Technical Insight-Web Application Security

Password Cracking AES-256 DMGs and Epic Self-Pwnage

jeremiahTwo weeks ago I was in the midst of a nightmare. I’d forgotten a password. Not just any password. THE password. Without this one password I was cryptographically locked out of thousands and gigabytes worth of files I care about. Highly sensitive and valuable files that include work documents, personal projects, photos, code snippets, notes, family stuff, etc. The password in question unlocks these files from the protection of locally stored AES-256 encrypted disk image. A location where an “email me a password reset link” is not an option. File backups? Of course! Encrypted the same way with the same password. Password paper backup? Nope. I’ll get to that. I somehow needed to “crack” this password. If not, the amount of epic self-pwnage would be too horrible to imagine.

Before sharing how I got myself into this predicament, it’s necessary to reveal some details about my personal computer security habits. More specifics than I’m normally comfortable sharing.

badgewall2As my badge wall shows, I travel a lot, all around the world, and often with the same laptop. A MacBook Pro. My computer becoming lost, stolen, or imaged by border guards and other law enforcement officers is a constant concern. To protect against these potential physical attacks, OS X dutifully offers FileVault.

FileVault is a full disk encryption feature utilizing XTS-AES 128 crypto. Enabling FileVault means that even if someone has physical possession of my computer, or obtains a full copy of the hard drive, they’d be the proud new owner of a cutting-edge machine, but unable to get any useful data off of it. That is unless my admin password, which unlocks FileVault, is ridiculously simple, and it isn’t. By all practical means, “cracking” this password is impossible.

What is possible is law enforcement, or a robber, forcibly stopping me and “asking” for my admin password, a method capable of defeating FileVault’s full disk encryption. Realistically, while my brazilian jiu-jitsu black belt certainly helps in many situations, it can be utterly useless in other real-world encounters. I’ll of course resist giving up my admin password to the extent I’m able, but must assume I may have to “comply” at some point. If this should happen, ideally my data, other than email, should remain safe even after the adversary lands on my desktop.

Setting up this type of layered security fall-back plan is where we return to the conversation of encrypted disk images. On OS X, Disk Utility can be used to create encrypted disk images called DMGs. DMGs are self-contained portable files, of customizable size, that when mounted (i.e. double-clicked) display on the desktop like any other disk drive where files can be stored.

Upon creation of DMGs the level of encryption strength can be set, the highest being AES-256. If FileVault’s AES-128 crypto is already “impossible” to crack, AES-256 DMGs are exponentially more impossible. To ensure this, all you have to do is set a reasonable password. We’re talking even 6 characters or longer, some upper and lower case, and maybe toss in a digit and special character. DON’T SAVE THE PASSWORD IN YOUR KEYCHAIN. Doing so defeats the entire purpose of what we’re trying to accomplish, because the admin password unlocks the keychain.

A great thing about DMGs is that they can be stored anywhere. Hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords. Also very important, DMGs containing sensitives files are only mounted on an as-needed basis. This is for two reasons:

  1. If I must hand over my admin password, the person now on the desktop should still have a difficult time learning these disk images exist and a password is required to open them. As they begin to snoop around, image the drive, run forensics, etc., they should feel they have the keys to the kingdom. If they do manage to find the DMGs, hopefully by then I’m on my way and seeking legal help.
  2. Should my computer get “hacked,” a remote attacker will find it extremely difficult to transfer out many many gigabytes worth of data as a single DMG file before being noticed, the computer loses its connection to the Internet, or the image is unmounted.



What’s also cool is a DMG can be used to store additional account passwords, flat file style. Passwords, which can be made super strong and don’t have to be committed to memory. Simply copy-paste as necessary. This FileValue / DMG setup makes it very convenient to only have to remember a small hand full of passwords, including the admin password, to access everything important and without sacrificing security. Well, convenient up until the point where you forget a DMG password. In my case, caused by my scheduled ritual of “change all my passwords.” Ugh!

I wake up once upon a recent morning and begin my daily routine. Check calendar. Check email. Checks RSS. Check Twitter. Start working, start reading. As is common, I mount a DMG and am greeted by the familiar password dialog.  First password attempt, fail. Second attempt, fail. Third attempt, fail. Warning dialog appears. That’s weird, I thought. Normally I’m a proficient touch typist. Am I’m fat-fingering the password? Three strikes and I’m out again.

Annoyed, but not concerned. Check the caps lock key. Nope. Try the password again. Fail, fail, fail. Fail, fail, fail. Rinse, repeat several more times. WTF! Am I at least trying to type the correct password for the DMG? I believe so. Let me try a few “shouldn’t work passwords” just in case Morning Brain is causing problems. A few dozen password fails later, annoyance begins constricting into panic. It’s OK, consoling myself, I’ll come back to this in a little while. It’ll be fine. I have some non-DMG-required work to complete anyway.

