Testing 1024 bit password on BTSync - Help me test if this will have any problems
Many of you say the 32 bit passwords generated by btsync
can be brute forced - so please help me test if using a 1024 bit password will have any problems
Why am I asking for help:
I can't find any documentation about using passwords not generated by btsync
or using a password larger than 32 bit.
Use below as password for test:
Comments
The ones that said that are idiots that don't know what they are talking about
The pre-generated secret keys created by the Btsync client are SHA1 hashes - theoretically 160-bit strength - not 32-bit.
The "1024 bit password" that you created (if accepted by the client) will be hashed to a 160-bit string using SHA1. So the length used by the protocol will be the same as the pre-generated secret keys. This is a requirement of the BitTorrent network.
In reality, that string you gave has a bit strength of around 6000-bits (using the NIST's standard algorithm to calculate bit strength).
Conclusion, adding more characters to the secret keys will not improve security in the slightest. Brute forcing of your Btsync secret key will not occur in your or my lifetimes.
I know nothing about BTsync and I highly doubt that by default it's insecure. However, if it really uses a 32-bit password, for sure it's insecure. A password that only contains 32 bits only has 2^32 possibilities, 4 294 967 296 passwords to try, it's nothing. With most hashing algorithms, your GPU can hash at least in the thousands of times a second, my GPU can do 300 million SHA-256 per second.
I doubt however that BTsync actually uses a 32-bit password and I think it's just an error of terms and he meant 256 bits (32 bytes), which is enough for your files (but why not go up to 2048 bits if you can?).
source is btsync site:
Security
BitTorrent Sync was designed with privacy and security in mind. The system uses SRP for mutual authentication and for generating session keys that ensure Perfect Forward Secrecy. All traffic between devices is encrypted with AES-128 in counter mode, using a unique session key. Modification requests are all verified using Ed25519 signatures and only systems with full access keys can generate valid modification requests.
Secret
The secret is a randomly generated 20-byte key. It is Base32-encoded in order to be readable by humans. BitTorrent Sync uses /dev/random (Mac, Linux) and the Crypto API (Windows) in order to produce a completely random string. This authentication approach is significantly stronger than a login/password combination used by other services. That's why using a secret generated by BitTorrent Sync is very safe and secure.
So am I to understand that using my own Ultra High generated password
means nothing?
Yes. Due to the nature of the Bittorrent protocol a very long string of characters is useless. The protocol requires that a 160-bit (20-byte) key be used. Your long string password would be truncated or hashed so that the key can be used in the protocol.
Just to make it clear. The secret key is not a password. It is the unique identification for your private data that is sent to hundreds of servers across the world. Anyone on the network (millions of devices) may connect to your computer at any time. The security lies in the low statistical chance of a person connecting to your private cloud within the millions of torrents in the Internet.
You can DISABLE "relay", "tracker", "search_lan" and "web gui"; you can connect direct to IP.
I do not understand your point, but my original statement still stands. Because you are using the Bittorrent network anyone can still connect to you. You will just not connect to anyone else when the direct connection fails.
I use this:
https://howsecureismypassword.net/
edit:
It would take a desktop PC about 52 seconds to crack your password
oh shit...
@ Silvenga
I found something online that shows what you are saying, how btsync converts
my long password to a 32 character base-32 coded string.
No matter how long the password you enter, it will be converted to
SHA1 hash (base32) or SHA1 hash (hex)
non-random keys for BTSync "Text to base32 SHA1 Converter"
http://www.debath.co.uk/MakeAKey.html
I also found this site "SHA-1 Cryptographic Hash Algorithm"
http://www.movable-type.co.uk/scripts/sha1.html
I thank you for your help.
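
The fixed-length behaviour discussed in this thread, as an added example that is not part of any post and is not BitTorrent Sync's own code. It assumes custom text is turned into a key by SHA-1 followed by Base32, as the replies above describe; the function names and the word list are constructed for illustration.

```python
import base64
import hashlib
import secrets
from typing import Iterable, Optional

SECRET_BYTES = 20  # 160 bits, the secret size given in the quoted BitTorrent Sync text

# Constructed sample of guessable phrases (not from the thread).
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]


def random_secret() -> str:
    """20 bytes from the OS CSPRNG, Base32-encoded to 32 characters."""
    return base64.b32encode(secrets.token_bytes(SECRET_BYTES)).decode("ascii")


def passphrase_to_secret(passphrase: str) -> str:
    """SHA-1 of the text, Base32-encoded (assumed mapping, per the thread)."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii")


def secret_bits(secret: str) -> int:
    """Size in bits of the key that a Base32 secret decodes to."""
    return len(base64.b32decode(secret)) * 8


def derivable_from(secret: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate text whose hash equals this secret, if any."""
    for text in candidates:
        if passphrase_to_secret(text) == secret:
            return text
    return None


if __name__ == "__main__":
    long_key = passphrase_to_secret("x" * 128)   # 1024 bits of input text
    short_key = passphrase_to_secret("letmein")  # guessable input text
    rand_key = random_secret()
    for label, key in (("long", long_key), ("short", short_key), ("random", rand_key)):
        # Every key is 32 characters / 160 bits regardless of input length.
        print(label, key, len(key), secret_bits(key))
    # Hashing does not add entropy: a key made from a guessable phrase is
    # still found by hashing the guesses; a random key is not.
    print(derivable_from(short_key, WORDLIST), derivable_from(rand_key, WORDLIST))
```

Input longer than 160 bits gains nothing and a guessable phrase keeps its weakness after hashing, which is why the client-generated random secret is the safe choice.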