Hashcat improvements and strengthening passwords

[BuckoA51]

First of all, please don't beat me too hard if I've got something wrong in this post, I'm not a security expert by any means.

So I read about the improvements in Hashcat and how you can now crack Truecrypt volumes more efficiently. I started wondering if my Truecrypt passwords were adequate enough and ways to strenghthen them and I remembered Ubikey. Ubikey can add a bunch of random characters to your password to make it harder to crack. Now, what made me pause for thought is this. Let's say an attacker steals my computer and my Ubikey. Assuming I'd locked the machine, there are few scenarios for attacking the Truecrypt container:-

1) Brute force - He/She could simply add the ubikey random text to his word list. Simple, but will still be inefective if my password isn't in his/her dictionary.

2) Hashcat - Now, here's where I think I understand but might not. Am I right in saying that, because hashes are designed so that changing the password a little results in a completely different hash, that knowing /part/ of a password (in this scenario the part stored on the Ubikey) is absolutely no help whatsoever if you are trying to break a hash? Or have I misunderstood completely?

[digininja]

Hashcat is a brute forcer so your comments on 1 apply to 2. Its power comes from being able to modify words from the word list before testing them, for example adding numbers to the end or characters to the start.

These modifications come from rules that you give to it so you'd just write the rules to always have the yubikey value on the end or start so using it wouldn't give any extra protection.

[BuckoA51]

Right yeah I understand I think, with Hashcat you're basically brute forcing passwords against the hash rather than against the container itself, because that's simply faster?

[digininja]

I don't know how Truecrypt encryption works but what you are brute forcing is the key that is used to unlock it wherever it is stored

[BuckoA51]

Yep that makes sense thanks, the more you know. If only humans were better at remembering random strings of letters and numbers.

[digininja]

I use a key file and a passphrase to secure my truecrypt volume, I doubt that Hashcat will use files yet, probably just passphrases.

Without knowing the file is required there is no way to tell so you could spend all day trying to brute force the passphrase and not get anywhere.

[GuardMoony]

Dont forget that only static paswords are used with truecrypt.

Damn it would be nice to have a encrypted disk with OTP :/

[Jason Cooper]

Assuming I'd locked the machine, there are few scenarios for attacking the Truecrypt container:-

1) Brute force - He/She could simply add the ubikey random text to his word list. Simple, but will still be inefective if my password isn't in his/her dictionary.

2) Hashcat - Now, here's where I think I understand but might not. Am I right in saying that, because hashes are designed so that changing the password a little results in a completely different hash, that knowing /part/ of a password (in this scenario the part stored on the Ubikey) is absolutely no help whatsoever if you are trying to break a hash? Or have I misunderstood completely?

Actually there is a third attack method if you have the Truecrypt container mounted when you locked the machine, take the encryption keys straight from your machines memory.

If you have an accessible port which supports DMA (e.g. Firewire) then an attacker can connect through this and search your machines memory for the key. If there isn't a port supporting DMA available then they can restart the machine and boot it into a simple bit of code designed to dump the machines memory to a USB drive, which can then be trawled through to find the keys.

[BuckoA51]

Yeah I remember seeing the Hak5 episode on cold boot. It's a pity keyfiles cannot be used for pre-boot authentication, maybe in the future. Truecrypt could create a USB drive full of random keyfiles, and you only needed to enter your password and remember which keyfile it was on the USB stick when booting.

[digininja]

If you are running Linux then you can use LUKS and its full disk encryption, you put you key on a USB stick and the machine won't boot without that stick being present. You could put multiple keys on there if you wanted to obscure things as well. Not sure if Truecrypt or Bitlocker will do that.