Hi,
When creating a new container or partition, I know you should select a long password to increase the possible combinations for a cracker to try, but what about your choice of Encryption Algorithm and Hash Algorithm?
I do not know what they do or what they are for. Does changing either or both to something other than the default make it harder to crack or make your data more secure?
I made a small test container and signing on was the same when choosing another choice from those 2 drop down fields.
Thanks!
These are interesting and recurring questions. Here are some elements you might consider to increase security besides password length and complexity:
PIM (Personal Iterations Multiplier): When creating a new VeraCrypt container or partition, there is an option called 'PIM'. By default, for non-system volumes, this value is set to 485. PIM determines how many iterations of the hash algorithm are applied to the password. The higher the PIM value, the more iterations, and hence the more time-consuming (and resource-consuming) it becomes for an attacker to try a brute-force attack. You can consider selecting a custom PIM value different from the default to make the attacker's life harder. However, remember that choosing a higher PIM will also increase the time it takes for you to mount the container, as the iterations have to be computed every time you provide the password. PIM choice has no impact on volume usage performance once it is mounted.
Encryption Algorithm: The default choice for the encryption algorithm in VeraCrypt is AES. If you want to increase the complexity and don't mind a potential reduction in I/O speed, you can opt for a cascade of algorithms, like AES-Twofish-Serpent. This way, the data will undergo encryption using multiple algorithms sequentially, adding multiple layers of encryption. By doing so, even if one encryption algorithm is found to be vulnerable in the future (which is highly unlikely for well-established algorithms), your data will still be protected by the other algorithms in the cascade.
Hash Algorithm: The hash algorithm is used in combination with the password and PIM to derive the encryption key. When considering brute-force protection, a slower hash algorithm is advantageous. In this context, you might want to choose either Whirlpool or Streebog. These hash algorithms, especially when combined with a high PIM value, make brute-force attacks extremely time-consuming and resource-intensive. As a side effect, it will make the initial mounting of your container slightly slower, but once the container is mounted, there's no impact on the performance of accessing the encrypted data.
To help you evaluate and find the best trade-off between security and performance, VeraCrypt provides a built-in benchmark utility. You can access it from the menu via Tools -> Benchmark. This utility allows you to measure the speed of different encryption algorithms, their cascades, and hash algorithms. By assessing the results, you can select the combination that aligns best with your requirements.
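As an added illustration of how the PIM and hash choice in the answer above feed key derivation (example code written for this thread, not VeraCrypt's own source): VeraCrypt derives the volume header key with PBKDF2-HMAC over the password and a 64-byte salt, and the PIM sets the iteration count (15000 + PIM x 1000 for non-system volumes, PIM x 2048 for system encryption), so the default PIM of 485 quoted above means 500000 iterations. SHA-512 stands in for the selectable hash because Whirlpool and Streebog are not guaranteed in Python's hashlib; the 64-byte output length and the sample password are constructed for the demo.

```python
import hashlib
import os
import time

# VeraCrypt's published mapping from PIM to PBKDF2 iteration count
# (non-system volumes: 15000 + PIM*1000; system encryption: PIM*2048).
# The default PIM of 485 quoted in the thread is therefore 500000 iterations.
DEFAULT_PIM_NON_SYSTEM = 485
SALT_BYTES = 64  # VeraCrypt stores a 512-bit random salt in the volume header


def veracrypt_iterations(pim: int, system_volume: bool = False) -> int:
    """Translate a PIM value into the number of PBKDF2 iterations VeraCrypt runs."""
    # VeraCrypt treats an empty PIM as "use the default"; pass it explicitly here.
    if pim <= 0:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if system_volume else 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int,
                      hash_name: str = "sha512", key_len: int = 64) -> bytes:
    """PBKDF2-HMAC over the password with the iteration count implied by the PIM.

    hash_name is any digest hashlib/OpenSSL knows; Whirlpool and Streebog are
    not guaranteed to be present, so SHA-512 is the default in this demo.
    key_len is illustrative: the real header key length depends on the cipher(s).
    """
    if len(salt) != SALT_BYTES:
        raise ValueError("expected a %d-byte salt" % SALT_BYTES)
    return hashlib.pbkdf2_hmac(hash_name, password, salt,
                               veracrypt_iterations(pim), dklen=key_len)


def seconds_per_guess(pim: int, hash_name: str = "sha512") -> float:
    """Wall-clock cost of one password guess at this PIM on this machine.

    This is the work the legitimate user pays once per mount and the work an
    attacker pays per candidate password, which is why a higher PIM helps.
    """
    salt = os.urandom(SALT_BYTES)  # constructed sample salt
    start = time.perf_counter()
    derive_header_key(b"constructed-sample-password", salt, pim, hash_name)
    return time.perf_counter() - start


if __name__ == "__main__":
    for pim in (DEFAULT_PIM_NON_SYSTEM, 1000, 2000):
        print("PIM %4d -> %7d iterations, %.3f s per guess"
              % (pim, veracrypt_iterations(pim), seconds_per_guess(pim)))
```

Swapping hash_name for a slower digest your OpenSSL build offers, or raising the PIM, shows the mount-time versus brute-force-cost trade-off the answer describes.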
So basically, you explained everything great. I don't understand or need to understand a lot of it.
If you choose Twofish-Serpent and Whirlpool or Streebog, and your computer will handle it, your data will be safer and harder to crack (than with the defaults), AND there is nothing extra to do on the user side once you set up your partition. Once you set it up you choose your partition, mount letter, and enter your password.
My password is 20 characters long. Is that enough? I've seen the TV shows and movies. I am safe from cameras watching my logon. Looking for wear and tear on my keyboard won't give enough clues either.
My only thought is: are keyloggers an issue from operating systems or 3rd parties? Do anti-keyloggers work? Are they necessary and can they be trusted?
I have nothing of great importance to hide, but I do like my privacy and in a connected world best practices are necessary, especially for financial stuff.
Thanks for replying above!
I'm glad to hear the previous information was helpful to you.
Concerning the encryption and hash algorithm selections, your understanding is correct and VeraCrypt handles the process seamlessly.
Concerning the password length, a 20-character password is already significantly stronger than what most people use. If it's a combination of upper and lowercase letters, numbers, and special characters, then you're in an excellent position. Always avoid using easily guessable phrases or words.
As for keyloggers, they are indeed a concern. They can capture every keystroke you make, including passwords. They can come in two main forms:
Software Keyloggers: Malicious software installed on your machine.
Hardware Keyloggers: Physical devices connected to your machine.
For software keyloggers, some anti-keylogger software can be effective against certain keylogging methods. However, no solution is 100% effective, and introducing more software sometimes can introduce new vulnerabilities. It's more about a layered approach: use up-to-date antivirus and antimalware software, keep your operating system patched, and be cautious of what software you install and where you download it from.
For hardware keyloggers, regular physical checks of your computer and its connections can be beneficial. They're often attached between the keyboard and the computer.
Note: VeraCrypt has a feature called 'Secure Desktop' which provides additional protection against certain software keyloggers. When you enter your password within the Secure Desktop, it's isolated from other running processes, making it more difficult to capture your keystrokes. I would recommend enabling this feature when entering your password in VeraCrypt to enhance your security. You can access this feature by clicking on the "Use Secure Desktop for password entry" checkbox in VeraCrypt Preferences.
Always remember, no security measure is absolute. But by layering your precautions, you're doing an excellent job of protecting your data.
Thank you Mounir IDRASSI. You pretty much confirmed what I suspected. I do keep my Windows and trusted software up to date; I am leery of cloud-based antimalware software though. I just can't imagine all of the files I access, or even those that are just on my computer, going through someone else's server, whether for legitimate purposes, targeted marketing, or just spying on me. I use a firewall that allows me to OK or not when a program tries to access the internet. Unless it is a known trusted program like Thunderbird, I usually say no. If I want to update my photo viewer, I can do it manually.
Even so, I usually rebuild my OS about twice a year to make sure nothing slipped in. I try not to be paranoid, but these computers now hold our banking info, photos, documents and correspondence, and social media. I just want to establish some best practices and habits.
I will look into the Secure Desktop. Sounds like it might be a tool that helps protect my logon.
Thanks again for your reply.