[dm-crypt] Forgot dm-crypt password; suggestions on steps to undertake

Arno Wagner arno at wagner.name
Sat Nov 9 23:51:26 CET 2013


On Sat, Nov 09, 2013 at 22:48:25 CET, John Thoe wrote:
> 
> 
> 
> Hi
> 
> I forgot the passphrase of my laptop which was encrypted using dm-crypt
> (without LUKS).  I use Debian so just used the default settings that were
> suggested.
> 
> I understand that passwords cannot be recovered but please hear me out. In
> my case, I am sure that I am forgetting the last four digits I set because
> the rest of the password is clear in my memory.
> 
> A couple of questions I could really use help with:
> 
> 1. Is it possible to brute force the disk since even though my password is
> fairly long, I am sure about all of it except the last 4-6 digits.

It actually does not matter at all how long your password is
(unless it goes into the kB range), just how many characters
are unknown.

If you are missing 6 characters, with a standard alphabeth of, say,
2x26 chars + 10 digits and 20 special symbols, that would take
about 300'000'000 tries. As this is plain dm-crypt, a try does
not take about 1 second but signigicantly less (no iterated 
hashing). No idea how fast this really is, but if programmed right,
it may be doable in a few days of trying. Of course, you also have 
to recognize when you have the right password, which depends on
what is in there. "blkid" may help to recognize a filesystem,
but again I have no idea how fast it is.

Anyway, this is a case for using libcryptsetup directly and it
will require some real programming work.

> 2. If (1) is not possible, is there any way I can make it easy to type in
> passwords?  Right now, initramfs does not show me the password I am
> typing.  Is there anyway I can have feedback from it so that I know that I
> am at least typing in stuff correctly?  Or even better, is there any way I
> load a text file with a list of the probable passwords?

You need to do that yourself or find a distribution that does
it for you. Initramfs usage is out of scope of the cryptsetup
tool. A list of "probable passwords" would be exceedingly insecure.
And while researchers have been tryong for a couple of decades,
there still is no easy way to input passwords and remain secure,
and there probably will never be one.

Arno

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
There are two ways of constructing a software design: One way is to make it
so simple that there are obviously no deficiencies, and the other way is to
make it so complicated that there are no obvious deficiencies. The first
method is far more difficult.  --Tony Hoare


More information about the dm-crypt mailing list