Hello,

I have forgotten a few characters in an alphanumeric password I used to secure an encrypted USB stick. Is there any way I can brute force ONLY these characters? An example of the incomplete password is below, where every space represents a forgotten character:

>o6hri9= 9F l#%{_ O

Any advice on methods and tools available within any linux platforms very much appreciated.

TIA

From what you are saying, I think it is going to be a question of a cracking app attempting to enter the password through the same means a human does, at least in my opinion. If the password is stored hashed (which all passwords should be, but that is another issue), which means if you attempt to crack the hash, you will have to run through rainbow tables to crack it.

How is the USB stick encrypted?

>o6hri9=__9F_l#%{__O

so youknow that the password is exactly 20 characters long, and you know that there's exactly 4 characters missing at defined positions.
Possibly you even know what range the characters are going to be from?
You could use any programming language (i'd use a shell script) to try out every possible character for these 4 positions.
It shouldn't take long.

3 members found this post helpful.

I keep my passwords in a folder both on hard disk and USB.
But the folder will be opened using the same OS.

So I decided to put the password folder in a different OS and device - a tablet with Android, no GPS receiver and an exclusively 2G encrypted mobile network.
The pocket-sized tablet would be switched on every time I wanted to open the password folder.

Then I found out you can still buy an A5-sized paper notebook.

That's a really good idea - you would only have to go through a few sets of characters (special, number, upper, lower) for each missing position. The problem is whether the app/method the drive is encrypted with provides feedback on whether you successfully chose a given character.

Yes that's exactly right. I know the position of each character that I'm missing, and the exact length of the entire chain of random characters. I will look into how to make a shell script. Thanks for that suggestion.

I encrypted it using commands in the terminal. It automatically prompts me to type in the password every time I insert the USB.

didn't think of that.
or how many attempts you get until you're kicked out.
in any case, brute-forcing a 4 character password (because that's what this scenario amounts to, unless i'm mistaken again) should be much easier than brute-forcing a 20 char pwd.

I assume you've managed to get it sorted so I'd suggest you change to an easier to remember passphrase.

An alphanumeric one such as yours may appear more secure (not necessarily so, as described below) but most people have difficulty remembering such combinations. The basic principle of passphrases vs passwords is greater strength through length. A random six or seven word passphrase is much more easier to remember and offers solid security.

From the link:

Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)

Six words may be breakable by an organization with a very large budget, such as a large country's security agency.

Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.

Eight words should be completely secure through 2050.


Also:

Several years ago, the science comic blogger Randall Munroe, otherwise known as XKCD, posted a comic comparing passwords and passphrases. The illustration attempts to demonstrate mathematically, using information theory, that passwords tend to be weaker than passphrases while also being more difficult to remember...

Munroe concludes, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”

Whilst I agree with the general tenet of the above, predictions such as ... ... are always found to be wrong.
Quantum computers anyone ?.

Good point. The author's original paper dates back to the '90s well before quantum computing was conceived so perhaps he just updated it without taking that into regard.

Still, I think the concept, choosing a passphrase based on a totally random event, a roll of the dice, is sound. Too many times people have been caught out by using passwords based on birthdays, past events in their lives, etc.

There are sites where you can test password strength. On one of them I entered a 40 character string of letters/numbers only, no other characters except a common punctuation mark. The result I got was that it would take quite a few duodecillion years to crack. Now that's such an astronomical number that for quantum computing to reduce that down to something humanly manageable, well, the mind boggles.

But they can only give an estimate. I put ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz into https://howsecureismypassword.net/ and it reported "135 duovigintillion years". I don't think it's that strong a password though...

I don't think it is either. The fact that such a sequence was not picked up amounts to poor programming imo. The one I used had no discernible sequence at all.