1

In a talk about a lost or stolen laptop, it is said that:

even with hard drive encryption, eventually they can crack these secrets

But strong encryption is practically impossible to break. For example, it would take 6 billion years at 100,000 attempts per second to brute force the password of a MacBook using XTS-AES 128 encryption, presuming the user has set a 12-character random password.

So an encrypted hard disk could be cracked only if:

  1. the user has a weak enough password to brute force, or
  2. the encryption uses a weak algorithm
  3. the attacker is willing to wait billions of years

Presuming the last is infeasible, is it possible to crack an encrypted hard disk assuming the encryption algorithm is strong and the user has set a 60-character random password?

stevec
  • 1,214
  • 1
  • 7
  • 16
  • 4. Or it's Bitlocker and it didn't actually encrypt anything. 12-character is not that long, it's doable; in many cases dictionaries will work just fine extremely fast. – Overmind Jan 22 '21 at 10:56
  • @Overmind I don't think dictionaries would help because a random 12-character password has around 60^12 = 2 sextillion possibilities. So even if someone could make 1 billion attempts per second, it would still take them around 2 trillion seconds, which is about 2000000000000/(60*60*24*365) = 63 thousand years. – stevec Jan 22 '21 at 11:05
  • 1. I don't think that math is good. A billion per second is obsolete. You can easy get into 10^13 range as home user. You're already into a few years range as simple user. 2. There are dictionaries based on pseudo-randoms so you'd better have a real RNG. – Overmind Jan 22 '21 at 13:44
  • @Overmind I chose 12 characters simply because it was the number used in the linked to question. But let's presume 60 random characters so the issue of brute forcing a password is no longer part of the debate. I will update the question. – stevec Jan 22 '21 at 13:51
  • @Overmind with a random password of 60 characters, there are around 60 ^ 60 = 4.887368e+106 possible combinations - more than the number of atoms in the universe. At that password length (provided, as you point out, that the password is truely random), brute force would not possible even in trillions of years. – stevec Jan 22 '21 at 13:54
  • 1
    12 is one case, 60 is simply a whole different scenario. In that case, things of course chage. – Overmind Jan 25 '21 at 11:39

1 Answers1

1

To put it bluntly, no. If the encryption software is solid and the password is xmc'jg.6EE/l\Z>tX;8mXb0#0k+RgW!1'N)q)}OE1FO(3!JbyUq^\HUR1&#o, then there is absolutely no chance to crack the password. Even if you waited billions of years, there isn't enough energy in the universe to do so.

So why did the guy say that eventually it will be cracked anyways? What does he know that we don't?

The problem is, most people don't set a secure, random password. You see, a lot of people tend to think that they don't need security - until they need security. They pick easy-to-remember passwords like Spring2021, Julia1994, etc. because they think nobody will ever try to crack their password anyways. So if your password is easily guessable or follows "a totally secure scheme nobody would ever guess", then your chance of being cracked will increase.

Furthermore, it also depends on who stole your laptop. A lot of people who steal a laptop simply want to sell it for some cash. They don't care what's on your laptop, and most likely, even if it was without any encryption, they wouldn't dedicate the time to finding out ways to monetize your company secrets. To them, stealing a laptop is a quick way to make cash. The people who buy a stolen laptop also couldn't care less what the previous owner had on there. It's just an extremely cheap laptop to them.

On the other hand, if your laptop was stolen by a dedicated attacker who knows who you work for, what you work on and how to make use of that knowledge, well, let's hope your password isn't Spring2021.

  • 1
    Great answer. When I heard 'eventually they can crack these secrets' I figured there must have been something vital missing in my understanding of how encryption is implemented on a laptop's hard disk. But, if I understand correctly, it turns out the speaker was simply a little imprecise with his language, and that was probably because most of the time people don't actually use long, truely random passwords, and that is the critical vulnerability that allows him to make the statement. – stevec Jan 22 '21 at 14:19