From: Ohm on
I have encrypted my data with this passphrase (example passphrase):

()Hnnn&&/7+BarakObama

If I understand it correctly a brute force attack will keep trying
dictionary words until it finds a match.

My concern is this, will an attacker find out every single digit of my
passphrase while cracking it or do they have to wait to get the whole
pass phrase before knowing what it was?

I am thinking that once an attacker has seen that my passphrase is composed of:

()Hnnn&&/7+Barak

They may stop cracking and try Obama next after they have found the word
Barak, this could make it quicker for them to crack the pass phrase.

Am I correct in this?

Thank you
From: mike clark on
On Jun 4, 5:41 am, Ohm <O...(a)no.no> wrote:
> I have encrypted my data with this passphrase (example passphrase):
>
> ()Hnnn&&/7+BarakObama
>
> If I understand it correctly a brute force attack will keep trying  
> dictionary words
> until it finds a match.
>
> My concern is this, will an attacker find out every single digit of my
> passphrase while cracking it or do they have to wait to get the whole
> pass phrase before knowing what it was?
>
> I am thinking that once an attacker has seen that my passphrase is  
> composed of:
>
> ()Hnnn&&/7+Barak
>
> They may stop cracking and try Obama next after they have found the word  
> Barak,
> this could make it quicker for them to crack the pass phrase.
>
> Am I correct in this?
>
> Thank you

Most likely they will have to get the whole password. In my undergrad
security class, however, we talked about an old OS (can't remember
which one) that would check the password one character at a time. An
attacker could then use timing analysis to crack the password letter
by letter. In that case, yes, it might make the brute force of
something like you described easier. With any modern OS the attacker
will have to get the entire password though.
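
The difference described in the post above, as an added example that is not part of the original thread: an early-exit character-by-character check reveals how long the correct prefix of a guess is, while a check on a salted hash of the whole passphrase gives only a yes or no. All function names, the salt and the iteration count are assumptions made for illustration; the byte counter stands in for measured running time.

```python
import hashlib
import hmac

# Constructed sample values: the thread's example passphrase and a fixed salt.
PASSPHRASE = b"()Hnnn&&/7+BarakObama"
SALT = b"constructed-salt"

def leaky_compare(stored, guess):
    """Character-at-a-time check with early exit (the flawed design).
    Returns (match, bytes_examined); bytes_examined stands in for the
    running time an observer could measure."""
    examined = 0
    for s, g in zip(stored, guess):
        examined += 1
        if s != g:
            return False, examined
    return len(stored) == len(guess), examined

def derive(passphrase, salt=SALT):
    """Salted, iterated hash of the whole passphrase (sample iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000)

def hashed_check(stored_key, guess):
    """Whole-passphrase check; compare_digest does not stop at the
    first differing byte, so the result is a bare True/False."""
    return hmac.compare_digest(stored_key, derive(guess))

def matching_bytes(a, b):
    """Number of positions where two equal-length digests agree."""
    return sum(x == y for x, y in zip(a, b))

if __name__ == "__main__":
    key = derive(PASSPHRASE)
    for guess in (b"xxxx", b"()Hxxx", b"()Hnnn&&/7+Barak", PASSPHRASE):
        ok, examined = leaky_compare(PASSPHRASE, guess)
        print(guess, "| leaky:", ok, "bytes examined:", examined,
              "| hashed:", hashed_check(key, guess),
              "digest bytes agreeing:", matching_bytes(key, derive(guess)))
```

With the leaky check the examined count grows as the guess gets closer; with the hashed check a nearly right guess produces a digest unrelated to the stored one.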
From: Maaartin on
On Jun 4, 4:01 pm, mike clark <m...(a)netadv.net> wrote:
> Most likely they will have to get the whole password. In my undergrad
> security class, however, we talked about an old OS (can't remember
> which one) that would check the password one character at a time. An
> attacker could then use timing analysis to crack the password letter
> by letter. In that case, yes, it might make the brute force of
> something like you described easier. With any modern OS the attacker
> will have to get the entire password though.

Unless you use Windows with "LM hash", which is AFAIK still on by
default. But I'm far from calling it a modern system.
From: Stewart Malik on
> Unless you use Windows with "LM hash", which is AFAIK still on by
> default. But I'm far from calling it a modern system.

Since Vista, NTLM hashing was used. Don't know why it's still insecure.

From: Maaartin on
On Jun 6, 3:20 am, Stewart Malik <mali0...(a)gmail.com> wrote:
> > Unless you use Windows with "LM hash", which is AFAIK still on by
> > default. But I'm far from calling it a modern system.
>
> Since Vista, NTLM hashing was used. Don't know why it's still insecure.

I don't know *if* it's still insecure. But who cares about Vista? For
kiddies the fancy look&feel may be important, but many businesses
don't want to pay the cost for the transfer and risk that nothing works
anymore. Companies are still running XP or Server 2000, etc.

However, the "ideas" behind the LM hash are simply criminal:
- processing the password in 7 char long chunks.
- converting into uppercase
- restricting to ANSI charset
- missing salt
Something as stupid as this might be acceptable for a freeware made by
a small company, but not when made by a monopolist OS vendor.

They should have been ordered to switch it off immediately and pay for
all the resulting costs.