[Novalug] Password in Plain Text :(

shawn wilson ag4ve.us@gmail.com
Tue Jul 9 14:21:28 EDT 2013


On Tue, Jul 9, 2013 at 1:58 PM, Christopher Jones
<christopher.donald.jones@gmail.com> wrote:
> I was trying to avoid having the password to truecrypt stored on any volume
> that's not truecrypt encrypted. Entering the password is probably the only
> way.
>
> Still I'm going to check out dmcrypt. The reason I use truecrypt is because
> it's successfully stood up against brute force by all sorts of authorities.
> No one has cracked it as far as I know. People were protected in court
> because of truecrypt.
>

No one has cracked what?
http://www.soldierx.com/bbs/201306/oclHashcat-plus-cracks-TrueCrypt

Basically, how long and complex is your password? If your password is
<13 characters and I've got decent rules and enough power, it's
completely doable - there are too many variables (and I don't know
what algo TrueCrypt uses) so I can't even start to guess on time, just
saying the software is there.

Ooh, and jtr can do it too:
http://www.openwall.com/lists/john-users/2012/07/22/3

Basically, no crypto is unbreakable - it's all about time.

>
> On Tue, Jul 9, 2013 at 12:33 PM, Derek LaHousse <dlahouss@mtu.edu> wrote:
>>
>> Why not have truecrypt read a keyfile, rather than a password?  Also,
>> while I'm not a fan of truecrypt, it may take "-" as an option to -p,
>> allowing you to pipe in the file containing the password like so:
>> truecrypt -p - other options < credentials.key
>>
>> If truecrypt doesn't take the file this way, you need a better encryption
>> software.  Might I recommend dm-crypt?
>>
>>
>> On Mon, Jul 8, 2013 at 2:53 PM, Christopher Jones
>> <christopher.donald.jones@gmail.com> wrote:
>>>
>>> I was using entry via cli but it was hiding the password. The problem was
>>> that the script passed the password into an option like this:
>>>
>>> truecrypt mount /dev/sde/ -p "password"
>>>
>>> so even if it was in a file it would pass that command line option
>>> eventually and still show up with a "ps -aux"
>>>
>>> what I did instead was just call the truecrypt cli with the mount point
>>> and entered the password (not in the script) when prompted by truecrypt
>>> running as root.
>>>
>>> then the script calls keepassx and that's a gui tool only so I put the
>>> password in there as well.
>>>
>>> All this is running as root. And as far as I know that's the way it
>>> should be to protect the passwords.
>>>
>>>
>>> On Mon, Jul 8, 2013 at 12:56 PM, James Ewing Cottrell, III
>>> <jecottrell3@comcast.net> wrote:
>>>>
>>>> OOPS! You goofed, Richard.
>>>>
>>>> What you mean is "> /dev/null".
>>>>
>>>> Standard Best Practice when dealing with plaintext passwords is:
>>>>
>>>> [1] Type them in as a User
>>>> [2] Put them in a File and read from that.
>>>>
>>>> They should never:
>>>>
>>>> [3] go on a command line (using `cat file` is prohibited too)
>>>> [4] go in your environment (that is readable by PS too)
>>>> [5] be embedded in a script (use [2] instead).
>>>>
>>>> Making PS non-executable is Not An Option!
>>>>
>>>> JIM
>>>>
>>>> ----- Original Message -----
>>>> From: "Roger W. Broseus" <rogerb@bronord.com>
>>>> To: novalug@calypso.tux.org
>>>> Sent: Friday, July 5, 2013 10:17:22 PM
>>>> Subject: Re: [Novalug] Password in Plain Text :(
>>>>
>>>>
>>>>
>>>> Perhaps the final output is going to standard output, i.e., tty
>>>> (terminal).
>>>>
>>>> You might try piping by adding
>>>>
>>>>
>>>> | /dev/null
>>>> /dev/null is a nice place to send stuff you never want to see again.
>>>>
>>>> I'd be curious to know if this works.
>>>>
>>>> Aside: how "big" is the phantom character "null?" Same as a "normal"
>>>> character.
>>>> --
>>>> Roger W. Broseus - Linux User
>>>>     Email: RogerB@bronord.com Web Site: www.bronord.com
>>>>
>>>> On 07/05/2013 08:34 PM, novalug-request@calypso.tux.org wrote:
>>>>
>>>>
>>>> Message: 2
>>>> Date: Fri, 5 Jul 2013 19:48:56 -0400
>>>> From: Christopher Jones <christopher.donald.jones@gmail.com>
>>>> Subject: [Novalug] Password in Plain Text :(
>>>> To: Novalug <Novalug@calypso.tux.org>
>>>> Message-ID: <CADJBR=Cw1w9AfuF2zBzF=fD52YsLxBUZK9RTWACz7V9yVjYa9A@mail.gmail.com>
>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>
>>>> So I use encryption software to encrypt some data 2x with two different
>>>> applications.
>>>>
>>>> I made a script that opens each one at a time and passes a password entered
>>>> from the CLI to each one. The problem is the commands are listed in plain
>>>> text when I run
>>>>
>>>> ps -aux | grep the app
>>>>
>>>> so I get something like
>>>>
>>>> commandtomountencrypted volume -p "clear text password"
>>>>
>>>> Now the script itself doesn't show the password when I'm typing it. Is
>>>> there any way I can stop the command from showing the options in a ps
>>>> output? Specifically hiding the password option?
>>>>
>>>> Thanks.
>>>> --
>>>> Chris Jones
>>>> RHCSA
>>>>
>>>> _______________________________________________
>>>> Novalug mailing list
>>>> Novalug@calypso.tux.org
>>>> http://calypso.tux.org/mailman/listinfo/novalug
>>>
>>>
>>>
>>>
>>> --
>>> Chris Jones
>>> RHCSA
>>>
>>>
>>>
>>
>
>
>
> --
> Chris Jones
> RHCSA
>
>
>
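
The command-line exposure discussed in this thread, as an added example that is not part of the original messages: it starts a stand-in child process three ways (secret as an option, secret expanded from `cat file`, secret read from stdin) and checks whether the secret appears in the process's visible command line. The `mounter` child, the helper names `visible_args` and `probe`, and the secret are constructed for illustration; no TrueCrypt behaviour is assumed.

```shell
#!/usr/bin/env bash
# Added example. The secret, the key file and the "mounter" child are constructed
# stand-ins; no TrueCrypt or real credentials are involved.

# Command line of a PID as any local user running ps would see it.
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a stand-in child in the given mode and report whether the secret
# shows up in its visible command line: prints "leaked" or "hidden".
probe() {
    local mode=$1 secret=$2 keyfile pid seen
    keyfile=$(umask 077; mktemp)          # file readable by the owner only
    printf '%s\n' "$secret" > "$keyfile"
    case $mode in
        option)   # -p "password", as in the original script
            sh -c 'sleep 2; exit 0' mounter -p "$secret" >/dev/null 2>&1 & ;;
        catfile)  # -p `cat file`: the shell expands it before exec, same exposure
            sh -c 'sleep 2; exit 0' mounter -p "$(cat "$keyfile")" >/dev/null 2>&1 & ;;
        stdin)    # secret arrives on stdin; argv holds only a placeholder
            sh -c 'read -r pw; sleep 2; exit 0' mounter -p - <"$keyfile" >/dev/null 2>&1 & ;;
        *) rm -f "$keyfile"; return 2 ;;
    esac
    pid=$!
    sleep 0.5                             # let the child exec before sampling
    seen=$(visible_args "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$keyfile"
    case $seen in
        *"$secret"*) echo leaked ;;
        *)           echo hidden ;;
    esac
}
```

`probe option` and `probe catfile` report `leaked`, while `probe stdin` reports `hidden`.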


