Posts Tagged ‘brute force’

How long would it take to recover your password?

Friday, January 21st, 2011

If you've used USBCrypt to encrypt your drives, you have probably wondered how difficult it would be for someone to discover the correct password by just trying all possible character combinations until one of them unlocks the encrypted drive.

It's easy to answer that question with the built-in Recover Password command of the USBCrypt software. To find the command, start an encrypted drive as usual, but instead of entering the password, click on the Tools button and select the Recover Password item on the menu:

The Recover Password command of USBCrypt

If you select the Recover Password command from the menu, the next screen will ask you to choose the character set to use for trying the passwords:

The settings for the Recover Password command of USBCrypt

You can select the minimum and maximum length of the passwords to try, and also choose between lower-case or upper-case characters, digits, special characters, or any combination of them. When you press the Start button, USBCrypt starts trying the passwords from the character set you've selected, in turn, until it finds one that unlocks the encrypted drive. While it's doing that, you can see the progress in a separate window, which also shows the estimated time to complete the enumeration of all possible passwords from the character set you selected:

The progress of the Recover Password command of USBCrypt

If your password is short and simple, it can be discovered rather quickly:

The successful result of the Recover Password command of USBCrypt

What about more complex passwords? The time to go through them all increases rapidly with the length of the passwords and their complexity. Here are a few numbers, obtained on a computer with a mid-range (as of the time of this writing) Intel i5-650 CPU:

| Characters / Maximum length | Up to 3 | Up to 5 | Up to 7 |
|---|---|---|---|
| Lowercase | 30 minutes | 15 days | 28 years |
| Lowercase + Uppercase | 4 hours | 1 year | 35 hundred years |
| Lowercase + Uppercase + digits | 7 hours | 3 years | 12 thousand years |
| Lowercase + Uppercase + digits + all special characters | 1 day | 26 years | 240 thousand years |

(Your numbers may be different if your computer has a different processor.)

The table above should give you a pretty good idea of the length and complexity to choose to keep your password safe from brute forcing. On the other hand, it can also serve as a strong reminder to take care to remember your password, because if you forget it, it may be practically impossible to recover it (unless you have created a spare key file with USBCrypt, of course).
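The following is an added example, not part of the original post or of USBCrypt. It derives the guess rate implied by one cell of the table above, recomputes the remaining cells from the size of each password space, and finds the shortest maximum length that outlasts a chosen target time. The function names are illustrative, and counting the 32 ASCII punctuation marks as "all special characters" is an assumption.

```python
import math
import string

# Character-set sizes. Counting the 32 ASCII punctuation marks as "all special
# characters" is an assumption; the page does not list the ones USBCrypt tries.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, len(string.punctuation)

def keyspace(charset_size, max_len, min_len=1):
    """Number of candidate passwords of min_len..max_len characters."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def calibrate_rate(charset_size, max_len, seconds):
    """Guesses per second implied by one measured full enumeration."""
    return keyspace(charset_size, max_len) / seconds

def exhaust_seconds(charset_size, max_len, rate):
    """Worst-case time to try every password up to max_len at `rate`."""
    return keyspace(charset_size, max_len) / rate

def humanize(seconds):
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.0f} seconds"

def min_length_for(charset_size, rate, target_seconds):
    """Smallest maximum length whose full enumeration outlasts the target."""
    n = 1
    while exhaust_seconds(charset_size, n, rate) < target_seconds:
        n += 1
    return n

def equivalent_bits(charset_size, length):
    """Key length (bits) with the same number of values as such a password."""
    return length * math.log2(charset_size)

# Calibrate from one table cell: lowercase, up to 3 characters, 30 minutes.
RATE = calibrate_rate(LOWER, 3, 30 * 60)

if __name__ == "__main__":
    print(f"implied rate: {RATE:.1f} guesses/second")
    sets = {"lower": LOWER, "lower+upper": LOWER + UPPER,
            "lower+upper+digits": LOWER + UPPER + DIGITS,
            "all": LOWER + UPPER + DIGITS + SPECIAL}
    for name, size in sets.items():
        row = [humanize(exhaust_seconds(size, n, RATE)) for n in (3, 5, 7)]
        print(f"{name:20} {row}  100-year length: "
              f"{min_length_for(size, RATE, 100 * 365.25 * 86400)}")
    print(f"7 chars from all sets ~ {equivalent_bits(94, 7):.0f}-bit key")
```

Every figure scales inversely with the guess rate, so hardware that tries passwords N times faster than the i5-650 divides each time by N.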

Which encryption key to choose, 128- or 256-bit?

Wednesday, February 3rd, 2010

When you encrypt a disk with USBCrypt, you have the option of choosing the length of the encryption key: 128 or 256 bits. Which length should you choose?

The naïve answer seems to be “the longer the better”: 256-bit encryption has got to be much better than the 128-bit one, so why not use it? The reality, however, is that 128-bit encryption is just as strong as 256-bit, while it requires fewer computational resources and is performed a bit faster.

How can that be, you might be wondering? Let me try an example. Consider two stars: Alpha Centauri and Sirius. It takes light 4.4 years to travel from the Sun to the former star and 8.6 years to reach the latter. Which one is easier for us to get to? The correct answer is: they are both unreachable. There is no technology available to humankind now or for the foreseeable future to reach either of them. The same is true of encryption: no technology exists now that would break either 128-bit or 256-bit encryption. It would take the power of 15 Hoover dams for one year just to flip the 128 bits through all of their combinations, not including the actual verification of each such key. It would take longer than the age of the Universe for the fastest of the existing computers to try all possible 128-bit keys. In other words, if someone wants to get to your encrypted files, they are not going to try to discover the key by applying each possible combination of the bits until they come across the actual key. Against such a method, 128-bit and 256-bit keys are equally strong.

Instead of brute force, adversaries have many much more effective methods at their disposal: they could install a keylogger on your computer that would intercept the keys as you enter your encryption password. They could install a hidden video device and record your keyboard as you enter your password. They could monitor the electromagnetic signals your keyboard emits and discover your password that way from a distance. Or they could kidnap and torture you until you tell them the password. All such methods are much easier and cheaper for the adversaries to use than a brute-force attack.

We hope this answers the question of this post, as well as other related questions you might have, such as “Why don’t you offer 2048-bit encryption like some of your competitors do?” 🙂

The USBCrypt team.