Episode #1: Crypting a full Windows computer with TrueCrypt
Time and time again we hear stories of laptops with sensitive data being stolen or people going to other people’s computers without permission. Fortunately there is a simple solution to prevent data from leaking out like this. TrueCrypt, an open source package, offers the option of encrypting an entire Windows computer. It does take some time to set it up, but it isn’t all that hard. In this episode I show you how to do this with just a few clicks of the mouse and a couple of reboots. It’s so simple that you should ask yourself why you haven’t done this yet. Well: go for it!



Truecrypt provides excellent whole disk, partial disk, and “virtual partition/volume” encryption, no doubt about it. However, there’s a catch. Your data is really only as safe as the physical environment you keep it in.
see:
http://www.nytimes.com/2008/02/22/technology/22chip.html
for one of many ways your computer can be compromised.
Basically, almost nothing can stop a determined and resourceful attacker with physical access to your computer.
That said, keeping your TrueCrypt volumes in an unmounted state may be a good safety precaution. Another would be to use whole drive encryption and then use TrueCrypt volumes within that, which you keep unmounted.
Also, choose strong passwords. Strong passwords that you can remember. But never store your password on your computer unencrypted, because your hard drive can be downloaded to someone else’s hard drive and ALL strings on the drive can be added to a password cracking dictionary.
A trick I use is to take a password I have been using for a while, and then mutate it on paper, while keeping the way I pronounce it in my head. Say I chose the word “macbookair” (I didn’t, and you shouldn’t because it’s now public, but this was a good password for a base because it takes three dictionary words and puts them together for my password). Then what I might do is capitalize certain letters and change the o to 0: MacB00kAir; now I add some more shifts and it looks like MacB))kAir, or maybe I move some things around and it’s now nACb))K02 (02 for air). This might seem difficult, but once you have a strong password like this, there’s no need to change it often (some may disagree) and once it’s memorized and you use it every day for a week, it’s memorized.
Ok, there’s my 3 cents
Thanks for the podcast Brenno!
Can you say something about TrueCrypt compared to FileVault (http://en.wikipedia.org/wiki/FileVault), the encryption facility that is embedded in Mac OS X, please?
With much respect, but where the hell is that “Episode” you’re writing about here? I see numerous links, but none of them yields a media download option…
@fotoflo
I must agree that augmenting words using special characters is a great way to isolate yourself from a dictionary attack, but the emphasis these days is too much on password complexity rather than length.
You only need to make PART OF YOUR PASSWORD complex, and macbookair no matter how it is spelled is simply too short.
The latest GFX GPUs have 128 shaders, or more, which can be used independently as threads. Using this technology, each computer is now 100 times (or more) as powerful. Not to mention any proprietary hardware the CIA/NSA/FBI/Tax Department/Neighbor/Dog/Whatever has that is not in the public domain (and they do have this hardware).
And in the future, computers will get more and more powerful, and decryption technology will improve.
Having current technology of 128 threads per processor reduces your password strength by the power of 7 (7^2=128), so macbookair is now really only as strong as a three byte password. Put one hundred GFX/CPUs together, and this password can be hacked in seconds.
My recommendation:
(a) + (b)
“nACb))K02” + “TheQuickBrownFoxJumpedOverTheLazyDog”
nACb))K02TheQuickBrownFoxJumpedOverTheLazyDog
123456789012345678901234567890123456789012345
This is 45 bytes long = unhackable.
Why is this unhackable?
(http://www.lastbit.com/pswcalc.asp)
Because of exponentiality. Each bit is a doubling up of the computing power required.
See:
http://en.wikipedia.org/wiki/Brute_force_attack
The Von Neumann-Landauer Limit states that 30 gigawatts is required for one year to brute force a 128 bit key.
A 256 bit key is probably more energy than in the Sun!
The first part of the password is the complex bit that can never be hacked via a dictionary attack.
The second part of the password is easily remembered and hackable via a dictionary attack, but is “safe” because the hacker must guess the whole string, not just the dictionary part.
Because (a) and (b) must be hacked together and cannot be hacked in isolation, you now have a very long, very memorable, password that is uncrackable. One too that can be stored in the safest place in the world – your mind!
So, when having a password, let me re-iterate… By all means do your fancy special characters, spaces, numbers, upper/lower case, non-dictionary/random bit, but also make it long. Having a simple long password with a small random component, is a billion times or more better than a short one – no matter how complex yours is!
Also don’t forget the usual safeguards:
- Don’t use these long passwords online or on the cloud, or anywhere that people can “see” it.
- Turn your computer off when you’re not using it.
- Turn your network off when you’re not using it.
- Use full disk encryption on everything – hibernation/pagefiles are just as dangerous as having passwords written on paper sitting on your desk!
- Make your wireless network invisible with WPA2, or better yet go wired
- Don’t use complex passwords on easily hackable devices (i.e. on your $50 10mbit DLINK network hub from 2001)
- Have a hardware firewall
- Don’t tell anyone your password under any circumstances (not even your wife), as good as her intentions are, she may write it down!
- Make passwords very unique between usages (i.e. cloud passwords are 100% different from the most important disk-encryption passwords). Don’t even share the same Windows logon password / disk encryption password.
Anything I’ve missed?
Many thanks to this guy…
http://www.infoworld.com/d/security-central/password-size-does-matter-531
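A small calculator, added here as an example and not part of the post or the comments, that puts the length-versus-complexity argument above into numbers: the brute-force search space of each password in bits, how many bits a 128-thread GPU actually removes (log2 of the thread count), and what an attacker who guesses the passphrase half as whole dictionary words rather than characters still faces. The guess rate, character-class sizes and the 10,000-word dictionary are assumptions.

```python
import math

# Assumed character-class sizes for a printable-ASCII keyboard (illustrative).
LOWER, UPPER, DIGIT, SYMBOL = 26, 26, 10, 33

# The passwords discussed in the comments above, plus the passphrase split
# into words for the dictionary-style estimate.
SHORT = "macbookair"
RANDOM_PART = "nACb))K02"
WORDS = ["the", "quick", "brown", "fox", "jumped", "over", "the", "lazy", "dog"]
LONG = RANDOM_PART + "".join(w.capitalize() for w in WORDS)


def alphabet_size(password: str) -> int:
    """Smallest character alphabet an attacker must assume to cover the password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(not c.isalnum() for c in password):
        size += SYMBOL
    return size


def search_space_bits(password: str) -> float:
    """Bits of work for a character-by-character brute force: len * log2(alphabet)."""
    return len(password) * math.log2(alphabet_size(password))


def effective_bits(bits: float, threads: int) -> float:
    """Parallelism divides the time, which only subtracts log2(threads) bits."""
    return bits - math.log2(threads)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate at a fixed guess rate (assumed rate)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def combined_bits(random_part: str, words: list, dictionary_size: int) -> float:
    """Attacker-optimal estimate: brute force the random part, but guess the
    passphrase as whole words drawn from a dictionary of the given size."""
    return search_space_bits(random_part) + len(words) * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in (SHORT, RANDOM_PART, LONG):
        b = search_space_bits(pw)
        print(f"{pw!r}: {b:.1f} bits, {effective_bits(b, 128):.1f} bits with 128 threads, "
              f"{years_to_exhaust(b, 1e9):.3g} years at 1e9 guesses/s")
    print(f"word-wise estimate of the long password: {combined_bits(RANDOM_PART, WORDS, 10_000):.1f} bits")
```

Run as a script it shows the short password falling in hours, while even the word-wise estimate of the long one stays far beyond any brute-force budget.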