Bitcoin Forum
November 09, 2024, 08:13:48 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2] 3 »  All
  Print  
Author Topic: Is Dropbox a safe place keep my TrueCrypted BTC wallet backup?  (Read 5313 times)
keatonatron
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250


Jack of oh so many trades.


View Profile
June 20, 2013, 11:43:40 AM
 #21

How easy is it, really, to bruteforce a truecrypt file when the password is 35 characters long? Is bruteforce the only way? It seems like dropbox would be okay if your file is encrypted properly and doesn't stand out. If you name it something random like "charset.dll" or something, who would really spend that much time on it?

Better yet, hide it in a folder with some program that already has a bunch of .dll or .dat files, so it looks like it's just one of the require components  Cool

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
favdesu
Legendary
*
Offline Offline

Activity: 1764
Merit: 1000



View Profile WWW
June 20, 2013, 11:46:44 AM
 #22

How easy is it, really, to bruteforce a truecrypt file when the password is 35 characters long? Is bruteforce the only way? It seems like dropbox would be okay if your file is encrypted properly and doesn't stand out. If you name it something random like "charset.dll" or something, who would really spend that much time on it?

Better yet, hide it in a folder with some program that already has a bunch of .dll or .dat files, so it looks like it's just one of the require components  Cool

IIRC 8 chars take more than a life-time.

SirMintALot
Full Member
***
Offline Offline

Activity: 140
Merit: 100


In POS we trust


View Profile
June 22, 2013, 10:58:55 AM
 #23

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html

BTC: 142BHpdq4wey7PC3Cp5QiUoshF19u3yvHN LTC: LbiEUDYjohwpXnv1Gd4LvdGr1Jr1M5Usjc NMC: N3eeYkWqeLFWBJRmS3WyU1zz6WgKkjEVtb
IXC: xtR8uc2EFGWFJgrVEgZZ5yvRsWKhwAg8ZH DVC: 18oVWfSqHjvhJEuHHxsDpCfBeDMuLWyh5p CLR: CGZGWW16sooX69PJBEtJH2Xmo4KFupkow7
PPC: PLJ5uzFw21FkKdSrmfccT3MqubSfSB4soE YAC: Y7FM89AiFhWKBcXh2BzzRaw4eUAYkreXbs LBW: 5ygEWM7dMjeUV2sBeppTvkTTXCkeREKqf2
I0C: jatiogvXJYhK7auegbjPnQRV3kQgFvz482 JPU: JE7fhhPfP1Kjyd1hj8zevNsf7THeMqHo6A NVC: 4Hvecu2fzC2rCwYbKBeYXr8y9pdAZLFZHH
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3794
Merit: 2612


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 22, 2013, 11:21:37 AM
 #24

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html
Seems like a shitty encryption if it's that easy.

worldinacoin
Hero Member
*****
Offline Offline

Activity: 756
Merit: 500



View Profile
June 22, 2013, 11:22:46 AM
 #25

The safest will be to keep your backup wallet in an offline USB drive.
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3794
Merit: 2612


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 22, 2013, 11:27:01 AM
 #26

The safest will be to keep your backup wallet in an offline USB drive.
...in a safe, sunken in the deepest ocean.

SirMintALot
Full Member
***
Offline Offline

Activity: 140
Merit: 100


In POS we trust


View Profile
June 22, 2013, 11:51:24 AM
 #27

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html
Seems like a shitty encryption if it's that easy.
I guess it was a short password to prove it is working, as it was done in 40 seconds with two 6990.
This is only the beginning, the programmer has speed up the whirlpool hashing now by 58% and yet to work on cascaded modes.
But the times where Truecrypt was secure will be surely over soon, when you now can hack every windows password with a 25 GPU cluster (10x HD 7970, 4x HD 5970 (dual GPU), 3x HD 6990 (dual GPU), 1x HD 5870):
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