An hour later, I repeated the same password attempt cycle. No dice. The password fails mounting up are now in the hundreds. I start to mouth some obscenities and my keyboard is really not liking the pounding. My wife is beginning to eyeball me with concern. I’m running out of ideas of what that problem could be. That’s about when I recalled recently changing all my passwords. A few moment laters, that’s when it hit me, like really hit me. For whatever reason, I’d forgotten what I changed the password to. *Gulp*. Oh, no!



Think positive, think optimistic. Keep calm. Carry on. It’ll come to me. I’ve never forgotten these passwords before. I even remember most of it. At least, I think I do.

I’m periodically trying different passwords throughout the day, throughout out the evening. One day turns into two, two into three. All like the first. Only now I’m losing sleep. I’m waking up in the middle of the night and have to try a few more passwords just so I can get back to sleep. For those who don’t know, dreaming of password combinations sucks. What also sucks is without access to this DMG, more specifically the work documents within it, my daily productivity plummets.

Finally, after nearly a week I have to admit to myself, I forgot it. That I’m in trouble. Time for Plan B. Google.

I begin searching around for DMG password cracking tools. My thought is since I have a partial password, I should be fine. Most of the results pages are littered with people responding by cracking jokes when asked about cracking DMG AES crypto. That’s not very encouraging. Then I come across something called crowbarDMG, which is basically a GUI for command:

>$ hdiutil attach -passphrase <passphrase> DiskImage.dmg 

hdiutil locks a DMG file when attempting to mount it, so crowbarDMG runs single threaded, which essentially means a cracking speed of 1 password c/s. Yeah, slow. For my particular circumstance, this was fine. I figured I was only missing between 1 – 3 characters of the password anyway. A day of cracking, maybe two, and I’d be back in business. It was not to be. Then my fuzzy memory suggested I might be missing as much as 6 characters. If that be the case, by sheer math, at least multiple  decades worth of cracking would be necessary at current speed. Time for Plan C. Twitter.

Having ~15,000 followers interested in computer security has its perks. Through the years I’ve come to expect a good percentage of them have a stinging sense of humor. Similar to the Google search, 99% of the responses received were sarcastic. This included one such retort from a friend who works in law enforcement computer forensics. I’m sure some tweets were funny, but I was in no laughing mood. I was freaked. A sense of futility and finality was setting in.

That was until Solar Designer, gat3way, Dhiru Kholia, and Magnum, the guys behind the infamous John the Ripper (JtR) password cracker answered my plea. Then Jeremi Gosney of Stricture Consulting Group graciously offered up the use of his mega hash cracking computing resources as well. You remember Stricture from their Ars article, they have an insane “25-GPU cluster cracks every standard Windows password in < 6 hours.” Collectively, these guys are the amongst the world’s foremost experts in password cracking. If they can’t help, no one can. No joking around, they immediately dove right in.

Now, I couldn’t just share out my DMG for others to attempt to crack. Its enormous size basically precluded that. But even if I could, I wouldn’t. Given the sensitive nature of the data, I actually preferred the data lost than suffer any risk of a leak. Fortunately, JtR has something called dmg2john. dmg2john scrapes the DMG and provides output which can be cracked with JtR by others without putting the data at risk. Nice! Unfortunately, when I got there, dmg2john and JtR were broken when it came to DMGs. I provided the bug details to john-dev and john-users mailing list to replicate. The JtR developers had the issues fixed in a couple days. These guys are awesome.

Next step, send the dmg2john output of my DMG over to Jeremi at Stricture along with everything I think I remember about what my password might have been. Jeremi informs me of the next challenge, he’s only able to crack my DMG at a speed of ~100 c/s! At that rate it’s going to take a little over a decade worth of cracking to exhaust the password key space. I’m thinking this is very odd, it’s only maybe 6 extra characters tops. Jeremi explains why…

The reason it’s so slow is because your AES256-encrypted DMG uses 250,000 rounds of PBKDF2-HMAC-SHA-1 to generate the encryption key. The ludicrous round count makes it extremely computationally expensive, slowing down the HMAC-SHA1 process by a factor of 250,000.

My Xeon X7350 can crack a single round of HMAC-SHA1 at a rate of 9.3 million hashes per second. But since we are using 250,000 rounds, it means I was reduced to doing ~ 37 hashes per second. Using all four processors I was only able to pull about 104 hashes per second total (doesn’t scale perfectly.)

Once understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been. We’re they all upper and lower case characters? What about digits? Any special characters? Which characters were most likely used, or not used? Ever bit of intel helped a lot. We managed to whittle down an in initial 41106759720 possible password combinations to 22472. This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig.

