Archive for the ‘Articles’ Category

How long would it take to recover your password?

Friday, January 21st, 2011

If you've used USBCrypt to encrypt your drives, you have probably wondered, how difficult would it be for someone to discover the correct password by just trying all possible character combinations until one of them unlocks the encrypted drive?

It's easy to find an answer to such a question using the built-in Recover Password command of the USBCrypt software. Just try starting an encrypted drive as usual, but instead of entering the password, click on the Tools button and select the Recover Password item on the menu:

The Recover Password command of USBCrypt

If you select the Recover Password command from the menu, the next screen will ask you to choose the character set to use for trying the passwords:

The settings for the Recover Password command of USBCrypt

You can select the minimum and maximum length of the passwords to try, and also choose between lower-case or upper-case characters, digits, special characters, or any combination of them. When you press the Start button, USBCrypt starts trying the passwords from the character set you've selected, in turn, until it finds one that unlocks the encrypted drive. While it's doing that, you can see the progress in a separate window that also shows the estimated time to complete the enumeration of all possible passwords from the character set you selected:

The progress of the Recover Password command of USBCrypt

If your password is short and simple, it can be discovered rather quickly:

The successful result of the Recover Password command of USBCrypt

What about the more complex passwords? The time to go through them all increases rapidly with the length of the passwords and their complexity. Here are a few numbers, obtained on a computer with a mid-range (as of the time of this writing) Intel i5-650 CPU:

| Characters / Maximum length | Up to 3 | Up to 5 | Up to 7 |
|---|---|---|---|
| Lowercase | 30 minutes | 15 days | 28 years |
| Lowercase + Uppercase | 4 hours | 1 year | 35 hundred years |
| Lowercase + Uppercase + digits | 7 hours | 3 years | 12 thousand years |
| Lowercase + Uppercase + digits + all special characters | 1 day | 26 years | 240 thousand years |

(Your numbers may be different if your computer has a different processor.)

The table above should give you a pretty good idea about the length and complexity of the password to use to keep your password safe from brute forcing. On the other hand, it can also serve as a strong reminder to take care to remember your password, because if you forget it, it may be practically impossible to recover it (unless you have created a spare key file with USBCrypt, of course).

USBCrypt makes it easier to get back your lost USB drive

Saturday, December 4th, 2010

If you’ve encrypted a removable USB drive with USBCrypt, you know your files are safe: if you lose the drive, no one will be able to get your files without the correct password that you’ve set up, and the only loss you do suffer in such a case is the cost of the physical drive itself. Still, wouldn’t it be nice to get the drive back anyway?

You can increase the chance of getting your encrypted drive back by putting a message on it to be seen by the person who finds the drive. USBCrypt makes it easy to create such a message: just enter the appropriate text as the host disk name when encrypting the drive:

The message to the finder as the host disk name

(If you’ve already encrypted the drive, you can change the host disk name with the Rename host disk command). The host disk name is the first thing the person sees after plugging the drive in the computer:

The message appears when someone plugs the drive in the computer

Even if the computer happens to have the autoplay function disabled, the person would see the message when s/he opens the Computer folder:

The message is shown as the label of the drive

Yet another place to catch attention of the person who found the drive is the screen that appears when s/he runs the file USBCrypt.exe off the encrypted drive:

The built-in message when unlocking the encrypted drive

Such a message appears automatically, you don’t have to do anything special, and the name that is included in the message is the registered name that your copy of the software was licensed to (that is, presumably, your name). If the person clicks on the Not you? link, s/he will be presented with the following message:

The built-in message when unlocking the encrypted drive

This message gives the person an opportunity to contact us with the details of the drive found, and we in turn would attempt to locate your email address in our records and let you know that someone has found your lost drive. Note that what happens after that is entirely up to you: whether you want to reward the person who found the drive or not, etc., would be entirely your decision. We would just offer you our help with getting in touch with that person.

Of course, the best solution to any such problem would be not to lose the drive in the first place. However, it’s a good idea to be prepared for such a misfortune before it might happen.

Choosing a good encryption password

Sunday, April 18th, 2010

Selecting a good encryption password is hard. On the one hand, it should be complex and non-obvious enough for others not to easily guess it. Yet, it should be sufficiently simple for you to remember and avoid the temptation to write it down. Besides, there are quite a few misconceptions around that make choosing a good password rather confusing.

For example, whenever you are prompted to set up a password, the system usually informs you about the minimum length of the password that you should select. Such a requirement may create the impression that the longer the password, the more secure it is. This is not always true! It would be true if you were choosing a random combination of characters for the password, such as “dkoirnfyut”, or “alokifjnwl”, or whatever other combination you could produce by typing random keys on the keyboard. The problem is, however, that more likely than not, you are selecting an existing word (or, a word from a dictionary), like “apple” or “orange” for the password. In such a case, if someone would try the dictionary attack on your encrypted data, it would make virtually no difference whether the word is short or long. It takes the same amount of computer time (give or take a few nanoseconds) to try “tea” or “antidisestablishmentarianism” as the password.

By the way, what is the strength of a dictionary word as the password, you might be wondering? Let’s assume that you’ve selected a random word from a dictionary that has a million words. Considering that 1 million is roughly the same as 2^20, it means that the strength of such a password is only about 20 bits! It does not matter if the software uses a 128- or 256-bit encryption key, because if your password can be recovered in 2^20 attempts, the effective security of your encryption gets reduced to 20 bits, simply by the fact that you’ve chosen the password from the dictionary.
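The following added example (not USBCrypt code) ties the 20-bit estimate above to the brute-force table in the "How long would it take to recover your password?" article: it derives the guess rate from one table cell, recomputes the remaining cells, and then applies the same rate to a single dictionary word and to a multi-word passphrase. Assumptions: the minimum length is 1, there are 32 special characters, and passphrase words are drawn uniformly at random.

```python
import math

SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "year": 365.25 * 86400}

def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidate passwords with min_len..max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

# Guess rate implied by one cell of the article's table:
# lowercase only, up to 3 characters, 30 minutes on the i5-650.
RATE = keyspace(26, 3) / (30 * SECONDS["minute"])   # about 10 guesses/second

def exhaust_seconds(candidates, rate=RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate

def humanize(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit in ("year", "day", "hour", "minute"):
        if seconds >= SECONDS[unit]:
            return f"{seconds / SECONDS[unit]:,.1f} {unit}s"
    return f"{seconds:.0f} seconds"

def bits(candidates):
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(candidates)

# Alphabet sizes; 32 special characters (ASCII punctuation) is an assumption,
# the article does not say how many USBCrypt uses.
ALPHABETS = {"lower": 26, "lower+upper": 52, "lower+upper+digits": 62,
             "lower+upper+digits+special": 94}

def table(max_lengths=(3, 5, 7)):
    """Recompute the article's table from the single derived guess rate."""
    return {name: [humanize(exhaust_seconds(keyspace(size, n))) for n in max_lengths]
            for name, size in ALPHABETS.items()}

DICTIONARY = 1_000_000   # the article's million-word dictionary

if __name__ == "__main__":
    for name, row in table().items():
        print(f"{name:28s}", " | ".join(row))
    print("one dictionary word:", f"{bits(DICTIONARY):.1f} bits,",
          humanize(exhaust_seconds(DICTIONARY)))
    words = 4   # constructed case: words drawn uniformly at random
    print(f"{words}-word passphrase:", f"{bits(DICTIONARY ** words):.1f} bits,",
          humanize(exhaust_seconds(DICTIONARY ** words)))
```

At the rate implied by the table, a single word from a million-word dictionary is exhausted in a little over a day, no matter how many letters it has.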

That’s why most systems insist that your password should contain a mixture of uppercase and lowercase letters, numbers, and special characters: such additions make the dictionary attacks much harder. However, they make remembering the passwords harder, too. What should you do?

There are several methods available for creating complex passwords that are easier to remember. One of them is by creating artificial passphrases (rather than passwords), by combining random words from a dictionary. Take a dictionary book, open it on a random page, and write down a random word you like on that page. Open the dictionary on another page, write down another word. Repeat several times, then move the words around to create a phrase. (The phrase does not have to make sense!). For example, I just tried it and came up with: “Antisocial Pomegranate holds back Blue Herring” (Sounds fun, doesn’t it?) If you can remember such a phrase (including the capitalization of the words), you’ve got yourself a rather strong passphrase.

Another method that’s often recommended is the “first letters of a phrase” technique. Think of a phrase that contains several words, that you could remember. For example, it could be a line from your favorite Beatles song, like “Desmond has a barrow in the market place, Molly is the singer in a band.” Take the first letter of each word, and combine them together: Dhabitmp,Mitsiab. Note that we’ve preserved the capitalization of the letters, and also kept the comma in the middle. The resultant password is almost as strong as a random combination of 17 characters, yet you should be able to remember it easily, as long as you remember the original phrase.

Yet another approach is to create complex and long passwords for each situation, and use some password management software to keep track of them, such as KeePass. When using a software password manager, you only have to remember the master password. Of course, the inconvenience of this method is that you always have to use the password manager to recall the passwords for you, but if you need to have many strong passwords, that’s a small price to pay for the security. And, of course, don’t forget to back up your password database, because if you lose it, you lose them all!

Selecting encrypted file system

Tuesday, March 23rd, 2010

When you encrypt a drive with USBCrypt, on the Choose size page of the wizard you can specify not only the desired size of the Virtual Encrypted Disk to create, but you can also select the desired file system for it:

Selecting a file system format for the encrypted drive

Let’s discuss these options in more detail. First of all, in this example there are two choices for the FAT format, one listed as Default (FAT) and another one as just FAT. What is the difference between the two, you might be wondering? The Default choice instructs USBCrypt to select the same file system for the Virtual Encrypted Disk as that of the host drive. As you can see in this case, the host drive is formatted with FAT32 (as shown at the bottom of the USBCrypt window). Therefore, the default choice of the file system for the Virtual Encrypted Disk is FAT, too. If the next drive you are going to encrypt with USBCrypt happens to have the NTFS file system, then the Default option would format the Virtual Encrypted Disk with the NTFS file system, too.

If that’s how you want USBCrypt to select the file system for you, then choose the Default option. If, however, you prefer one of the available file systems, and want all Virtual Encrypted Disks to be formatted with it, then select that item in the list (rather than Default). For example, if you select the FAT option, then all Virtual Encrypted Disks you create in the future will be formatted with the FAT file system, no matter how the host drive is formatted. (Of course, you can change your selection at any time!).

Which file system is “better”, FAT or NTFS? The correct answer is: it depends. The FAT format is more suitable for the smaller drives (say, smaller than 1GB or so). The FAT system is much simpler than NTFS and has less overhead. If all you need the encrypted drive for is to keep your documents and spreadsheets, then FAT would suit you just fine.

However, if you intend to store very large files on it (4GB or larger, such as the video files), then you should select the NTFS system, because FAT system cannot store such large files. (It was designed such a long time ago that it was difficult to imagine we would ever need to have files larger than 4GB!). NTFS offers several other options over FAT, such as the built-in file-based compression and access control (although you don’t really need it, since USBCrypt already provides security for all files within the Virtual Encrypted Disk, whether it is formatted with NTFS or FAT).

What about the last choice in the list, None? If you select it, then USBCrypt will create the Virtual Encrypted Disk without any file system inside at all. In such a case, you will not be able to put any files into the Virtual Encrypted Disk until you format it yourself (Windows Explorer should prompt you to format the drive when you attempt to open it for the first time). You may want to select this option if you want to use a formatting option other than the one built into Windows that USBCrypt uses.

Happy formatting!

Using encrypted drives on computers without USBCrypt installed

Friday, March 5th, 2010

Can you use a drive encrypted with USBCrypt on other computers that don’t have USBCrypt software installed on them? Like the computers at your local library, or at your friend’s house? Yes, you can: when you encrypt a drive with USBCrypt, it automatically puts a portable version of the USBCrypt software on the drive as well, to allow you to use the drive with other computers. All you need to do is attach the drive to the computer:

Windows usually prompts you to open the drive when you attach it

(If you don’t see such a prompt, use the Start – Computer menu to open your drive). Then double-click on USBCrypt (or USBCrypt.exe) to run it off the drive:

Double-click on USBCrypt to run it off the encrypted drive

OK, there is one catch: if there is no USBCrypt software installed on this computer, then in order to run USBCrypt off the attached encrypted drive the administrator of the computer must give his or her permission for that:

The administrator must give the permission to run USBCrypt off the attached drive

This message is not entirely accurate: USBCrypt does not want to make changes to the computer, all it wants is to load the encryption driver. Anyway, come to think of it, this message is a good thing: after all, if it were your computer, you wouldn’t want your friends to run arbitrary software on it without your permission, would you? Go ahead, tell the owner of the computer what USBCrypt is all about, and if you ask nicely, the owner should let you continue.

Note that the administrator’s consent must be obtained only once per Windows session: the consent remains in effect even if you detach the drive and insert it again, and there should be no second prompt asking for the administrator’s password (we don’t want to annoy the administrators with our little questions, do we?). Only if the computer is restarted must the administrator’s permission be obtained again.

After that, you can work with your encrypted drive as usual: you can enter your password and start the Virtual Encrypted Disk, stop it, rename it, etc. Note, however, that one cannot encrypt a new drive by running USBCrypt off another encrypted drive as described above. For that, USBCrypt must be installed on the computer the usual way. Happy encrypting!

Which encryption key to choose, 128- or 256-bit?

Wednesday, February 3rd, 2010

When you encrypt a disk with USBCrypt, you have the option of choosing the length of the encryption key: 128 or 256 bits. Which length should you choose?

The naïve answer seems to be “the longer the better”: 256-bit encryption has got to be much better than 128-bit, so why not use it? The reality, however, is that 128-bit encryption is just as strong as 256-bit, while it requires fewer computational resources and is performed a bit faster.

How can it be, you might be wondering? Let me try an example. Consider two stars: Alpha Centauri and Sirius. It takes light 4.4 years to travel from the Sun to the former star and 8.6 years to reach the latter. Which one is easier for us to get to? The correct answer is: they are both unreachable. There is no technology available to humankind now and for the foreseeable future to reach either of them. The same is true about the encryption: no technology exists now that would break either 128-bit or 256-bit encryption. It would take the power of 15 Hoover dams for one year to just flip all of the 128 bits, not including the actual verification of each such key. It would take longer than the age of the Universe to try all possible 128-bit keys for the fastest of the existing computers. In other words, if someone wants to get to your encrypted files, they are not going to try to discover the key by applying each possible combination of the bits until they come across the actual key. Against such a method, both 128-bit and 256-bit keys are equally strong.

Instead of brute force, the adversaries have many much more effective methods at their disposal: they could install a keylogger on your computer that would intercept the keys when you are entering your encryption password. They could install a hidden video device and record your keyboard as you are entering your password. They could monitor the electromagnetic signals your keyboard emits and discover your password that way from a distance. Or, they could kidnap and torture you until you tell them the password. All such methods are much easier and cheaper for the adversaries to use than the brute-force attack.

We hope this answers the question of this post, as well as other related questions you might have, such as “Why don’t you offer 2048-bit encryption like some of your competitors do?” 🙂

The USBCrypt team.