA encryption springs to mind). It is best if you can think of any password as keeping your door and windows locked. They will stop most opportunistic attempts, but not anyone who is determined to break in. It is unlikely your passwords will stop state actors. A strong password, like a strong door lock, buys you time. Hence the general recommendation to change your passwords frequently. > In the real world tho, how do people reading this make passwords that no > one could ever guess? You can use gpg, or openssl, or app-admin/apg, or app-admin/pwgen, to generate random enough strings to use as passwords. They will be difficult to guess, but will be VERY difficult to remember. You'll have to store them offline and/or protect them in turn with some master passphrase you can remember. As an example, you could choose characters/strings from the output stored in file.txt, when you run: < /dev/random tr -dc "[:space:][:print:]" | head -c500 > file.txt > I use Bitwarden to handle website passwords and > it does a good job. I make up my own tho when encrypting drives. I'm > not sure I can really use Bitwarden for that given it is a command line > thing, well, in a script in my case. I doubt anyone would ever guess > any of my passwords but how do people reading this do theirs? Just how > far do you really go to make it secure? Obviously you shouldn't give up > much detail but just some general ideas. Maybe even a example or two of > a fake password, just something that you would come up with and how. > > This is the two sites I use. > > > https://www.passwordmonster.com/ > > https://www.security.org/how-secure-is-my-password/ > > > I have a password in the first one that shows this: > > > It would take a computer about 63 thousand years to crack your password > > > Second one says this. > > It would take a computer about 5 million years to crack your password > > Exact same password in both. Why such a large range to crack? I don't know why these guys come up with different years-equivalent strength, but I tend to treat such websites as suspicious. They are more likely to act as a honeypot to *record* your passwords, than provide you with truly meaningful information. I suppose you could use them to test an example of a password you would never use thereafter, but even this could reveal some underlying pattern in how you structure your passwords. > I tend > to use the first site to create a password. Then I test it in the > second site to sort of confirm it. If both say a long time, then I got > a fairly good one depending on what I'm protecting. Still, why such a > difference? One reason I use the first site, I can make it show the > password. The second site doesn't do that so editing it to improve > things is harder since you can't see it. The first site makes that easy > and gives me a idea of whether I'm on the right track. Second site > confirms it. I did contact the second site and ask for a button to show > the password. After all, no one is here but me. My windows are covered. > > Also, I use cryptsetup luksFormat -s 512 ... to encrypt things. Is > that 512 a good number? Can it be something different? I'd think since > it is needed as a option, it can have different values and encrypt > stronger or weaker. Is that the case? I've tried to find out but it > seems everyone uses 512. If that is the only value, why make it a > option? I figure it can have other values but how does that work? The size of key options depend on the block cipher. A larger key size tends to be stronger, but its processing slower. Embedded devices without hardware accelerated crypto could struggle with larger key sizes. > Heck, a link to some good info on that would be good. :-) https://gitlab.com/cryptsetup/cryptsetup/-/blob/main/FAQ.md https://gitlab.com/cryptsetup/cryptsetup/wikis/LUKS-standard/on-disk-format.pdf https://wiki.archlinux.org/title/Data-at-rest_encryption signature.asc Description: This is a digitally signed message part.
[gentoo-user] Password questions, looking for opinions. cryptsetup question too.
Howdy, As some know, I encrypt a lot of stuff here. I use passwords that I can recall but no one could ever guess. I don't use things that someone may figure out like pet's name or anything like that. I use a couple sites to see just how good my passwords are. I try to get into the millions of years at least. I have a couple that it claims is in the trillions of years to crack. I've read some things not to use like pet names and such. I've also read that one should use upper and lower case letters, symbols and such and I do that, especially on my stuff I never want to be cracked. Some stuff, when I'm dead, it's gone. In the real world tho, how do people reading this make passwords that no one could ever guess? I use Bitwarden to handle website passwords and it does a good job. I make up my own tho when encrypting drives. I'm not sure I can really use Bitwarden for that given it is a command line thing, well, in a script in my case. I doubt anyone would ever guess any of my passwords but how do people reading this do theirs? Just how far do you really go to make it secure? Obviously you shouldn't give up much detail but just some general ideas. Maybe even a example or two of a fake password, just something that you would come up with and how. This is the two sites I use. https://www.passwordmonster.com/ https://www.security.org/how-secure-is-my-password/ I have a password in the first one that shows this: It would take a computer about 63 thousand years to crack your password Second one says this. It would take a computer about 5 million years to crack your password Exact same password in both. Why such a large range to crack? I tend to use the first site to create a password. Then I test it in the second site to sort of confirm it. If both say a long time, then I got a fairly good one depending on what I'm protecting. Still, why such a difference? One reason I use the first site, I can make it show the password. The second site doesn't do that so editing it to improve things is harder since you can't see it. The first site makes that easy and gives me a idea of whether I'm on the right track. Second site confirms it. I did contact the second site and ask for a button to show the password. After all, no one is here but me. My windows are covered. Also, I use cryptsetup luksFormat -s 512 ... to encrypt things. Is that 512 a good number? Can it be something different? I'd think since it is needed as a option, it can have different values and encrypt stronger or weaker. Is that the case? I've tried to find out but it seems everyone uses 512. If that is the only value, why make it a option? I figure it can have other values but how does that work? Heck, a link to some good info on that would be good. :-) Thoughts? Opinions? Suggestions? Dale :-) :-)
