Brute Force Attacks

rkopp01

Hi there,

I was wondering if the local Boxcryptor logon process can be protected from Brute Force software attacks, when having access to the local PC.

Thanks

Rainer

Gustav

Hi Rainer,

the local Boxcryptor logon process cannot be protected from Brute Forcing. For more protection of your pc, you can use a software to encrypt your OS like Bitlocker.

Greetings
Gustav

Robert

Hi Rainer,

We have two different protections for "brute forcing":

1) Our servers accept at maximum 10 wrong credentials per minute in the logon process. If an attacker tried more than 10 wrong credentials within a minute, he has to wait until the next minute.

2) If somebody would somehow have gained access to your encrypted keys, he needs the password key to decrypt and use them. The password key is not directly your password, but rather a derivation from it. We're using a function called PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2) with HMAC-SHA512 and 10.000 iterations to derive the password key from your password. This slows down brute force attacks from millions of different passwords to only a few thousands (depending on the attacker's hardware). This makes brute force attacks unusable because brute forcing an average password would take MANY years.

Best regards,
Robert