Two weeks ago I was in the midst of a nightmare. I’d forgotten a password. Not just any password. THE password. Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc. The password in question unlocks these files from the protection of a locally stored AES-256 encrypted disk image. A location where an “email me a password reset link” is not an option. File backups? Of course! Encrypted the same way with the same password. Password paper backup? Nope. I’ll get to that. I somehow needed to “crack” this password. If not, the amount of epic self-pwnage would be too horrible to imagine.
Before sharing how I got myself into this predicament, it’s necessary to reveal some details about my personal computer security habits. More specifics than I’m normally comfortable sharing.
As my badge wall shows, I travel a lot, all around the world, and often with the same laptop. A MacBook Pro. My computer becoming lost, stolen, or imaged by border guards and other law enforcement officers is a constant concern. To protect against these potential physical attacks, OS X dutifully offers FileVault.
FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. Enabling FileVault means that even if someone has physical possession of my computer, or obtains a full copy of the hard drive, they’d be the proud new owner of a cutting-edge machine, but unable to get any useful data off of it. That is unless my admin password, which unlocks FileVault, is ridiculously simple, and it isn’t. By all practical means, “cracking” this password is impossible.
What is possible is law enforcement, or a robber, forcibly stopping me and “asking” for my admin password, a method capable of defeating FileVault’s full disk encryption. Realistically, while my Brazilian jiu-jitsu black belt certainly helps in many situations, it can be utterly useless in other real-world encounters. I’ll of course resist giving up my admin password to the extent I’m able, but must assume I may have to “comply” at some point. If this should happen, ideally my data, other than email, should remain safe even after the adversary lands on my desktop.
Setting up this type of layered security fall-back plan is where we return to the conversation of encrypted disk images. On OS X, Disk Utility can be used to create encrypted disk images called DMGs. DMGs are self-contained portable files, of customizable size, that when mounted (i.e. double-clicked) display on the desktop like any other disk drive where files can be stored.
Upon creation of DMGs the level of encryption strength can be set, the highest being AES-256. If FileVault’s AES-128 crypto is already “impossible” to crack, AES-256 DMGs are exponentially more impossible. To ensure this, all you have to do is set a reasonable password. We’re talking even 6 characters or longer, some upper and lower case, and maybe toss in a digit and special character. DON’T SAVE THE PASSWORD IN YOUR KEYCHAIN. Doing so defeats the entire purpose of what we’re trying to accomplish, because the admin password unlocks the keychain.
A great thing about DMGs is that they can be stored anywhere. Hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords. Also very important, DMGs containing sensitive files are only mounted on an as-needed basis. This is for two reasons:
- If I must hand over my admin password, the person now on the desktop should still have a difficult time learning these disk images exist and a password is required to open them. As they begin to snoop around, image the drive, run forensics, etc., they should feel they have the keys to the kingdom. If they do manage to find the DMGs, hopefully by then I’m on my way and seeking legal help.
- Should my computer get “hacked,” a remote attacker will find it extremely difficult to transfer out many many gigabytes worth of data as a single DMG file before being noticed, the computer loses its connection to the Internet, or the image is unmounted.
What’s also cool is a DMG can be used to store additional account passwords, flat file style. Passwords, which can be made super strong and don’t have to be committed to memory. Simply copy-paste as necessary. This FileVault / DMG setup makes it very convenient to only have to remember a small handful of passwords, including the admin password, to access everything important and without sacrificing security. Well, convenient up until the point where you forget a DMG password. In my case, caused by my scheduled ritual of “change all my passwords.” Ugh!
I wake up once upon a recent morning and begin my daily routine. Check calendar. Check email. Check RSS. Check Twitter. Start working, start reading. As is common, I mount a DMG and am greeted by the familiar password dialog. First password attempt, fail. Second attempt, fail. Third attempt, fail. Warning dialog appears. That’s weird, I thought. Normally I’m a proficient touch typist. Am I fat-fingering the password? Three strikes and I’m out again.
Annoyed, but not concerned. Check the caps lock key. Nope. Try the password again. Fail, fail, fail. Fail, fail, fail. Rinse, repeat several more times. WTF! Am I at least trying to type the correct password for the DMG? I believe so. Let me try a few “shouldn’t work passwords” just in case Morning Brain is causing problems. A few dozen password fails later, annoyance begins constricting into panic. It’s OK, consoling myself, I’ll come back to this in a little while. It’ll be fine. I have some non-DMG-required work to complete anyway.
An hour later, I repeated the same password attempt cycle. No dice. The password fails mounting up are now in the hundreds. I start to mouth some obscenities and my keyboard is really not liking the pounding. My wife is beginning to eyeball me with concern. I’m running out of ideas of what that problem could be. That’s about when I recalled recently changing all my passwords. A few moments later, that’s when it hit me, like really hit me. For whatever reason, I’d forgotten what I changed the password to. *Gulp*. Oh, no!
Credit: http://xkcd.com/
Think positive, think optimistic. Keep calm. Carry on. It’ll come to me. I’ve never forgotten these passwords before. I even remember most of it. At least, I think I do.
I’m periodically trying different passwords throughout the day, throughout the evening. One day turns into two, two into three. All like the first. Only now I’m losing sleep. I’m waking up in the middle of the night and have to try a few more passwords just so I can get back to sleep. For those who don’t know, dreaming of password combinations sucks. What also sucks is without access to this DMG, more specifically the work documents within it, my daily productivity plummets.
Finally, after nearly a week I have to admit to myself, I forgot it. That I’m in trouble. Time for Plan B. Google.
I begin searching around for DMG password cracking tools. My thought is since I have a partial password, I should be fine. Most of the results pages are littered with people responding by cracking jokes when asked about cracking DMG AES crypto. That’s not very encouraging. Then I come across something called crowbarDMG, which is basically a GUI for the command:
>$ hdiutil attach -passphrase <passphrase> DiskImage.dmg
hdiutil locks a DMG file when attempting to mount it, so crowbarDMG runs single threaded, which essentially means a cracking speed of 1 password c/s. Yeah, slow. For my particular circumstance, this was fine. I figured I was only missing between 1 – 3 characters of the password anyway. A day of cracking, maybe two, and I’d be back in business. It was not to be. Then my fuzzy memory suggested I might be missing as much as 6 characters. If that be the case, by sheer math, at least multiple decades worth of cracking would be necessary at current speed. Time for Plan C. Twitter.
Having ~15,000 followers interested in computer security has its perks. Through the years I’ve come to expect a good percentage of them have a stinging sense of humor. Similar to the Google search, 99% of the responses received were sarcastic. This included one such retort from a friend who works in law enforcement computer forensics. I’m sure some tweets were funny, but I was in no laughing mood. I was freaked. A sense of futility and finality was setting in.
That was until Solar Designer, gat3way, Dhiru Kholia, and Magnum, the guys behind the infamous John the Ripper (JtR) password cracker, answered my plea. Then Jeremi Gosney of Stricture Consulting Group graciously offered up the use of his mega hash cracking computing resources as well. You remember Stricture from their Ars article, they have an insane “25-GPU cluster cracks every standard Windows password in < 6 hours.” Collectively, these guys are amongst the world’s foremost experts in password cracking. If they can’t help, no one can. No joking around, they immediately dove right in.
Now, I couldn’t just share out my DMG for others to attempt to crack. Its enormous size basically precluded that. But even if I could, I wouldn’t. Given the sensitive nature of the data, I actually preferred the data lost than suffer any risk of a leak. Fortunately, JtR has something called dmg2john. dmg2john scrapes the DMG and provides output which can be cracked with JtR by others without putting the data at risk. Nice! Unfortunately, when I got there, dmg2john and JtR were broken when it came to DMGs. I provided the bug details to john-dev and john-users mailing list to replicate. The JtR developers had the issues fixed in a couple days. These guys are awesome.
Next step, send the dmg2john output of my DMG over to Jeremi at Stricture along with everything I think I remember about what my password might have been. Jeremi informs me of the next challenge, he’s only able to crack my DMG at a speed of ~100 c/s! At that rate it’s going to take a little over a decade worth of cracking to exhaust the password key space. I’m thinking this is very odd, it’s only maybe 6 extra characters tops. Jeremi explains why…
The reason it’s so slow is because your AES256-encrypted DMG uses 250,000 rounds of PBKDF2-HMAC-SHA-1 to generate the encryption key. The ludicrous round count makes it extremely computationally expensive, slowing down the HMAC-SHA1 process by a factor of 250,000.
My Xeon X7350 can crack a single round of HMAC-SHA1 at a rate of 9.3 million hashes per second. But since we are using 250,000 rounds, it means I was reduced to doing ~ 37 hashes per second. Using all four processors I was only able to pull about 104 hashes per second total (doesn’t scale perfectly.)
Once understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been. Were they all upper and lower case characters? What about digits? Any special characters? Which characters were most likely used, or not used? Every bit of intel helped a lot. We managed to whittle down an initial 41106759720 possible password combinations to 22472. This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig.
Subsequently, Jeremi sent me what had to be one of the most relieving and frightening emails I’ve ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work. I hadn’t touched my precious data in weeks! It was a tender moment, but also frightening because, well, no security professional is ever comfortable seeing such a prized password emailed to them from someone else. When/if that happens, it typically means you are hacked and another pain awaits.
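An added example (not from the original post or from John the Ripper): PBKDF2-HMAC-SHA1 written out in Python to show why every password guess costs 250,000 chained HMAC calls, followed by the arithmetic that reproduces the rates and times quoted above. The salt, the sample passwords and the 32-byte output length are constructed for illustration and are not taken from any real DMG.

```python
import hashlib
import hmac
import struct
import time

ITERATIONS = 250_000         # round count quoted in the post
SINGLE_ROUND_RATE = 9.3e6    # HMAC-SHA1 per second on one CPU (from the post)
MEASURED_RATE = 104          # guesses per second on four CPUs (from the post)
FULL_KEYSPACE = 41106759720  # candidates before the hints (from the post)
REDUCED_KEYSPACE = 22472     # candidates after the hints (from the post)
SALT = b"constructed-salt"   # constructed sample value, not from a real image
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 (RFC 8018) over HMAC-SHA1, spelled out to expose the serial chain."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.sha1().digest_size
    keyed = hmac.new(password, digestmod=hashlib.sha1)  # key the HMAC once
    out = b""
    block_index = 1
    while len(out) < dklen:
        mac = keyed.copy()
        mac.update(salt + struct.pack(">I", block_index))
        u = mac.digest()                      # U_1
        acc = int.from_bytes(u, "big")
        # U_i = HMAC(password, U_{i-1}): each round needs the previous
        # round's output, so one guess cannot be parallelised internally.
        for _ in range(iterations - 1):
            mac = keyed.copy()
            mac.update(u)
            u = mac.digest()
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(hlen, "big")
        block_index += 1
    return out[:dklen]


def guesses_per_second(single_round_rate: float, iterations: int) -> float:
    """Password guesses per second when every guess costs `iterations` rounds."""
    return single_round_rate / iterations


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate


def measure_local_rate(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Time the C implementation in hashlib to get this machine's guess rate."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha1", b"constructed-guess-%d" % i, SALT, iterations, 32)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # The hand-written loop must agree with the library implementation.
    assert pbkdf2_hmac_sha1(b"pw", SALT, 1000, 32) == hashlib.pbkdf2_hmac(
        "sha1", b"pw", SALT, 1000, 32)

    per_cpu = guesses_per_second(SINGLE_ROUND_RATE, ITERATIONS)
    print(f"one CPU, 250,000 rounds : {per_cpu:.1f} guesses/s")
    years = seconds_to_exhaust(FULL_KEYSPACE, MEASURED_RATE) / SECONDS_PER_YEAR
    print(f"full keyspace at 104/s  : {years:.1f} years")
    minutes = seconds_to_exhaust(REDUCED_KEYSPACE, MEASURED_RATE) / 60
    print(f"reduced keyspace        : {minutes:.1f} minutes")
    print(f"this machine            : {measure_local_rate():.1f} guesses/s")
```

The same arithmetic works in the other direction when choosing an iteration count for your own key derivation: multiply the keyspace you expect a password to have by the per-guess cost you can tolerate at unlock time.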
Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity. I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.
Now, after telling everyone a few of my best tricks and enduring an awful deficiency in one of them, I’ll obviously have to change things up a bit. Clearly I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it’ll enjoy legal privilege protection. We’ll see.
In the meantime, I can’t thank the John the Ripper guys and Jeremi from Stricture Consulting enough. If you need a password cracked, for personal and professional reasons, this is where you look to.



What about content of files from your vaults left in some cache/swap? I assume someone with your admin password can dig them up.
@hm Yeah, there are probably pockets of data floating around the system, but probably not worth worrying about, and certainly not enough to ease the pain of losing that DMG.
@hm – Swap (at least) is not a problem. It’s encrypted by default on OS X using a random key that is re-generated on each boot. Even then, cache for the DMG is not a problem — the encryption key is held in “wired” memory, that the system will not swap out to disk. Other apps’ caches are more problematic, but that’s a second order problem. Everything is also vulnerable to Felten’s cold boot attack as well.
Hi,
This has got to be every security professional’s worst nightmare and I cringed while reading, hoping dear to God it would end well. Thank you so much for sharing. Made me think twice about my own routines and will be sure to make a few changes. Stories such as these are not only horrible to read but also incredibly instructive, so again thanks for sharing and documenting for the rest of us to read.
@Christoffer I think so too. It was horrifying. Thanks for reading and sharing your kind words. Helps encourage me to write more.
Time to reconsider Bruce Schneier’s recommendation: Write your password down and store it in your wallet.
With caveat: When traveling, remember to take it out of your wallet, put it in a small metal tube and stick it up your butt!
@Richard I think there is a S—aaS joke in there somewhere. LOL
I’m really curious about why Jeremi only saw a 2.8x throughput increase from adding 3 CPUs. What gets serialized that limits the parallelization?
@Chris Really couldn’t say, but I’m sure he would know.
Hey, don’t bother with paper, except for one type. Put all those DMG’s on a flash drive of some sort. Encrypted with a HORRENDOUS password. Go high ASCII on that bitch. Take the password, write it out on a piece of paper, seal in an envelope, seal the envelope in an evidence bag, and hand that to your attorney, with a “When I die, or ask for it back”. Attorney-client privilege is in effect (Mind you, IANAL), and you’re good. Put flash drive in bank vault. Essentially treat the data like a nuke launch code. You have to get it from offsite backup location, AND get the password from the lawyer. So a theft of one won’t lose you the data.
Congrats on getting it back.
@Josh Recently, I would’ve said you’re a little paranoid. This month, not so much. What a difference one forgotten password can make on your personality.
You seem to put a lot of faith in lawyers…
@jp Might have to trust someone at some point. If a lawyer’s entire career is on the hook with protecting me, I think our mutual interests align. About the best one can expect.
right, but trust and security aren’t the same thing. You sound like an expert in your field. You think your lawyer spends all his/her time researching security? For CYA security, maybe good enough. I’d probably recommend placing the password in a second safety deposit box at a different bank. Lawyers and their assistants can be socially engineered, or if they keep the paper in the office it would be trivial to steal or for a nefarious employee to obtain (the night cleaners perhaps). Two bank hits would be pretty bold, and in the safety deposit box, you can be more sure that it is out of sight of any employees.
JP, trust me, Jer is an expert in his field. If you were talking about me, then I’ll let others speak to that. As for the bank idea, it’s a very do-able thing. However, a Lawyer is good, because a bank safe deposit box is subject to a subpoena. A lawyer’s files are not. Attorney-Client Privilege. Forgot to mention it, thanks for bringing that out!!!
Joshua
Half the password with your lawyer, half in a safe deposit box.
Thank you, Jeremiah, for the cautionary tale. We often put too much trust into our electronic (keepass etc.) and meat memories.
R
How paranoid are you? I live in an earthquake zone and keep an off-continent backup of my most important files (encrypted, of course). If I were you I’d be thinking about two lawyers and two safe deposit boxes…
Great read man, loved it.
@Colm thank you!
Good post. Thanks!
To take a few more steps on the paranoid road:
- revealing “brazilian jiu-jitsu black belt” is helpful intel for the eventual abductor
- revealing “I figured I was only missing between 1 – 3 characters of the password anyway.” tells about your passwords modification schemes (even though it seems it was more in the 6 chars realm)
Since it seems you are already using one very strong password for each of your DMGs, wouldn’t you prefer changing them very infrequently? There’s no real need to change a good, strong password. If there is an exploitable vulnerability in the application using it, or ways to get the password in memory, etc, changing the password will not make a difference. And if someone REALLY wants it (very unlikely), that person can get it without even touching you once.
@varmapano Base password + modify 4-6 chars and locate them in “random” places in the original password string. Helps me have sufficiently hard passwords while keeping memorization easier.
Oh, I’ll have to think you the idea of “not” changing my password as you mention. Good thing to consider.
Question for you – I get the concerns around being forced to hand over a password, and so on. If that’s the case, why wouldn’t you use something like TrueCrypt, where you can easily hide encrypted volumes in plain sight, and then have nested volumes, where you can give up a password that reveals one set of content (fake), but a different password reveals the real content. I’m sure you’re aware of this tech already – curious why you’re not using it.
@Matthew Actually, I’m not using this tech and honestly, didn’t know that feature existed. Gotta see if TrueCrypt is available for OS X. Seems like handy misdirection to me!
Yes, TrueCrypt is a great tool. Even the FBI couldn’t crack it. If you use the fake outer container approach, be sure to stock it with normal-looking content that a foreign cop would believe you’d have an interest in encrypting, but is otherwise meaningless.
@Derek I’ve got plenty of “real” data actually, like old presentations and marketing documents, they are welcome to pilfer. That should do quite well. Thanks again for the tip!
That is called “plausible deniability”.
Now that you’ve disclosed your strategy publicly, you cannot reasonably claim “plausible deniability”.
Am I the only one who finds it improbable that you of all people didn’t already know about TrueCrypt?
Is this some sort of “plausible deniability” trick, saying that you didn’t know about it? We’re on to you, Mr. Grossman.
I agree, TrueCrypt is a great tool, and its hidden volumes feature is outstanding for people really interested in privacy and security. Definitely look into it.
Be as it may….. anyone with comprehensive knowledge of encryption schemes and tools can easily determine that there is something awry with a fake… i.e. the RAW information on unmounted disks… If you find yourself in such a precarious situation that you have to reveal your password, ideally you’d want it to destroy the relevant data, no? This message will self destruct in 5 seconds…. POOF!
Hey have you ever put that border crossing reason for encryption to the test? Can you refuse to give password and still get on the plane?
@Ashely Nah, I’ve never been asked. What I have seen are the headlines, laws, tales of others, and law enforcement statements. Makes me nervous. I wanted to be prepped for the first time, which I hope never happens.
Depends on where you are – but you’re definitely not leaving/entering with your electronics. In the U.S. while you don’t have to give your password to police inside the country – you can not withhold your password at the border (without risking confiscation and/or other repercussions).
This is the reason that for most law/financial firms where professionals are traveling internationally no confidential information is stored locally on the computer, and all work needs to be done via vpn/remote desktop…so that there is nothing to find on the computer that was used for travel. I know at some firms, computers (and phones/blackberries) are specially issued for trips to places like China and Russia. These are specially secured (usb ports and case seams glued in, encrypted, etc.) and are immediately erased/wiped upon return to the US – since hacking/state surveillance is so prevalent…
Jeremiah,
o You describe basically the same approach that I use: a fully-encrypted disk to keep things secure, with stuff I want kept even-more-secure in encrypted disk images. I documented that on my blog at http://unvexed.blogspot.com/2011/06/how-to-keep-things-secure-in-your.html The additional trick from that post that I’d recommend for you is to consider keeping at least some of your encrypted disk images in a versioning cloud service like Dropbox. (Ideally, since like me you are using a Mac, you’d use encrypted sparse bundle disk images, which are bandwidth-friendly.) The key is the versioning: you can go back in time using their web interface and retrieve a previous version of a file. In this case, that would have allowed you to retrieve a version with your previous password. (A good incremental backup utility like Time Machine–or, for Windows, Acronis True Image–would allow retrieval of an earlier version, too, and since you’re using a Mac I’m curious why Time Machine wouldn’t have allowed you to go far enough back to get to an old-password version of the disk image.) Note 1Password has an option to store its encrypted password file in your Dropbox… a really good idea, IMHO …assuming your 1Password password is a strong one!
o But, you seem to use really big encrypted disk images, which makes cloud storage and electronic transmittal problematic. IMHO, that’s a bad idea for things like storage of short but mission-critical things like password lists. Better to put items like that in a small disk image, maybe 20MB, just big enough for the job, when possible.
o I hope your readers also note your vivid illustration of how beneficial strong passwords are: long ones with lots of random characters that won’t succumb to a dictionary attack, leaving the attacker with only the choice of mounting a massive compute effort. As your experience underscores, the reason this story had a happy ending is because you were able to whittle down the unknown characters in the password to a handful, vastly easing the job of the forensic pros you were working with. Lucky!
Congratulations on your happy ending.
Exactly the same thing happened to a friend of mine a year ago. He changed the LUKS password on his company’s main Linux server, but he never used the new password for some months and neither did he write it down. Then the server was shut down because he was sure he remembered the password, but he couldn’t remember it. The server remained offline for two weeks while I cracked the password using the bits he remembered and a custom parallel program I developed to do the key space exploration. His company survived.
@JoeChip Oh man, they were out of business for two weeks!? Ouch. At least I could get SOME work done. That’s bad.
They did do business during that time, but only with new projects, and they redid those that were in progress. All existing information was unavailable, including emails, files, contact information, etc. I’m talking about nearly fifteen people, and they were highly demoralized at the time. It was really painful to see.
Hi Jeremiah
Hair-raising, page-turner of a tale to be sure. Really glad that it came out well. Thanks so much for your candor, decision to share it with us, and your usual excellent writing and documentation. This tale, or a stylized version of it with lessons learned, should be required reading for …, well everybody.
Congratulations to all of you at WhiteHat on your recent round of funding.
Be well
RayK
@Ray Hey! Thanks for the kind words. I’m relieved too! I figure we learn the most from “failures” and life challenges, even in compsec where I’m supposed to be some kind of pro. hah
This is exactly why I always keep paper backup of the master passkey. But, the paper backup is encrypted with light encryption. Why not use a strong one? It really doesn’t matter, the master password is a random string and 16 chars long. Then it’s encrypted with a simple phrase, using substitution, partitioning and transposition. After those steps, I’m confident that the password on paper is also utterly useless to anyone without knowledge of how it is encrypted and what the simple passphrase is. The backup key is also hidden outside any reasonable search area.
You should also be aware of corruption risk of encrypted data. Therefore it’s better to always have an off-site backup set with different encryption key(s).
You’re leaving out the scenario where your attorney’s office burns down, or he has an affair and absconds to Latin America just prior to your needing the document. I’m no security professional but many times I feel guilty for leaving all my highly portable and easy to steal devices so vulnerable to these many risks you mention (theft, border inspection, etc.) I’m even more terrible about up to date, local and offsite backup. With miniaturization we really need to reconsider how security is going to work. Eventually every box of Cracker Jack will come with a robotic mosquito that can go steal all your neighbor’s passwords as he types them in. FMRI might even improve to the point you can just read the password off as brain signals as they approach the ATM or iPad. A paper backup is no panacea. In event of your death it might not be found by the people you want to find it. Or alternately it may be found by people you’d rather didn’t find it. The best solution will probably be a loyal robot butler who can manage these things for us. At least one that leads us to believe it is loyal…
@The Dude Think they sell a loyal robot on Amazon? I have Prime!
As long as my data is backed up and protected in such a way that it satisfies my paranoia, I can live with that. I got a few details wrong in my model and I’ll adjust accordingly.
> The best solution will probably be a loyal robot butler
And where do I store the root password for controlling the butler? Turtles (I mean Robot Butlers) all the way down?
Hi
for simple safety I would recommend http://supergenpass.com/customize/
Also I follow the idea of depositing the password some place safe – and by this I do not explicitly mean a lawyer. I suppose parents, grandparents make up for this too.
For myself I decided not to use any encryption on backup files. I can understand your concern about a stolen laptop, and your idea of putting password into encrypted containers is quite nice. Nevertheless – an unencrypted backup, maybe in the vault of your bank – or again at some family member you can trust completely (I want to point out, that in marriage there is sometimes … let’s say .. a problem) is the most appealing to me. If your data is so important to you I think you probably have a backup offsite(!) – just in case the house burns down or a burglar happens to find your data.
Olaf
@Olaf I use different physical locations for my backup data, which is not on a network. The thing is, I’m just as concerned with physical possession being obtained by law enforcement warrant as a robbery. In that sense, a safe is not good enough for protecting plain text data.
god damn it you are a massive retard for forgetting your password; just use your pets name next time.
@fucktard my dogs name is $8ahad_^
Had to re-read username. made me blink. Jer, you’re normally so soft spoken. True Laugh Out Loud.
I like your setup in general, but I find the only issue with storing such large amounts of data in a disk image is that you can’t change the password of that image. Even on a semi-regular basis it would be tedious as the only real way of doing it is to create a new disk image with a new password, and then drag all your files across from the old one.
I’m guessing this is what you had to do once your password became known by those involved?
@SG You are exactly right and that is correct. Fortunately I never had to give the DMG in question to anyone. It stayed with me.
“…an awful deficiency in one of them”; care to share a detail or two?
The password :
Part one -> attorney
Part two -> bank vault
@Eric That was one of the deficiencies…. lack of paper backup. Gave too much credit to my memory. I must be getting old or something.
Don’t rely on paper backup. Instead, rely on securely splitting up your password: http://www.moserware.com/2011/11/life-death-and-splitting-secrets.html
@Aleksandr This sounds like a good idea. I’m in the process of reconsidering all my personal computer security habits. This could come in handy. Thanks for sharing!
I have the EXACT same problem, but I just gave up hope. Is there a way I can get ahold of him? I’d certainly pay for his services!
@Jonathan Get ahold of the guys at Stricture? http://stricture-group.com/about.htm Just call the number or hit em up on Twitter.
I will thanks! If I wanted to try my hand at it first, do you have the configuration you used for johntheripper? I successfully compiled the whole thing and dmg2john, but I don’t understand how to setup an incremental search using just select letters on my keyboard
Oh, come on man, after all this you GOTTA share the password with us! I’m dying of curiosity! Besides, I guess you must’ve changed it by now so…. Please?
@Alfred LOL. No chance in hell. Should someone have ever gotten that DMG, somehow, someway, they could have unlocked it.
Admit it, Jer, it was hunter2. Or 123456, right?
Man, that is one daunting tale. One of my colleagues just went through this, but unlike you, he remembered it two days later. Very glad it worked out for you.
Oh, and thanks for sharing some of the things you do. You gave me a number of things that I should be doing as well. I do wonder what the impact of using FileVault is with something like TrueCrypt and Dropbox. I don’t store much of anything locally, but I use a TrueCrypt container which I store on Dropbox.
Any thoughts on that? Any preferences on the use of encrypted containers and the cloud?
And yes, that BJJ BB would hopefully be of some use in the event of a guy coming at you with a wrench.
Tony
For myself, I figure everything that goes into the cloud, or things like Dropbox, is basically public. I’d prefer for my most prized data possessions that people not even get the opportunity to hack at it. For other types of data, that might be perfectly acceptable risk / convenience.
[...] Jeremiah Grossman on ‘Password Cracking AES-256 DMGs and Epic Self-Pwnage’ [...]
loss of a crypto passphrase is such an awful failure mode that i’ve managed to never lose one myself.
your solution was definitely interesting, i like to keep an encrypted offsite copy of my data whenever possible.
My data size was many gigs, so paper backup wasn’t necessarily an option. Fortunately, I came out of the incident relatively unscathed. Now must figure out how best to account for that with a new personal security system.
My master password is split using Shamir’s secret sharing among very close friends and relatives, and a minimum threshold of passwords from the pool of shared keys is needed to decrypt the password. For good measure I also share the PHP code to the application.
Not letting DMGs or TrueCrypt volumes “mounted” or “opened” for long periods when unnecessary is a very good idea.
It can be a bit annoying, but it’s a meaningful security trade-off to me.
Use SHA1_Pass to recall your passwords.
Hi Jeremiah,
Very interesting read. I recently launched passguardian.com to help with this exact scenario. It’s a web app that can generate “shares” of a password, each share being a random number that doesn’t reveal anything about the original password. Reconstructing the password requires only that the “threshold” number of shares are available. Check it out and let me know what you think.
Regards,
Alex
I will do that. Thanks for the tip!
Whenever I change my password I force myself to immediately use it at least 3 times right away. This helps embed the password in my head. So for a DMG I mount, unmount, remount the image several times.
[...] is an educational story about breaking your own, forgotten, [...]
How will this change the way you choose and store passwords?
Working on that now actually. I make changes to my personal behavior this way slowly as a lot of variables need to be accounted for.
why cracking when you can use Inception?
If you have physical access to the machine you can attach over Thunderbolt…
[...] most shocking security exploits ever: PC World; Why US Internet Access Is Slow and Expensive: Gizmodo; Password Cracking AES-256 DMGs and Epic Self-Pwnage: [...]
You should consult your attorney (or several) before believing that privilege will protect your information: Attorney-client privilege may cover 1. confidential 2. communications 3. between attorney and client 4. undertaken for the purposes of providing or receiving legal advice. It seems doubtful that the scenario you describe would satisfy all those criteria. There is no privilege for information you’ve merely required your attorney to hold on your behalf without some significant nexus to actual legal advice. Actual assessment and application of criteria varies by jurisdiction. Could you link the provision of the paper backup to counsel with some relevant request for legal advice? That link would still be subject to challenge, evaluation of which might involve limited disclosure to the court, and which, of course, might result in a finding that no attorney-client privilege actually obtains in the document.
[...] Link. Every geek should read. Note he has never thought about what to do if he’d had a head injury. Or died. [...]
SpiderOak offers an encrypted, hands off approach to your data. If you lose the password, you are SOL. Just an idea for a location to store an encrypted password file. 2GB free. More is cheap. TrueCrypt as mentioned is amazing. There is a lot of wizardry you can do with it. ImDisk RAMdrive software to mount IMG in RAM is not bad either. Reboot and everything is cleared out. Doesn’t touch the local drive that way.
[...] Jeremiah Grossman’s Self Pwnage [...]
[...] “A great feature of DMG files is that they can be stored anywhere (hidden in some obscure directory on the local machine, on a network storage device, on a USB drive… wherever). I usually keep all my confidential files this way, in a series of DMG files encrypted with separate passwords,” Grossman said in a post on his blog. [...]
[...] A fascinating story about how a security specialist had to crack his own password [...]
[...] The dangers of losing your master password - A well-known security researcher, Jeremiah Grossman, shares a great anecdote on how very strong security practices can come back and bite you due to user error. [...]
[...] This isn’t the usual post about some nincompoop making yet another foolish security mistake. It’s about a guy who does (almost) everything right and almost loses it all. Over at the White Hat Security Blog, Jeremiah Grossman tells a chilling tale about the day he forgot a password. [...]
FWIW, I also use one Very Important Password, but there’s little chance I would ever forget it, because I only ever change it if I suspect it may have been revealed. Since I never write it down nor disclose it to anyone, I don’t think this would actually ever happen (especially considering the effort described in this article).
Maybe I missed something, but why not restore the last backup of your disk image (before the password change)? This image should still be encrypted with the old password. Sure, you’ll lose a few hours/days/weeks of work, but compared to the alternative of losing it all it seems pretty good?
By the way, I would fully recommend truecrypt instead of your current approach, for many reasons. One is portability, the image can be mounted on OSX, Windows, Linux, etc. Another would be plausible deniability, an encrypted volume is undetectable. A third is the “hidden volume” feature: Decrypt a volume with one key: Get family photos. Decrypt the same volume with another key: get sensitive documents.
I got here from Tidbits and as a casual computer user I am gobsmacked by what sorts of information All You Big Users must have that requires contemplation of border guards, drugs and torture. I don’t even have a lawyer. Really, truly. I am boggled. My craft tutorials and dog pictures that I so carefully 1Password seem…. Well, they are important to me and my world, so that is what matters. Thank you for sharing your experience! I learned a lot, mostly about what I don’t know enough about to start learning about it. That makes today a good day!
Edie
It sounds like the TrueCrypt feature you really need is volume header backup. Have a look around the middle of this page: http://www.truecrypt.org/docs/?s=program-menu … once you back up the volume header, uuencode it, QR encode it, print it, and put THAT in your lawyer’s safe. If you ever lose your password you can restore the header from the printout, even if you’ve changed the password since you created the header backup.
You should stop smoking marijuana!
Wow, what a ride! I haven’t read something like this in a while. My passwords are all 31 characters of random trash, I would never be able to remember them. I better come up with a solution. So I have to consider a print somewhere in a very secret place and should I (gulp) leave it with an attorney or an actual bank vault? I apologise for all the grief you went through, including your wife. Thanks a million for leaving us your experience. Fantastic read and many terrific lessons learned. I would have one problem, I don’t have all those contacts you do. Cheers!
[...] Password Cracking AES-256 DMGs and Epic Self-Pwnage | WhiteHat Security Blog. [...]
[...] What was that password again? [...]
[...] Grossman, CTO of Whitehat Security, stated on his blog after a recent password recovery that required brute-force breaking of his password [...]
Oh dear! I have been in this situation and know so many others who have! I don’t think there is anything worse. We keep so much of our lives on our computers, being locked out feels like you have been locked out of your entire life! If it ever happens again just check out http://www.passwordresetter.com it literally saved my (virtual) life and was sooo quick and easy to use!!!
[...] “A great thing about DMGs is that they can be stored anywhere — hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords,” said Grossman in a blog post. [...]