I want to ask if it's secure to use this ccrypt encryption for storing a .TXT file with my passwords on cloud storage like Google Drive?
I'm not an expert in encryption, and I don't feel competent enough to assess different methods and algorithms.
However, security is always a relative issue. You may assume that some organisation somewhere in the world has enough computer power to crack any encryption in a reasonable time. The question is whether cost and effect match up against each other. That being said, think about how important your data might be for someone else, and how much it would hurt you if it got disclosed.
Anyway, I would never store sensitive, personal information like passwords on a storage medium outside my own private scope. Passwords should be difficult for someone else to guess or to find out, yet logical or systematic enough for yourself to memorize. If you choose your passwords according to that motto, there's no need to store them anyway.
A good strategy is to memorize a sentence that makes sense, and use the first letters of each word as the password. For instance, I might use the sentence "My grandma died in 92 while I was in London". The password built from that sentence is Mgdi92wIwiL. Easy to remember for me, hard to guess for others. Has uppercase and lowercase letters, and digits.
And use different passwords for different services, in case one gets compromised nevertheless, maybe by your own fault, or maybe because the service provider's database gets hacked.
All of these peer-reviewed, commercial-grade crypto algorithms are "secure enough" ... if properly used ... against a brute-force attack against the password or a known-plaintext attack against the content. The key to the above sentence, however, is: "if properly used."
Classical German Enigma is still more than powerful enough to protect a simple text message for a very long time against this sort of disclosure. Yet, how did the Allies break it using electromechanical and simple computing equipment? Mostly, by exploiting human weaknesses in the keying system, and in the procedures for its use. The same thing is still true with the much-stronger ciphers of today.
Frankly, I would use publicly-available tools such as GPG, OpenSSL, and/or VPN to do all of my encryption, and I would strive to use them "properly." In other words, digital certificates protected with passwords, exchanging only digitally-signed messages with recipients who did the same ... and of course, exchanging nothing and doing nothing that, if revealed, would land me in prison for the rest of my foreshortened life. I don't think that I could ever do anything "roll-your-own" that would come close to the established security of these peer-reviewed and professionally-designed tools, which combine strong key-management with (usually, pluggable) cipher engines including among others AES256.
Last edited by sundialsvcs; 02-05-2014 at 07:36 AM.
Who is your adversary ? Who are you trying to keep these passwords from ? From your average haxxor, yeah it's secure enough if you use a strong password. From the NSA, not likely.
Personally I would never store passwords, even encrypted, on someone else's machine. However, if you use a strong password, nobody, except the three letter agencies has a real chance of breaking it.
It depends whether you are trying to outrun the bear, and it depends what threat you are up against.
If you believe that Google's (or whoever's) security is such that the file can never fall into the hands of miscreants, or that miscreants will never be sufficiently interested to expend any effort, you are basically home free. History tells us that this has been a very bad bet at various times (not with Google, necessarily, but with others in a similar position), but you could choose to be very foolish and take it.
Now, the alternative is to assume that the file does fall into a miscreant's hands. Now, really, if this or these miscreant(s) have an infinite amount of time/'goes' and are sufficiently interested, then they'll crack it. See this and this for a bit of an update on how fast brute force attempts on passwords can progress with the right hardware. Even without the right hardware, if you are sufficiently interested you can just wait for longer and still get a result.
In practice, you are really betting on the miscreant(s) not being sufficiently interested to wait, or not being sufficiently clued up to actually try to crack it. This is not exactly a good bet, either, but you might get away with it (but, if you are off the hook, it quite probably wasn't the encryption that got you off the hook, so much as a lack of application on the part of the miscreants). Depending on what else you have there, some 'security by obscurity' might help (i.e., is it at all apparent that it is a password file), but you can't really rely on it.
Of course, with a normal password situation, the miscreant has only a limited amount of 'goes' at a password before some one/thing notices and stops the process, so that gets you off the hook (usually) with even slightly suspect passwords and encryption. But, if you assume that someone has the file, that doesn't work.
You might get off the hook if you felt that you would know when there was an exploit (not necessarily true) and that you could change all of the passwords faster than the miscreant could crack them. Possible, but not reliable, largely because it may be some time after the data leaks before you get to know. Obviously, you would hope that if there was a leak you would know immediately, but, quite often, it takes a small number of weeks before those who should be protecting the data confess that their protection hasn't been as complete as you would have liked. And that's enough to sink the 'change the passwords immediately' solution.
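As an added illustration that is not part of any post in this thread: the script below builds the "first letters of a sentence" password described a few replies up (reproducing that poster's own example), then estimates the worst-case offline brute-force effort against a stolen encrypted file, which is the scenario the reply above describes. The guess rate and the weak comparison password are constructed values, not figures from the thread.

```python
# Added example, not from the thread. Estimates how much work an attacker who
# already holds the encrypted file would need to guess the password offline.
import math
import string

def mnemonic_password(sentence: str) -> str:
    """First letter of each word, keeping numbers whole and preserving case.
    'My grandma died in 92 while I was in London' -> 'Mgdi92wIwiL'."""
    parts = []
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if word:
            parts.append(word if word.isdigit() else word[0])
    return "".join(parts)

def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, inferred from the
    classes actually present (lower, upper, digits, punctuation)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size

def effective_bits(password: str) -> float:
    """Bits of search space; compare with the cipher's 256-bit key: whichever
    is smaller is the real security of the encrypted file."""
    return len(password) * math.log2(alphabet_size(password))

def bruteforce_seconds(password: str, guesses_per_second: float) -> float:
    """Worst case: try every string up to len(password) over the inferred alphabet."""
    n = alphabet_size(password)
    keyspace = sum(n ** k for k in range(1, len(password) + 1))
    return keyspace / guesses_per_second

if __name__ == "__main__":
    rate = 1e10  # constructed guess rate for a well-equipped offline attacker
    strong = mnemonic_password("My grandma died in 92 while I was in London")
    weak = "london92"  # constructed weak comparison password
    for pw in (strong, weak):
        years = bruteforce_seconds(pw, rate) / (365 * 24 * 3600)
        print(f"{pw}: ~{effective_bits(pw):.0f} bits, worst case {years:.2g} years")
```

The mnemonic password comes out at roughly 65 bits, far below the 256-bit key mentioned later in the thread, so the password and not the cipher is what an attacker with the file will work on.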
Let me put it another way. The NSA uses AES 256-bit for encrypting their top secret documents. This means that nobody, except perhaps the NSA can crack / backdoor it, as long as you use a strong password.
That may be true, I don't know. But yet, it only applies to the security or vulnerability of the encryption method as such. As soon as you're too careless with your password (for whatever reason), all that top-class encryption isn't worth a penny.
And you may believe that if the stakes are high enough, some organisations will stop at nothing. I'm not talking about bribery or blackmailing. Too primitive, though sometimes effective. But don't underestimate the power of psychology.
A long time ago, I went to Israel for three days on business. Over there, I was accompanied by a local representative most of the time. That was annoying in some situations, but on the whole I was grateful that he was there to save me from offending the locals inadvertently. When he took me to Tel Aviv airport for my flight home, he warned me: Israeli customs, he said, is notorious for employing very attractive women for baggage check and query at check-in. The experience is that men talk more freely to a nice girl and will lose their inhibitions much more easily. And yes, the young woman who checked my passport and suitcase contents was indeed a gorgeous one ...