A weak cryptoloop implementation in Linux?

A weak cryptoloop implementation in Linux?

This is a quite strange claim. First, as is pointed out here, at worst it's a bug, not a back-door. A back-door is something deliberate.<p>

Secondly, this does nothing at all for the attacker who wants to crack a single encrypted filesystem. It <b>is</b> true that because of the lack of salt, an attacker who wants to crack a large number of encrypted filesystems has an advantage as he can calculate the encrypted version of the "likely" passwords only once instead of once for each filesystem as would be required with a salt.<p>

However, this ain't *that* horrible a vulnerability. First, it only helps by a factor of how many encrypted filesystems (of the same type) you want to crack. Secondly, it only helps for those passwords that are simple enough that they'll appear in a list of "likely" passwords. With current storage it's not reasonable to create dictionaries much larger than a terabyte. So, loosely, if your password is not among the most common billion passwords, you're in the clear. Choosing a good password is required for security anyways.<p>

All this means is, if you need real security, choose a password with more than 40 bits of real entropy in it, or a dictionary like this could be constructed and help crack it. Dictionaries with much more than 2^40 entries are unlikely to be practical at the moment. <p>

Offcourse 2^40 possible keys kan reasonably be brute-forced even without a dictionary as a one-off crack. So to guard against this you'd want a better password than this anyway.<p>

It's true that the set of passwords that can a) Be reasonably memorized and b) cannot reasonably be brute-forced is rapidly approaching zero. But that's a fundamental problem and has nothing in particular to do with the crypto-loop implementation.