LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-19-2019, 08:28 AM   #1
Gremlin99
LQ Newbie
 
Registered: May 2019
Posts: 3

Rep: Reputation: Disabled
Brute force forgotten characters in password?


Hello,

I have forgotten a few characters in an alphanumeric password I used to secure an encrypted USB stick. Is there any way I can brute force ONLY these characters? An example of the incomplete password is below, where every space represents a forgotten character:

>o6hri9= 9F l#%{_ O

Any advice on methods and tools available within any linux platforms very much appreciated.

TIA
 
Old 05-19-2019, 09:13 AM   #2
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
From what you are saying, I think it is going to be a question of a cracking app attempting to enter the password through the same means a human does, at least in my opinion. If the password is stored hashed (which all passwords should be, but that is another issue), then if you attempt to crack the hash, you will have to run through rainbow tables to crack it.

How is the USB stick encrypted?
 
Old 05-19-2019, 09:33 AM   #3
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 12,533
Blog Entries: 9

Rep: Reputation: 3393
Quote:
Originally Posted by Gremlin99 View Post
An example of the incomplete password is below, where every space represents a forgotten character:
>o6hri9=__9F_l#%{__O

So you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
 
3 members found this post helpful.
Old 05-19-2019, 10:57 AM   #4
carlito386
Member
 
Registered: May 2019
Distribution: Debian
Posts: 75

Rep: Reputation: Disabled
I keep my passwords in a folder both on hard disk and USB.
But the folder will be opened using the same OS.

So I decided to put the password folder in a different OS and device - a tablet with Android, no GPS receiver and an exclusively 2G encrypted mobile network.
The pocket-sized tablet would be switched on every time I wanted to open the password folder.

Then I found out you can still buy an A5-sized paper notebook.
 
Old 05-19-2019, 02:13 PM   #5
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
>o6hri9=__9F_l#%{__O

So you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
That's a really good idea - you would only have to go through a few sets of characters (special, number, upper, lower) for each missing position. The problem is whether the app/method the drive is encrypted with provides feedback on whether you successfully chose a given character.
 
Old 05-19-2019, 04:37 PM   #6
Gremlin99
LQ Newbie
 
Registered: May 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ondoho View Post
>o6hri9=__9F_l#%{__O

So you know that the password is exactly 20 characters long, and you know that there are exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (I'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.
Yes that's exactly right. I know the position of each character that I'm missing, and the exact length of the entire chain of random characters. I will look into how to make a shell script. Thanks for that suggestion.
 
Old 05-19-2019, 04:52 PM   #7
Gremlin99
LQ Newbie
 
Registered: May 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sevendogsbsd View Post
From what you are saying, I think it is going to be a question of a cracking app attempting to enter the password through the same means a human does, at least in my opinion. If the password is stored hashed (which all passwords should be, but that is another issue), which means if you attempt to crack the hash, you will have to run through rainbow tables to crack it.

How is the USB stick encrypted?
I encrypted it using commands in the terminal. It automatically prompts me to type in the password every time I insert the USB.
 
Old 05-21-2019, 12:47 PM   #8
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 12,533
Blog Entries: 9

Rep: Reputation: 3393
Quote:
Originally Posted by sevendogsbsd View Post
The problem is whether the app/method the drive is encrypted with provides feedback on whether you successfully chose a given character.
Didn't think of that.
Or how many attempts you get until you're kicked out.
In any case, brute-forcing a 4-character password (because that's what this scenario amounts to, unless I'm mistaken again) should be much easier than brute-forcing a 20-character password.
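The approach from post #3, with the caveat from posts #5 and #8 about how the unlock check answers, as an added worked example (this is not code from the thread; nobody posted a script). It enumerates only the blanks of a mask and hands each candidate to a verify callback. Two assumptions are built in: post #3's rendering of the mask shows five underscores, but the OP's original line has a literal "_" right after "{" followed by a blank, so the example keeps that "_" and marks the four unknowns with "?"; and the OP never says which tool encrypted the stick, so the real oracle below assumes LUKS (the "prompts on insert" behaviour fits) and is shown beside a fast SHA-256 stand-in that the demo actually runs. The numbers the demo prints are the practical point: 62^4 alphanumeric fillers is about 14.8 million candidates, and a disk-encryption KDF is deliberately slow (on the order of a second per try), so "it shouldn't take long" only holds once the character class of each blank is pinned down.

```python
"""Brute-force only the forgotten positions of a partially remembered password."""
import hashlib
import itertools
import math
import string
import subprocess
from typing import Callable, Iterator, List, Optional, Sequence, Tuple

# Mask from post #3 with '?' marking the four forgotten characters.  The '_'
# after '{' is kept literal: the OP's original line shows it followed by a
# blank, so it is part of the password (assumption drawn from that spacing).
MASK = ">o6hri9=??9F?l#%{_?O"
BLANK = "?"

# Candidate sets.  "Alphanumeric" (the OP's description) is 62 symbols; the
# full printable-ASCII set is 94.  Narrowing these per position is the main
# lever on runtime, which matters when each attempt costs a slow KDF call.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALNUM = LOWER + UPPER + DIGITS
PRINTABLE = ALNUM + string.punctuation


def blank_positions(mask: str, blank: str = BLANK) -> List[int]:
    """Indices of the forgotten characters in the mask."""
    return [i for i, ch in enumerate(mask) if ch == blank]


def keyspace(mask: str, charsets: Sequence[str], blank: str = BLANK) -> int:
    """Number of candidates the mask expands to: product of per-slot set sizes."""
    if len(charsets) != len(blank_positions(mask, blank)):
        raise ValueError("need exactly one charset per blank position")
    return math.prod(len(c) for c in charsets)


def keyspace_bits(mask: str, charsets: Sequence[str], blank: str = BLANK) -> float:
    """Entropy left to guess, in bits, given what is already known."""
    return math.log2(keyspace(mask, charsets, blank))


def candidates(mask: str, charsets: Sequence[str], blank: str = BLANK) -> Iterator[str]:
    """Yield every full password consistent with the mask; first slot varies slowest."""
    slots = blank_positions(mask, blank)
    if len(charsets) != len(slots):
        raise ValueError("need exactly one charset per blank position")
    chars = list(mask)
    for combo in itertools.product(*charsets):
        for pos, ch in zip(slots, combo):
            chars[pos] = ch
        yield "".join(chars)


def search(mask: str, charsets: Sequence[str], verify: Callable[[str], bool],
           blank: str = BLANK) -> Tuple[Optional[str], int]:
    """Return (password, attempts) for the first candidate verify() accepts,
    or (None, attempts) once the keyspace is exhausted."""
    attempts = 0
    for pw in candidates(mask, charsets, blank):
        attempts += 1
        if verify(pw):
            return pw, attempts
    return None, attempts


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def sha256_verifier(target_hex: str) -> Callable[[str], bool]:
    """Stand-in oracle for the demo: accept iff sha256(candidate) == target.
    A real unlock check is far slower than this; see luks_verifier()."""
    return lambda pw: sha256_hex(pw) == target_hex


def luks_verifier(device: str) -> Callable[[str], bool]:
    """Oracle for a LUKS volume (assumption: the OP's stick is LUKS).
    --test-passphrase checks the passphrase without mapping the device;
    --key-file=- reads it raw from stdin, so no trailing newline is sent.
    Every call pays the full PBKDF cost (about a second), and there is no
    lockout counter: that cost is the only throttle."""
    def verify(pw: str) -> bool:
        proc = subprocess.run(
            ["cryptsetup", "open", "--test-passphrase", "--key-file=-", device],
            input=pw.encode(), capture_output=True,
        )
        return proc.returncode == 0
    return verify


if __name__ == "__main__":
    # Constructed demo secret consistent with MASK; the blanks are a, Z, q, 7.
    demo_secret = ">o6hri9=aZ9Fql#%{_7O"
    target = sha256_hex(demo_secret)

    full = keyspace(MASK, [ALNUM] * 4)
    per_try = 1.0  # seconds per attempt, typical LUKS PBKDF cost (assumption)
    print(f"alnum keyspace: {full:,} candidates ({keyspace_bits(MASK, [ALNUM] * 4):.1f} bits)")
    print(f"  at {per_try:.0f} s/try on one core: {full * per_try / 86400:.0f} days")

    # Knowing the class of each blank (post #3's "what range") cuts this to
    # 26*26*26*10 = 175,760 candidates, which is hours even against a slow KDF.
    narrowed = [LOWER, UPPER, LOWER, DIGITS]
    found, tries = search(MASK, narrowed, sha256_verifier(target))
    print(f"narrowed keyspace: {keyspace(MASK, narrowed):,}; found {found!r} after {tries} tries")
```

To run it against a real stick, swap `sha256_verifier(target)` for `luks_verifier("/dev/sdX")` (root needed) and expect roughly one candidate per second per core; the script is single-threaded, so split the charset of the first blank across processes if you need more. If the volume is LUKS1, hashcat's LUKS mode (`-m 14600`) with a mask attack runs the same enumeration on a GPU and is the practical tool at the full 62^4 keyspace.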
 
Old 07-24-2019, 11:40 PM   #9
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by Gremlin99 View Post
Hello,

I have forgotten a few characters in an alphanumeric password I used to secure an encrypted USB stick. Is there any way I can brute force ONLY these characters? An example of the incomplete password is below, where every space represents a forgotten character:

>o6hri9= 9F l#%{_ O

Any advice on methods and tools available within any linux platforms very much appreciated.

TIA
I assume you've managed to get it sorted so I'd suggest you change to an easier to remember passphrase.

An alphanumeric one such as yours may appear more secure (not necessarily so, as described below), but most people have difficulty remembering such combinations. The basic principle of passphrases vs passwords is greater strength through length. A random six- or seven-word passphrase is much easier to remember and offers solid security.

From the link:

Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)

Six words may be breakable by an organization with a very large budget, such as a large country's security agency.

Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.

Eight words should be completely secure through 2050.


Also:

Several years ago, the science comic blogger Randall Munroe, otherwise known as XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember...

Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
 
Old 07-25-2019, 01:13 AM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,146

Rep: Reputation: 2935
Whilst I agree with the general tenet of the above, predictions such as ...
Quote:
Six words may be breakable by an organization with a very large budget, such as a large country's security agency.

Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.

Eight words should be completely secure through 2050.
... are always found to be wrong.
Quantum computers, anyone?
 
Old 07-25-2019, 03:52 AM   #11
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by syg00 View Post
Whilst I agree with the general tenet of the above, predictions such as ... ... are always found to be wrong.
Quantum computers, anyone?
Good point. The author's original paper dates back to the '90s well before quantum computing was conceived so perhaps he just updated it without taking that into regard.

Still, I think the concept, choosing a passphrase based on a totally random event, a roll of the dice, is sound. Too many times people have been caught out by using passwords based on birthdays, past events in their lives, etc.

Last edited by LU344928; 07-25-2019 at 03:55 AM.
 
Old 07-26-2019, 08:30 PM   #12
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
There are sites where you can test password strength. On one of them I entered a 40 character string of letters/numbers only, no other characters except a common punctuation mark. The result I got was that it would take quite a few duodecillion years to crack. Now that's such an astronomical number that for quantum computing to reduce that down to something humanly manageable, well, the mind boggles.
 
Old 07-26-2019, 09:58 PM   #13
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,510

Rep: Reputation: 1813
Quote:
Originally Posted by LU344928 View Post
There are sites where you can test password strength.
But they can only give an estimate. I put ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz into https://howsecureismypassword.net/ and it reported "135 duovigintillion years". I don't think it's that strong a password though...
 
Old 07-28-2019, 06:39 PM   #14
LU344928
LQ Newbie
 
Registered: Jan 2019
Distribution: Fedora, MX Linux, PCLinuxOS
Posts: 24

Rep: Reputation: Disabled
Quote:
Originally Posted by ntubski View Post
But they can only give an estimate. I put ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz into https://howsecureismypassword.net/ and it reported "135 duovigintillion years". I don't think it's that strong a password though...
I don't think it is either. The fact that such a sequence was not picked up amounts to poor programming IMO. The one I used had no discernible sequence at all.
 