Testing 1024 bit password on BTSync - Help me test if this will have any problems

painfreepcpainfreepc Member
edited February 2014 in Help

Testing 1024 bit password on BTSync - Help me test if this will have any problems

Many of you say the 32 bit passwords generated by btsync

can be brute forced - so please help me test if using a 1024 bit password will have any problems.

Why am I asking for help:

I can't find any documentation about using passwords not generated by btsync

or using a password larger than 32 bit.

use below as password for test:


http://www.azaleatech.com/strong_pass.html

Comments

  • said: many of you say the 32 bit passwords generated by btsync can be brute forced

    The ones that said that are idiots that don't know what they are talking about

  • @painfreepc said:
    Testing 1024 bit password on BTSync - Help me test if this will have any problems

    many of you say the 32 bit passwords generated by btsync

    can be brute forced - so please help me test if using a 1024 bit password will have any problems

    use below as password for test:

    `tqKjvQOP72Ie18vfJB3QijilwCZV5sm6isgzlIynd24IpAnC7ix1DnO5VPjsiWYN6eAmYjeS3drQ...

    The pre-generated secret keys created by the Btsync client are SHA1 hashes - theoretically 160-bit strength - not 32-bit.

    The "1024 bit password" that you created (if accepted by the client) will be hashed to a 160-bit string using SHA1. So the length used by the protocol will be the same as the pre-generated secret keys. This is a requirement of the BitTorrent network.

    In reality, that string you gave has a bit strength of around 6000-bits (using the NIST's standard algorithm to calculate bit strength).

    Conclusion: adding more characters to the secret keys will not improve security in the slightest. Brute forcing of your Btsync secret key will not occur in your or my lifetimes.

  • @gsrdgrdghd said:
    The ones that said that are idiots that don't know what they are talking about

    I know nothing about BTsync and I highly doubt that by default it's insecure. However, if it really uses a 32-bit password, for sure it's insecure. A password that only contains 32 bits only has 2^32 possibilities, 4 294 967 296 passwords to try; it's nothing. With most hashing algorithms, your GPU can hash at least thousands of times a second; my GPU can do 300 million SHA-256 per second.

    I doubt, however, that BTsync actually uses a 32-bit password, and I think it's just an error of terms and he meant 256 bits (32 bytes), which is enough for your files (but why not go up to 2048 bits if you can?).

  • painfreepcpainfreepc Member
    edited February 2014

    source is btsync site:

    Security
    BitTorrent Sync was designed with privacy and security in mind. The system uses SRP for mutual authentication and for generating session keys that ensure Perfect Forward Secrecy. All traffic between devices is encrypted with AES-128 in counter mode, using a unique session key. Modification requests are all verified using Ed25519 signatures and only systems with full access keys can generate valid modification requests.

    Secret
    The secret is a randomly generated 20-byte key. It is Base32-encoded in order to be readable by humans. BitTorrent Sync uses /dev/random (Mac, Linux) and the Crypto API (Windows) in order to produce a completely random string. This authentication approach is significantly stronger than a login/password combination used by other services. That's why using a secret generated by BitTorrent Sync is very safe and secure.



    So am I to understand that using my own Ultra High generated password

    means nothing?

  • @painfreepc said:
    So am I to understand that using my own Ultra High generated password

    means nothing?

    Yes. Due to the nature of the Bittorrent protocol, a very long string of characters is useless. The protocol requires that a 160-bit (20-byte) key be used. Your long string password would be truncated or hashed so that the key can be used in the protocol.

    Just to make it clear. The secret key is not a password. It is the unique identification for your private data that is sent to hundreds of servers across the world. Anyone on the network (millions of devices) may connect to your computer at any time. The security lies in the low statistical chance of a person connecting to your private cloud within the millions of torrents in the Internet.

  • painfreepcpainfreepc Member
    edited February 2014

    @Silvenga said:
    Anyone on the network (millions of devices) may connect to your computer at any time. The security lies in the low statistical chance of a person connecting to your private cloud within the millions of torrents in the Internet.

    You can DISABLE "relay", "tracker", "search_lan" and "web gui"; you can connect direct to IP.

    {
      "device_name": "My Sync Device",
      "listening_port" : 0,                       // 0 - randomize port
    
    /* storage_path dir contains auxilliary app files
       if no storage_path field: .sync dir created in the directory
       where binary is located.
       otherwise user-defined directory will be used
    */
      "storage_path" : "/home/user/.sync",
    
    // uncomment next line if you want to set location of pid file
    // "pid_file" : "/var/run/btsync/btsync.pid",
    
      "check_for_updates" : true,
      "use_upnp" : true,                              // use UPnP for port mapping
    
    /* limits in kB/s
       0 - no limit
    */
      "download_limit" : 0,
      "upload_limit" : 0,
    
    /* remove "listen" field to disable WebUI
       remove "login" and "password" fields to disable credentials check
    */
      "webui" :
      {
        "listen" : "0.0.0.0:8888",
        "login" : "admin",
        "password" : "password"
      }
    
    /* !!! if you set shared folders in config file WebUI will be DISABLED !!!
       shared directories specified in config file
       override the folders previously added from WebUI.
    */
    /*
      ,
      "shared_folders" :
      [
        {
    //  use --generate-secret in command line to create new secret
          "secret" : "MY_SECRET_1",                   // * required field
          "dir" : "/home/user/bittorrent/sync_test", // * required field
    
    //  use relay server when direct connection fails
          "use_relay_server" : true,
          "use_tracker" : true,
          "use_dht" : false,
          "search_lan" : true,
    //  enable sync trash to store files deleted on remote devices
          "use_sync_trash" : true,
    //  specify hosts to attempt connection without additional search
          "known_hosts" :
          [
            "192.168.1.2:44444"
          ]
        }
      ]
    */
    
    // Advanced preferences can be added to config file.
    // Info is available in BitTorrent Sync User Guide.
    
    }
    
  • painfreepc said: You can DISABLE "relay", "tracker", "search_lan" and "web gui"; you can connect direct to IP.

    I do not understand your point, but my original statement still stands. Because you are using the Bittorrent network anyone can still connect to you. You will just not connect to anyone else when the direct connection fails.

  • dedicadosdedicados Member
    edited February 2014

    i use this:

    https://howsecureismypassword.net/

    edit:

    It would take a desktop PC about 52 seconds to crack your password

    oh shit...

  • painfreepcpainfreepc Member
    edited February 2014

    @Silvenga

    I found something online that shows what you are saying: how btsync converts my long password to a 32 character base-32 coded string.

    No matter how long the password you enter, it will be converted to

    SHA1 hash (base32) or SHA1 hash (hex)

    non-random keys for BTSync "Text to base32 SHA1 Converter"

    http://www.debath.co.uk/MakeAKey.html

    i also found this site "SHA-1 Cryptographic Hash Algorithm"

    http://www.movable-type.co.uk/scripts/sha1.html

    i thank you for your help..
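
Added example (not part of any post above, and not BitTorrent Sync's own code): the thread's conclusion that a passphrase of any length collapses to a 160-bit, 32-character Base32 value. It assumes the derivation is plain SHA-1 followed by Base32, as the posters describe; the sample passphrases are constructed, and the 300 million hashes per second rate is the GPU figure quoted in the thread.

```python
import base64
import hashlib
import math
import secrets

KEY_BITS = 160  # 20-byte secret / SHA-1 digest size, per the thread


def passphrase_to_key(passphrase: str) -> str:
    """SHA-1 the passphrase and Base32-encode it (assumed derivation)."""
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return base64.b32encode(digest).decode("ascii")


def random_secret() -> str:
    """20 bytes from the OS CSPRNG, Base32-encoded: full 160-bit strength."""
    return base64.b32encode(secrets.token_bytes(KEY_BITS // 8)).decode("ascii")


def effective_bits(alphabet_size: int, length: int) -> float:
    """Strength of a uniformly random string once it is hashed into the key.

    Entropy above KEY_BITS is discarded by the hash; entropy below it is
    all the resulting key has.
    """
    return min(length * math.log2(alphabet_size), KEY_BITS)


def seconds_to_exhaust(bits: float, hashes_per_second: float) -> float:
    """Worst-case time to try every value in a 2**bits key space."""
    return 2.0 ** bits / hashes_per_second


if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    short_pw = "hunter2"              # constructed sample
    long_pw = "tr0ub4dor&3-" * 40     # constructed 480-character sample
    for pw in (short_pw, long_pw):
        key = passphrase_to_key(pw)
        print(f"{len(pw):4d} chars in -> {key} ({len(key)} chars out)")
    print("random secret   ->", random_secret())
    print("1000 random alphanumerics, usable bits:", effective_bits(62, 1000))
    print("5 random alphanumerics, usable bits:   ",
          round(effective_bits(62, 5), 1))
    print("2^32 at 300M/s :", round(seconds_to_exhaust(32, 300e6), 1), "s")
    print("2^160 at 300M/s: %.1e years" % (seconds_to_exhaust(160, 300e6) / year))
```

The output length never changes with the input length, so the only way a self-chosen passphrase differs from a generated secret is by carrying less than 160 bits of entropy.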
