Jeremiah Grossman on ‘Password Cracking AES-256 DMGs and Epic Self-Pwnage’

CTO of WhiteHat Security on forgetting the password (and with it access to the encryption key) to an AES-256 encrypted DMG image after a recent password change.

“Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc.”

With the help of some of the best password crackers on the planet, Grossman was able to crack his own password by guessing its composition and reducing the key space (the set of all candidate passwords) to one that could be searched exhaustively in a few minutes.

Reflecting on his experience:

“I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity.” 

Having been through a similar experience, though without the help of a crack team of password crackers, I can say that password management relies on an unreliable resource sitting behind the keyboard – your memory, which needs all the help it can get to protect it from itself.
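To make both points above concrete (how much a composition guess shrinks the search space, and why the way a password is stored matters more than its complexity), here is an added worked example. It is not code from Grossman's post or from the crackers who helped him; the mask character classes, the guess rates and the use of PBKDF2-HMAC-SHA256 as a stand-in for the DMG's own key derivation are all assumptions made for illustration.

```python
"""Added example (not from the original post): size a password search space
under a composition guess, and compare the cost of searching it when the
password is stored behind a fast hash versus a slow key derivation function.
All rates and the choice of KDF are assumptions for illustration only."""
import hashlib
import os
import time
from math import prod

# Character-class sizes for a hashcat-style mask (assumed for this example):
# ?l lowercase, ?u uppercase, ?d digits, ?s printable symbols, ?a all printable ASCII.
CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask such as '?u?l?l?l?l?d?d?s' describes."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    if not tokens or any(len(t) != 2 or t[0] != "?" or t[1] not in CLASS_SIZES
                         for t in tokens):
        raise ValueError("mask must be a sequence of ?l/?u/?d/?s/?a tokens")
    return prod(CLASS_SIZES[t[1]] for t in tokens)


def full_keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates when nothing about the composition is known."""
    return alphabet_size ** length


def reduction_factor(mask: str, alphabet_size: int = 95) -> float:
    """How many times smaller the masked space is than the unconstrained one."""
    length = len(mask) // 2
    return full_keyspace(length, alphabet_size) / mask_keyspace(mask)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case wall-clock time to try every candidate at a given rate."""
    return keyspace / guesses_per_second


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for a KDF-protected store (assumption: the
    real container's KDF and parameters are not taken from the post)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def measure_guess_cost(iterations: int, samples: int = 10) -> float:
    """Average seconds one candidate check costs at this iteration count,
    measured on the local machine with constructed candidate strings."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for n in range(samples):
        derive_key(b"constructed-candidate-%d" % n, salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    mask = "?u?l?l?l?l?d?d?s"  # constructed composition guess: e.g. "Xxxxx00!"
    space = mask_keyspace(mask)
    print(f"mask {mask}: {space:,} candidates, "
          f"{reduction_factor(mask):,.0f}x smaller than all 8-char printable ASCII")
    # Assumed rate for a single fast, unsalted hash: a constructed figure for
    # comparison only, not a benchmark of any real hardware.
    fast_rate = 1e9
    print(f"fast hash @ {fast_rate:.0e}/s: "
          f"{seconds_to_exhaust(space, fast_rate):.1f} s worst case")
    for iters in (1_000, 100_000):
        rate = 1 / measure_guess_cost(iters)
        days = seconds_to_exhaust(space, rate) / 86400
        print(f"PBKDF2 {iters:>7,} iters @ {rate:,.0f}/s (measured, one core): "
              f"{days:,.1f} days worst case")
```

Run it as a script to see the two effects side by side: the composition guess alone cuts an eight-character search by roughly five orders of magnitude, while raising the KDF iteration count multiplies the cost of every single guess, which is the lever the storage side controls regardless of how the user chose the password.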