Best use practice for passwords?

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
Nezz
Posts: 4
Joined: Sat Sep 26, 2015 11:56 am

Best use practice for passwords?

Post by Nezz »

Hi there, first post.

I've successfully used AES Crypt in Ubuntu for encryption/decryption of files. I'm guessing that one of the first things AES Crypt does during encryption is to hash my password, but I'm wondering if it would help my files be nice and secure if I hash my password manually first? This would allow me to use a nice, short and simple password when encrypting a file.

So if my password is "fred" I could use:

Nezz@PC:~$ echo -n "fred"|sha256sum
d0cfc2e5319b82cdc71a33873e826c93d7ee11363f8ac91c4fa3a2cfcd2286e5 -

Then use d0cfc2e5319b82cdc71a33873e826c93d7ee11363f8ac91c4fa3a2cfcd2286e5 as my password for AES Crypt to encrypt my file.

Is this good practice and would it matter if I used MD5 or SHA to generate a string from a short password? If it's being hashed again during the encryption process all I am interested in doing is generating a nice long(ish) string from a simple, easy to remember, password.

Is my method correct or is there a better, simple alternative?
Last edited by Nezz on Sat Oct 10, 2015 1:23 pm, edited 1 time in total.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Best use practise for passwords?

Post by paulej »

I do that sort of thing with my passwords, actually. It's not a bad practice, but it's important to keep two things in mind.

First, a hashed password is only as strong as the password you provide. When you give AES Crypt a password, the first thing it does is hash it like this 8192 times. Thus, your hashing it is just one more hash. That's not security, but obfuscation. Still, it makes it harder to brute force attack if the attacker doesn't know the process. In short, do focus on password strength. 6 random words as a passphrase is far stronger than hashing one word.

The second thing to consider is not using the same password. This is why I hash my passwords. I tend to use the same one, but hash it with different keys. Specifically, I use http://singlepass.packetizer.com. I use a strong password only in my head along with random data (that I write in a file) and hash it as I do in that program. I end up with a relatively strong password.

For AES Crypt, I use a combination of passwords like that and key files. The Linux version allows one to create key files, that are just big random passwords. Having a key file hashed with a password would be even better. Maybe I'll add that to the list.
Nezz
Posts: 4
Joined: Sat Sep 26, 2015 11:56 am

Re: Best use practise for passwords?

Post by Nezz »

Thanks for the link to singlepass. That's a neat little utility and I guess it works like salting.

I mainly asked the original question because of a file I need to keep encrypted on a USB stick, which I'm encrypting using a short, gibberish password that is hashed. It is short to prevent me from forgetting it, and hashing it gives greater protection against someone brute-forcing the .aes file by trying out an alpha-numeric sequence.

I will definitely start using singlepass with multiple aes files. A separate .txt file with a list of Service Names next to each encrypted file name should increase security.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Best use practise for passwords?

Post by paulej »

A short, simple password that's hashed can be guessed. If your password was a single word out of the dictionary, that could be cracked in a second, or less. If you hash that same word, it's still easy to guess. In fact, hackers usually have tables of hashed values. They don't even have to work hard at it. Google "rainbow tables".
Nezz
Posts: 4
Joined: Sat Sep 26, 2015 11:56 am

Re: Best use practise for passwords?

Post by Nezz »

Yep. I looked at rainbow tables and also a site that reverse-guesses a hashed word for you. If I use gibberish for my password (a car registration plate, for example) then it is much harder to reverse engineer.

Also, so long as the potential attacker has no idea that I would hash a password before using it with AES crypt then he's hopefully gonna get bored trying to brute force the file on my USB key before he even thinks about starting to reverse gibberish hashes. He would just think I have used a long passphrase after trying to brute force it for ages. That's my prediction.
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: Best use practise for passwords?

Post by paulej »

Yeah, they might get bored, but now that this is all in the open, an attacker trying to brute force the file might throw hashing into the mix. It's not that hard to automate the attack with a given password, the hash of the word, or whatever.

What's most important, always, is selecting a strong password. I've said it before, but I think my approach is worth repeating. I have a very complex password stored only in my head. Then for each site I visit or file I encrypt, I create a string of random characters using the pwgen utility I wrote. I write down that value, because it's impossible to remember. I then use Single Pass with that and my memorized password. Thus, each password is unique and not guessable at all. It would truly require trying every possible combination of letters and numbers.

Single Pass yields about 96 bits of entropy, which is good enough for passwords. For encrypted data files, you might want more. (And I do. I create keys with about 384 bits of entropy.)
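Added example (not code from AES Crypt, Single Pass or either poster) of the scheme discussed in this thread: one memorized master secret, a random per-file tag written down next to each .aes filename, and a derived password per file, plus a rough guess-work estimate for the choices above. The PBKDF2 parameters, the 100,000- and 7,776-word list sizes and the sample master secret are assumptions; the 8192 iteration figure is taken from this thread.

```python
"""Per-file password derivation and guess-work estimates (added example)."""
import base64
import hashlib
import math
import secrets


def new_file_tag(nbytes: int = 16) -> str:
    """Random per-file tag. Write it in the plaintext list next to the
    .aes filename; it is public data, like a salt, not a secret."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def per_file_password(master_secret: str, file_tag: str,
                      iterations: int = 200_000, length: int = 24) -> str:
    """Stretch master secret + tag with PBKDF2-HMAC-SHA256 and encode the
    result as a printable password for AES Crypt. Same inputs always give
    the same password, so nothing secret needs to be written down.
    Iteration count and output length are assumptions, not AES Crypt's."""
    dk = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                             file_tag.encode("utf-8"), iterations, dklen=length)
    return base64.urlsafe_b64encode(dk).decode().rstrip("=")


def passphrase_candidates(n_words: int, wordlist_size: int) -> float:
    """Number of candidates for n words chosen uniformly from one list."""
    return float(wordlist_size) ** n_words


def guess_work_bits(candidates: float, stretch_iterations: int = 1) -> float:
    """log2 of the work to try every candidate. Pre-hashing a password does
    not change the candidate count; it only adds a fixed step per guess,
    while key stretching multiplies every guess by its iteration count."""
    return math.log2(candidates) + math.log2(stretch_iterations)


if __name__ == "__main__":
    master = "correct-horse-battery-staple"        # constructed, memorized only
    tags = {f"backup{i}.aes": new_file_tag() for i in range(3)}
    for name, tag in tags.items():                 # tag list is safe to keep in a .txt
        print(name, tag, per_file_password(master, tag))
    # One dictionary word vs. six random words, each followed by the 8192
    # hash iterations the thread attributes to AES Crypt.
    print(round(guess_work_bits(passphrase_candidates(1, 100_000), 8192), 1))
    print(round(guess_work_bits(passphrase_candidates(6, 7776), 8192), 1))
```

The two printed estimates make the point above concrete: a single dictionary word is about 30 bits of work even after 8192 iterations, while six random words is about 90, and hashing the word yourself first changes neither figure.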
Nezz
Posts: 4
Joined: Sat Sep 26, 2015 11:56 am

Re: Best use practise for passwords?

Post by Nezz »

Yep. I started learning a little bit about entropy a few months ago. It's interesting stuff, even though I never got on well with statistics and probability at school :D

Thanks for the great advice re: singlepass. I'm going to use it for my next file backup :)