[Novalug] Password in Plain Text :(

shawn wilson ag4ve.us@gmail.com
Tue Jul 9 14:43:31 EDT 2013


On Tue, Jul 9, 2013 at 2:26 PM, Derek LaHousse <dlahouss@mtu.edu> wrote:
> http://www.truecrypt.org/docs/header-key-derivation
> Truecrypt uses PBKDF2 to get the encryption key.  Which is the same as
> dmcrypt.  But dmcrypt is in Debian main, whereas Truecrypt isn't.
>
> As for storing the password... You pretty much have to store the password if
> you want it to be entered without human intervention.  You could make use of
> a smartcard (or your TPM) to make it harder to access for Joe Random, but in
> general, root can get it if it's used.
>

Yes, but you can go through abstraction - PBKDF2 does this through
running the password through cycles of hashing (100 is default iirc).
So, basically, take the key, hash it x 100. There might be some
alteration between hashing (truncation or math or whatever) but it's
not really necessary (afaik) the point is to get a max length key to
encrypt data with.

(IIRC again :) ) LUKS even stores the encrypted key in metadata which
defeats half of the point of PBKDF2's multiple hashing for me (the
lock is with the key). But, no matter - using random data for your
password, putting it in an AES256 file that is kept with you and used to
unlock the LUKS password corrects this.

>
> On Tue, Jul 9, 2013 at 2:21 PM, shawn wilson <ag4ve.us@gmail.com> wrote:
>>
>> On Tue, Jul 9, 2013 at 1:58 PM, Christopher Jones
>> <christopher.donald.jones@gmail.com> wrote:
>> > I was trying to avoid having the password to truecrypt stored on any
>> > volume
>> > that's not truecrypt encrypted. Entering the password is probably the
>> > only
>> > way.
>> >
>> > Still I'm going to check out dmcrypt. The reason I use truecrypt is
>> > because
>> > it's successfully stood up against brute force by all sorts of
>> > authorities.
>> > No one has cracked it as far as I know. People were protected in court
>> > because of truecrypt.
>> >
>>
>> No one has cracked what?
>> http://www.soldierx.com/bbs/201306/oclHashcat-plus-cracks-TrueCrypt
>>
>> Basically, how long and complex is your password? If your password is
>> <13 characters and I've got decent rules and enough power, it's
>> completely doable - there are too many variables (and I don't know
>> what algo TrueCrypt uses) so I can't even start to guess on time, just
>> saying the software is there.
>>
>> Ooh, and jtr can do it too:
>> http://www.openwall.com/lists/john-users/2012/07/22/3
>>
>> Basically, no crypto is unbreakable - it's all about time.
>>
>> >
>> > On Tue, Jul 9, 2013 at 12:33 PM, Derek LaHousse <dlahouss@mtu.edu>
>> > wrote:
>> >>
>> >> Why not have truecrypt read a keyfile, rather than a password?  Also,
>> >> while I'm not a fan of truecrypt, it may take "-" as an option to -p,
>> >> allowing you to pipe in the file containing the password like so:
>> >> truecrypt -p - other options < credentials.key
>> >>
>> >> If truecrypt doesn't take the file this way, you need a better
>> >> encryption
>> >> software.  Might I recommend dm-crypt?
>> >>
>> >>
>> >> On Mon, Jul 8, 2013 at 2:53 PM, Christopher Jones
>> >> <christopher.donald.jones@gmail.com> wrote:
>> >>>
>> >>> I was using entry via cli but it was hiding the password. The problem
>> >>> was
>> >>> that the script passed the password into an option like this :
>> >>>
>> >>> truecrypt mount /dev/sde/ -p "password"
>> >>>
>> >>> so even if it was in a file it would pass that command line option
>> >>> eventually and still show up with a "ps -aux"
>> >>>
>> >>> what I did instead was just call the truecrypt cli with the mount
>> >>> point
>> >>> and entered the password (not in the script) when prompted by
>> >>> truecrypt
>> >>> running as root.
>> >>>
>> >>> then the script calls keepassx and that's a gui tool only so I put the
>> >>> password in there as well.
>> >>>
>> >>> All this is running as root. And as far as I know that's the way it
>> >>> should be to protect the passwords.
>> >>>
>> >>>
>> >>> On Mon, Jul 8, 2013 at 12:56 PM, James Ewing Cottrell, III
>> >>> <jecottrell3@comcast.net> wrote:
>> >>>>
>> >>>> OOPS! You goofed, Richard.
>> >>>>
>> >>>> What you mean is "> /dev/null".
>> >>>>
>> >>>> Standard Best Practice when dealing with plaintext passwords is:
>> >>>>
>> >>>> [1] Type them in as a User
>> >>>> [2] Put them in a File and read from that.
>> >>>>
>> >>>> They should never:
>> >>>>
>> >>>> [3] go on a command line (using `cat file` is prohibited too)
>> >>>> [4] go in your environment (that is readable by PS too)
>> >>>> [5] be embedded in a script (use [2] instead).
>> >>>>
>> >>>> Making PS non-executable is Not An Option!
>> >>>>
>> >>>> JIM
>> >>>>
>> >>>> ----- Original Message -----
>> >>>> From: "Roger W. Broseus" <rogerb@bronord.com>
>> >>>> To: novalug@calypso.tux.org
>> >>>> Sent: Friday, July 5, 2013 10:17:22 PM
>> >>>> Subject: Re: [Novalug] Password in Plain Text :(
>> >>>>
>> >>>>
>> >>>>
>> >>>> Perhaps the final output is going to standard output, i.e., tty
>> >>>> (terminal).
>> >>>>
>> >>>> You might try piping by adding
>> >>>>
>> >>>>
>> >>>> | /dev/null
>> >>>> /dev/null is a nice place to send stuff you never want to see again.
>> >>>>
>> >>>> I'd be curious to know if this works.
>> >>>>
>> >>>> Aside: how "big" is the phantom character "null?" Same as a "normal"
>> >>>> character.
>> >>>> --
>> >>>> Roger W. Broseus - Linux User
>> >>>>     Email: RogerB@bronord.com Web Site: www.bronord.com
>> >>>>
>> >>>> On 07/05/2013 08:34 PM, novalug-request@calypso.tux.org wrote:
>> >>>>
>> >>>>
>> >>>> Message: 2
>> >>>> Date: Fri, 5 Jul 2013 19:48:56 -0400
>> >>>> From: Christopher Jones <christopher.donald.jones@gmail.com>
>> >>>> Subject: [Novalug] Password in Plain Text :(
>> >>>> To: Novalug <Novalug@calypso.tux.org>
>> >>>> Message-ID: <CADJBR=Cw1w9AfuF2zBzF=fD52YsLxBUZK9RTWACz7V9yVjYa9A@mail.gmail.com>
>> >>>> Content-Type: text/plain; charset="iso-8859-1"
>> >>>>
>> >>>> So I use encryption software to encrypt some data 2x with two
>> >>>> different
>> >>>> applications.
>> >>>>
>> >>>> I made a script that opens each one at a time and passes a password
>> >>>> entered
>> >>>> from the CLI to each one. The problem is the commands are listed in
>> >>>> plain
>> >>>> text when i run
>> >>>>
>> >>>> ps -aux | grep the app
>> >>>>
>> >>>> so I get something like
>> >>>>
>> >>>> commandtomountencrypted volume -p "clear text password"
>> >>>>
>> >>>> Now the script itself doesn't show the password when I'm typing it.
>> >>>> Is
>> >>>> there any way I can stop the command from showing the options in a ps
>> >>>> output? Specifically hiding the password option?
>> >>>>
>> >>>> Thanks.
>> >>>> --
>> >>>> Chris Jones
>> >>>> RHCSA
>> >>>>
>> >>>> _______________________________________________
>> >>>> Novalug mailing list
>> >>>> Novalug@calypso.tux.org
>> >>>> http://calypso.tux.org/mailman/listinfo/novalug
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Chris Jones
>> >>> RHCSA
>> >>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>> > --
>> > Chris Jones
>> > RHCSA
>> >
>> >
>> >
>
>
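The practical point the whole thread circles is that anything placed in argv (or the environment) of a process is visible to every local user through `ps`, while a passphrase read from an owner-only file and fed to the tool on stdin (Derek's `-p -` with `< credentials.key`, Jim's rule [2]) is not. The script below is an added example, not code from any poster in the thread. It uses a hypothetical stand-in child process (constructed here so the example runs offline; a real tool that accepts `-p -` would take its place) that reports the argv an observer would have seen and the passphrase length it actually received, and it refuses to read the secret file unless it is a regular file owned by the caller with no group/other permission bits.

```python
"""Added example: keep a secret off argv, read it from an owner-only file, pass it on stdin."""
import os
import stat
import subprocess
import sys
import tempfile

# Hypothetical stand-in for an unlock tool that supports "-p -" (read passphrase from stdin).
# It prints two lines: its argv as an observer running `ps` would see it, and the length of
# the passphrase it obtained (from stdin when "-" is given, otherwise from the "-p" argument).
FAKE_TOOL = (
    "import sys\n"
    "args = sys.argv[1:]\n"
    "pw = sys.stdin.readline().rstrip('\\n') if '-' in args else args[args.index('-p') + 1]\n"
    "print(' '.join(args))\n"
    "print(len(pw))\n"
)


def secret_file_is_private(path):
    """True only for a regular file owned by the caller with mode 0600 or stricter."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


def read_secret(path):
    """Read the passphrase from disk, refusing files other users could read."""
    if not secret_file_is_private(path):
        raise PermissionError(f"{path} must be a regular file owned by you with mode 0600 or stricter")
    with open(path, "rb") as fh:
        return fh.read().rstrip(b"\r\n")


def run_tool(argv, stdin_bytes):
    """Run the stand-in tool; return (argv an observer would see, passphrase length it got)."""
    proc = subprocess.run(
        [sys.executable, "-c", FAKE_TOOL, *argv],
        input=stdin_bytes, capture_output=True, check=True,
    )
    visible_argv, pw_len = proc.stdout.decode().splitlines()
    return visible_argv, int(pw_len)


def unlock_via_argv(secret):
    """The pattern the thread warns about: the passphrase is an argument, so `ps` shows it."""
    return run_tool(["mount", "/dev/sdX", "-p", secret.decode()], b"")


def unlock_via_stdin(secret_path):
    """The fix: read from a private file and feed the tool on stdin with '-p -'."""
    secret = read_secret(secret_path)
    return run_tool(["mount", "/dev/sdX", "-p", "-"], secret + b"\n")


def write_secret_file(secret, mode=0o600):
    """Create a temporary secret file (constructed sample input) with the given mode."""
    fd, path = tempfile.mkstemp()
    os.write(fd, secret + b"\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def demonstrate(secret=b"correct horse battery staple"):
    """Run the leaky path, the stdin path, and the weak-permission failure case."""
    results = {"argv_visible": unlock_via_argv(secret)}
    path = write_secret_file(secret)
    try:
        results["stdin_visible"] = unlock_via_stdin(path)
        os.chmod(path, 0o644)  # simulate a secret file left world-readable
        try:
            unlock_via_stdin(path)
            results["weak_mode_refused"] = False
        except PermissionError:
            results["weak_mode_refused"] = True
    finally:
        os.remove(path)
    return results


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The argv case reports the full passphrase in the visible command line; the stdin case reports `mount /dev/sdX -p -` with the same passphrase length delivered, which is the whole difference between the two approaches. Note that the child's standard input is a pipe here, not a terminal, so the secret never lands in shell history, `ps` output, or the environment; the remaining exposure is root (or the file's owner), as Derek points out.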