BTC: 142BHpdq4wey7PC3Cp5QiUoshF19u3yvHN LTC: LbiEUDYjohwpXnv1Gd4LvdGr1Jr1M5Usjc NMC: N3eeYkWqeLFWBJRmS3WyU1zz6WgKkjEVtb
IXC: xtR8uc2EFGWFJgrVEgZZ5yvRsWKhwAg8ZH DVC: 18oVWfSqHjvhJEuHHxsDpCfBeDMuLWyh5p CLR: CGZGWW16sooX69PJBEtJH2Xmo4KFupkow7
PPC: PLJ5uzFw21FkKdSrmfccT3MqubSfSB4soE YAC: Y7FM89AiFhWKBcXh2BzzRaw4eUAYkreXbs LBW: 5ygEWM7dMjeUV2sBeppTvkTTXCkeREKqf2
I0C: jatiogvXJYhK7auegbjPnQRV3kQgFvz482 JPU: JE7fhhPfP1Kjyd1hj8zevNsf7THeMqHo6A NVC: 4Hvecu2fzC2rCwYbKBeYXr8y9pdAZLFZHH
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3794
Merit: 2612


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 22, 2013, 11:55:36 AM
 #28

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html
Seems like a shitty encryption if it's that easy.
I guess it was a short password to prove it is working, as it was done in 40 seconds with two 6990.
This is only the beginning, the programmer has speed up the whirlpool hashing now by 58% and yet to work on cascaded modes.
But the times where Truecrypt was secure will be surely over soon, when you now can hack every windows password with a 25 GPU cluster (10x HD 7970, 4x HD 5970 (dual GPU), 3x HD 6990 (dual GPU), 1x HD 5870):
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Guess you can hack everything if you want to and have good equipment sooner or later.

voneiden
Newbie
*
Offline Offline

Activity: 18
Merit: 0


View Profile
June 22, 2013, 12:45:38 PM
 #29

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html
Seems like a shitty encryption if it's that easy.

Quote
PBKDF2-HMAC-SHA512 / AES: 95 kHash/s

Yeah.. it's gonna take 72 years to crack a 8 letter alphanumeric password.
mprep
Global Moderator
Legendary
*
Offline Offline

Activity: 3794
Merit: 2612


In a world of peaches, don't ask for apple sauce


View Profile WWW
June 22, 2013, 12:47:35 PM
 #30

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html
Seems like a shitty encryption if it's that easy.

Quote
PBKDF2-HMAC-SHA512 / AES: 95 kHash/s

Yeah.. it's gonna take 72 years to crack a 8 letter alphanumeric password.
Then it's not so shitty after all, is it? I'm a noob in encryption, anyone got any counter arguments?

SirMintALot
Full Member
***
Offline Offline

Activity: 140
Merit: 100


In POS we trust


View Profile
June 22, 2013, 03:13:19 PM
 #31

PBKDF2-HMAC-SHA512 / AES: 95 kHash/s
PBKDF2-HMAC-RipeMD160 boot-mode / AES: 451 kHash/s

OK, RipeMD took 40 seconds, SHA512 is 5 times slower, so it will take 10 minutes. Let's guess it was a simple password, it would take much longer with a better SHA512 password. But then remember it was just two HD6990. Let's see what we can do with a Cluster of 25 Titans: 25 x 163.0 kH/s = 4075 kHash/s. Or with a cluster of 25 HD7970: 25 x 233.0 kH/s = 5825 kHash/s.

You also have to take into consideration that you don't have to find the exact passphrase for pasword cracking, you just have to find a combination of symbols that gives you the exact same hash. d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592 is the SHA256 hash of "The quick brown fox jumps over the lazy dog". So "a!kL07gS1" might give you the same hash (it is just an example, it doesn't have the same hash) and you could decrypt the file with that as well. So what can you do for more security is either using a hashfunktion that generates a longer hash (07e547d9586f6a73f73fbac0435ed76951218fb7d0c8d788a309d785436bbb642e93a252a954f23 912547d1e8a3b5ed6e1bfd7097821233fa0538f3db854fee6 is the SHA512 hash of "The quick brown fox jumps over the lazy dog") or using an slow algorythm like blowfish. But with more hashing power the time needed to solve even those puzzles gets shorter. Just imagine what you could do with the 138 Thash/s SHA256 hashpower that the bitcoin network currently has LOL. Sure not much people here would have the money to build a cluster of 200 Titan, HD7970 or Xeon Phi just to crack some passwords, but it's no problem for the secret services (Do I hear Prism or GCHQ? Wink) or some criminal organisations to do this.

