I have forgotten a few characters in an alphanumeric password I used to secure an encrypted USB stick. Is there any way I can brute force ONLY these characters? An example of the incomplete password is below, where every space represents a forgotten character:
>o6hri9= 9F l#%{_ O
Any advice on methods and tools available within any Linux platform would be very much appreciated.
From what you are saying, I think it is going to be a question of a cracking app attempting to enter the password through the same means a human does, at least in my opinion. If the password is stored hashed (which all passwords should be, but that is another issue), then if you attempt to crack the hash, you will have to run through rainbow tables to crack it.
An example of the incomplete password is below, where every space represents a forgotten character:
>o6hri9=__9F_l#%{__O
so you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
I keep my passwords in a folder both on hard disk and USB.
But the folder will be opened using the same OS.
So I decided to put the password folder in a different OS and device - a tablet with Android, no GPS receiver and an exclusively 2G encrypted mobile network.
The pocket-sized tablet would be switched on every time I wanted to open the password folder.
Then I found out you can still buy an A5-sized paper notebook.
so you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
That's a really good idea - you would only have to go through a few sets of characters (special, number, upper, lower) for each missing position. The problem is whether the app/method the drive is encrypted with provides feedback on whether you successfully chose a given character.
so you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
Yes that's exactly right. I know the position of each character that I'm missing, and the exact length of the entire chain of random characters. I will look into how to make a shell script. Thanks for that suggestion.
From what you are saying, I think it is going to be a question of a cracking app attempting to enter the password through the same means a human does, at least in my opinion. If the password is stored hashed (which all passwords should be, but that is another issue), then if you attempt to crack the hash, you will have to run through rainbow tables to crack it.
How is the USB stick encrypted?
I encrypted it using commands in the terminal. It automatically prompts me to type in the password every time I insert the USB.
The problem is whether the app/method the drive is encrypted with provides feedback on whether you successfully chose a given character.
didn't think of that.
or how many attempts you get until you're kicked out.
in any case, brute-forcing a 4 character password (because that's what this scenario amounts to, unless I'm mistaken again) should be much easier than brute-forcing a 20 char pwd.
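The approach suggested in the posts above (vary only the forgotten positions, optionally narrowed to a character class per position), as an added example that is not code from any poster. The template, the `\x00` placeholder, the hint letters and the 1-second-per-guess figure are constructed assumptions; the thread does not say how the stick was encrypted or how long one unlock attempt takes.

```python
import itertools
import math
import string

# Character classes a forgotten position might come from (printable ASCII, no space).
CLASSES = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": string.punctuation,
}
CLASSES["a"] = "".join(CLASSES[k] for k in "luds")  # any of the 94 characters above


def parse(template, hints, placeholder="\x00"):
    """Return (pieces, charsets): the known text split at each unknown position,
    and one charset per unknown, chosen by the per-position hint letters."""
    pieces = template.split(placeholder)
    if len(pieces) - 1 != len(hints):
        raise ValueError("need exactly one hint per unknown position")
    return pieces, [CLASSES[h] for h in hints]


def keyspace(template, hints, placeholder="\x00"):
    """Number of candidates: only the unknown positions contribute."""
    _, charsets = parse(template, hints, placeholder)
    return math.prod(len(cs) for cs in charsets)


def candidates(template, hints, placeholder="\x00"):
    """Lazily yield every full-length candidate; known characters never change."""
    pieces, charsets = parse(template, hints, placeholder)
    for combo in itertools.product(*charsets):
        out = [pieces[0]]
        for ch, piece in zip(combo, pieces[1:]):
            out += [ch, piece]
        yield "".join(out)


def worst_case_days(space, seconds_per_guess):
    """Time to exhaust the space when every guess costs one unlock attempt."""
    return space * seconds_per_guess / 86400


if __name__ == "__main__":
    # Constructed 12-character template, not the poster's password.
    tmpl = "Kx7\x00pq\x00\x00Zr!\x00"
    print(keyspace(tmpl, "aaaa"), keyspace(tmpl, "dlus"))
    print(round(worst_case_days(keyspace(tmpl, "aaaa"), 1.0)), "days at an assumed 1 s per guess")
```

With no hints the four unknowns give 94^4 candidates, so the per-guess cost of the unlock step decides whether the search takes minutes or years; knowing the class of each position shrinks it by orders of magnitude.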
I have forgotten a few characters in an alphanumeric password I used to secure an encrypted USB stick. Is there any way I can brute force ONLY these characters? An example of the incomplete password is below, where every space represents a forgotten character:
>o6hri9= 9F l#%{_ O
Any advice on methods and tools available within any Linux platform would be very much appreciated.
An alphanumeric one such as yours may appear more secure (not necessarily so, as described below) but most people have difficulty remembering such combinations. The basic principle of passphrases vs passwords is greater strength through length. A random six or seven word passphrase is much easier to remember and offers solid security.
From the link:
Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)
Six words may be breakable by an organization with a very large budget, such as a large country's security agency.
Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.
Eight words should be completely secure through 2050.
Several years ago, the science comic blogger Randall Munroe, otherwise known as XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember...
Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
Whilst I agree with the general tenet of the above, predictions such as ... ... are always found to be wrong.
Quantum computers, anyone?
Good point. The author's original paper dates back to the '90s, well before quantum computing was conceived, so perhaps he just updated it without taking that into regard.
Still, I think the concept, choosing a passphrase based on a totally random event, a roll of the dice, is sound. Too many times people have been caught out by using passwords based on birthdays, past events in their lives, etc.
There are sites where you can test password strength. On one of them I entered a 40 character string of letters/numbers only, no other characters except a common punctuation mark. The result I got was that it would take quite a few duodecillion years to crack. Now that's such an astronomical number that for quantum computing to reduce that down to something humanly manageable, well, the mind boggles.
There are sites where you can test password strength.
But they can only give an estimate. I put ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz into https://howsecureismypassword.net/ and it reported "135 duovigintillion years". I don't think it's that strong a password though...
But they can only give an estimate. I put ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz into https://howsecureismypassword.net/ and it reported "135 duovigintillion years". I don't think it's that strong a password though...
I don't think it is either. The fact that such a sequence was not picked up amounts to poor programming imo. The one I used had no discernible sequence at all.
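Why a length-and-charset meter rates the alphabet string discussed above so highly, and what a sequence check changes, as an added example that is not code from the thread or from howsecureismypassword.net. The run-detection rule and the bit costs charged per run are simplified assumptions, not how any particular site scores passwords.

```python
import math
import string

POOLS = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def pool_size(password):
    """Size of the combined character pools the password draws from."""
    return sum(len(p) for p in POOLS if any(c in p for c in password)) or 1


def naive_bits(password):
    """What a length-and-charset meter reports: length * log2(pool size)."""
    return len(password) * math.log2(pool_size(password))


def runs(password, min_len=3):
    """Split into maximal runs in which each character is the previous code point
    +1 (or -1), e.g. 'abcd' or '9876'; anything shorter than min_len is emitted
    one character at a time."""
    out, i = [], 0
    while i < len(password):
        j = i + 1
        if j < len(password) and abs(ord(password[j]) - ord(password[i])) == 1:
            step = ord(password[j]) - ord(password[i])
            while j < len(password) and ord(password[j]) - ord(password[j - 1]) == step:
                j += 1
        if j - i < min_len:
            j = i + 1
        out.append(password[i:j])
        i = j
    return out


def sequence_aware_bits(password):
    """Charge a run only for its start character, its direction and its length."""
    pool = pool_size(password)
    bits = 0.0
    for run in runs(password):
        bits += math.log2(pool)                 # first character of the run
        if len(run) > 1:
            bits += 1 + math.log2(len(run))     # direction (1 bit) + run length
    return bits


if __name__ == "__main__":
    alphabet = string.ascii_uppercase + string.ascii_lowercase
    print(round(naive_bits(alphabet)), round(sequence_aware_bits(alphabet)))
```

The 52-character alphabet string scores about 296 bits by length and charset alone but about 23 bits once its two runs are recognised; a string with no runs scores the same under both functions.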