BTC: 142BHpdq4wey7PC3Cp5QiUoshF19u3yvHN LTC: LbiEUDYjohwpXnv1Gd4LvdGr1Jr1M5Usjc NMC: N3eeYkWqeLFWBJRmS3WyU1zz6WgKkjEVtb
IXC: xtR8uc2EFGWFJgrVEgZZ5yvRsWKhwAg8ZH DVC: 18oVWfSqHjvhJEuHHxsDpCfBeDMuLWyh5p CLR: CGZGWW16sooX69PJBEtJH2Xmo4KFupkow7
PPC: PLJ5uzFw21FkKdSrmfccT3MqubSfSB4soE YAC: Y7FM89AiFhWKBcXh2BzzRaw4eUAYkreXbs LBW: 5ygEWM7dMjeUV2sBeppTvkTTXCkeREKqf2
I0C: jatiogvXJYhK7auegbjPnQRV3kQgFvz482 JPU: JE7fhhPfP1Kjyd1hj8zevNsf7THeMqHo6A NVC: 4Hvecu2fzC2rCwYbKBeYXr8y9pdAZLFZHH
cp1
Hero Member
*****
Offline Offline

Activity: 616
Merit: 500


Stop using branwallets


View Profile
June 22, 2013, 04:07:24 PM
 #32

Truecrypt? LOL ... it can be cracked in no time with some Radeon GPUs:
http://hashcat.net/forum/thread-2301.html

Thanks for the link, I was looking if hashcat had been used for anything besides password hashes, but hadn't found this.

Guide to armory offline install on USB key:  https://bitcointalk.org/index.php?topic=241730.0
voneiden
Newbie
*
Offline Offline

Activity: 18
Merit: 0


View Profile
June 22, 2013, 09:06:02 PM
 #33

Then it's not so shitty after all, is it? I'm a noob in encryption, anyone got any counter arguments?

Well, it's just bruteforcing passphrases. For every character you add to the passphrase length, you change the difficulty of bruteforcing quite a lot. Let me demonstrate

Just imagine what you could do with the 138 Thash/s SHA256 hashpower that the bitcoin network currently has LOL.

OK, lets imagine. [source: http://calc.opensecurityresearch.com/ ]

Bruteforcing SHA256 at 138 terahash/s when key length is.. (oh, I just checked: according to blockchain.info the hashrate is today 174 terahash/s)
8: less than a second (lowercase alphanumeric) | 1 second (mixed alphanumeric)
9: less than a second | 1 minute 39 seconds
10: 27 seconds | 1 hour 43 minutes
11: 16 minutes | 4 days
12: 10 hours | 275 days
13: 15 days | 47 years
20: 3 billion years | 164 trillion years
256 lowercase alphanumeric characters (SHA256 hash):  Huh

So keep your passphrases long. I suppose to maximize key strength one could hash the passphrase before using any standard truecrypt algorithm. It's rather likely that an attacker would attempt to bruteforce against a known hashing algorithm (or a sequence of them), so that's one more hindrance.
Foxpup
Legendary
*
Offline Offline

Activity: 4533
Merit: 3183


Vile Vixen and Miss Bitcointalk 2021-2023


View Profile
June 23, 2013, 02:56:24 AM
 #34

If you name it something random like "charset.dll" or something, who would really spend that much time on it?

Better yet, hide it in a folder with some program that already has a bunch of .dll or .dat files, so it looks like it's just one of the require components  Cool
This a Bad Idea. The file's internal metadata (which is what anyone searching for a needle in a stack of needles will be looking at) will be a dead giveaway. Renaming a file with a different extension will not conceal it at all, and may actually make it even more conspicuous with tools that automatically flag files whose filename extension doesn't match the internal metadata. Security through obscurity doesn't work at all.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
Capitalism Prevails (OP)
Full Member
***
Offline Offline

Activity: 137
Merit: 100



View Profile
June 23, 2013, 03:02:06 AM
 #35

If you name it something random like "charset.dll" or something, who would really spend that much time on it?

Better yet, hide it in a folder with some program that already has a bunch of .dll or .dat files, so it looks like it's just one of the require components  Cool
This a Bad Idea. The file's internal metadata (which is what anyone searching for a needle in a stack of needles will be looking at) will be a dead giveaway. Renaming a file with a different extension will not conceal it at all, and may actually make it even more conspicuous with tools that automatically flag files whose filename extension doesn't match the internal metadata. Security through obscurity doesn't work at all.

It depends on how thorough the hacker is.

BTC:  1KX3MSyeHoubjvRMvkc4DXBXvEx9fr9cvV                              Strength In Numbers
LTC:  LaGawfU1ZJu33Lj6CX6NJ5WXWsfjPbLLLW                          In Cryptography We Trust
NMC:  N5EUwGbCNF1AYmZqNu9J7aYJVKxqbJoJG8          Cut Off One Node, Two More Will Take Its Place
keatonatron
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250


Jack of oh so many trades.


View Profile
June 23, 2013, 07:39:20 AM
 #36

If you name it something random like "charset.dll" or something, who would really spend that much time on it?

Better yet, hide it in a folder with some program that already has a bunch of .dll or .dat files, so it looks like it's just one of the require components  Cool
This a Bad Idea. The file's internal metadata (which is what anyone searching for a needle in a stack of needles will be looking at) will be a dead giveaway. Renaming a file with a different extension will not conceal it at all, and may actually make it even more conspicuous with tools that automatically flag files whose filename extension doesn't match the internal metadata. Security through obscurity doesn't work at all.

Do we know what a truecrypt file's metadata contains?

I would assume it doesn't have any, for the obvious security reasons. Yes, you could immediately know the file doesn't match its extension, but if that's the case you could throw in a bunch of red herrings as well! Take a random jpg, encrypt it with 40 different passwords and put them all in the same place. They'd have a 1 in 41 chance of choosing the right file to start with.

For the JPG's you could use embarrassing party photos, which provides motivation for the encryption, but no value to the hacker--so they would assume all the files are the same and there is no reason to keep cracking them.

The most important thing is probably keeping a low profile AND hiding your stuff. No one's going to look very hard if they don't suspect something is there.

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
CYPER
Hero Member
*****
Offline Offline

Activity: 812
Merit: 502



View Profile
October 08, 2013, 04:10:40 PM
 #37

My wallet.dat is encrypted via the Bitcoin-QT and then put inside an an encrypted rar archive. Both passwords are 190 bits according to KeePass (30 characters long mixture).

Why is that not secure if I put it on Dropbox?
favdesu
Legendary
*
Offline Offline

Activity: 1764
Merit: 1000



View Profile WWW
October 08, 2013, 05:20:39 PM
 #38

you can put your truecrypted wallet to any filehoster you want. mh, why not torrent it? Cheesy

it's safe.

RodeoX
Legendary
*
Offline Offline

Activity: 3066
Merit: 1147


The revolution will be monetized!


View Profile
October 08, 2013, 05:33:01 PM
 #39

My wallet.dat is encrypted via the Bitcoin-QT and then put inside an an encrypted rar archive. Both passwords are 190 bits according to KeePass (30 characters long mixture).

Why is that not secure if I put it on Dropbox?
Because I know it's there now?
No, you have some strength with that system. Even if someone got the wallet you have a long time to move the coins out of it.

The gospel according to Satoshi - https://bitcoin.org/bitcoin.pdf
Free bitcoin in ? - Stay tuned for this years Bitcoin hunt!
CYPER
Hero Member
*****
Offline Offline

Activity: 812
Merit: 502



View Profile
October 08, 2013, 08:50:10 PM
 #40

My wallet.dat is encrypted via the Bitcoin-QT and then put inside an an encrypted rar archive. Both passwords are 190 bits according to KeePass (30 characters long mixture).

Why is that not secure if I put it on Dropbox?
Because I know it's there now?
No, you have some strength with that system. Even if someone got the wallet you have a long time to move the coins out of it.

But I I will never find out if someone have a copy of my wallet.dat.
Pages: « 1 [2] 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!