Subsequently, Jeremi sent me what had to be one the most relieving and frightening emails I’ve ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work. I hadn’t touched my precious data in weeks! It was a tender moment, but also frightening because, well, no security professional is ever comfortable seeing such a prized password emailed to them from someone else. When/if that happens, it typically means you are hacked and another pain awaits.

Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity.  I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.

Now, after telling everyone a few of my best tricks and enduring an awful deficiency in one of them, I’ll obviously have to change things up a bit. Clearly I need paper backup, and thinking maybe about giving it to my attorney for safekeeping where it’ll enjoy legal privilege protection. We’ll see.

In the meantime, I can’t thank the John the Ripper guys and Jeremi from Stricture Consulting enough. If you need a password cracked, for personal and professional reasons, this is where you look to.



  • hm

    What about content of files from your vaults left in some cache/swap? I assume someone with your admin pasword can dig them up.

    • Jeremiah Grossman

      @hm Yeah, there is probably pockets of data floating around the system, but probably not worth worrying about, and certain not enough ease the pain of losing that DMG.

    • Paul Suh

      @hm – Swap (at least) is not a problem. It’s encrypted by default on OS X using a random key that is re-generated on each boot. Even then, cache for the DMG is not a problem — the encryption key is held in “wired” memory, that the system will not swap out to disk. Other apps’ caches are more problematic, but that’s a second order problem. Everything is also vulnerable to Felten’s cold boot attack as well.

  • Christoffer Strömblad


    This has got to be every security professionals worst nightmare and I cringed while reading, hoping dear to God it would end well. Thank you so much for sharing. Made me think twice about my own routines and will be sure to make a few changes. Stories such as these are not only horrible to read but also incredibly instructive, so again thanks for sharing and documenting for the rest of us to read.

    • Jeremiah Grossman

      @Christoffer I think so to. It was horrifying. Thanks for reading and sharing your kind words. Help encourage me to write more.

  • Richard Steven Hack

    Time to reconsider Bruce Schneier’s recommendation: Write your password down and store it in your wallet.

    With caveat: When traveling, remember to take it out of your wallet, put it in a small metal tube and stick it up your butt! :-)

    • Jeremiah Grossman

      @Richard I think there is a S—aaS joke in there somewhere. LOL

  • Chris D

    I’m really curious about why Jeremi only saw a 2.8x throughput increase from adding 3 CPUs. What gets serialized that limits the parallelization?

    • Jeremiah Grossman

      @Chris Really couldn’t say, but I’m sure he would know.

  • Joshua Marpet

    Hey, don’t bother with paper, except for one type. Put all those DMG’s on a flash drive of some sort. Encrypted with a HORRENDOUS password. Go high ASCII on that bitch. Take the password, write it out on a piece of paper, seal in an envelope, seal the envelope in an evidence bag, and hand that to your attorney, with a “When I die, or ask for it back”. Attorney-client privilege is in effect (Mind you, IANAL), and you’re good. Put flash drive in bank vault. Essentially treat the data like a nuke launch code. You have to get it from offsite backup location, AND get the password from the lawyer. So a theft of one won’t lose you the data.

    Congrats on getting it back. :)

    • Jeremiah Grossman

      @Josh Recently, I would’ve said you’re a little paranoid. This month, not so much. What a difference one forgotten password can make on your personality.

    • jp

      You seem to put a lot of faith in lawyers…

      • Jeremiah Grossman

        @jp Might have to trust someone at some point. If a lawyer’s entire career is on the hook with protecting me, I think our mutual interests alignment. About the best one can expect.

        • jp

          right, but trust and security aren’t the same thing. You sound like an expert in your field. You think your lawyer spends all his/her time researching security? For CYA security, maybe good enough. I’d probably recommend placing the password in a second safety deposit box at a different bank. Laywers and their assistants can be socially engineered, or if they keep the paper in the office it would be trivial to steal or for a nefarious employee to obtain (the night cleaners perhaps). Two bank hits would be pretty bold, and in the safety deposit box, you can be more sure that it is out of sight of any employees.

          • Joshua Marpet

            JP, trust me, Jer is an expert in his field. If you were talking about me, then I’ll let others speak to that. As for the bank idea, it’s a very do-able thing. However, a Lawyer is good, because a bank safe deposit box is subject to a subpoena. A lawyer’s files are not. Attorney-Client Privilege. Forgot to mention it, thanks for bringing that out!!!


          • Reto Lichtensteiger

            Half the password with your lawyer, half in a safe deposit box.

            Thank you, Jeremiah, for the cautionary tale. We often put too much trust into our electronic (keepass etc.) and meat memories.


    • Ross

      How paranoid are you? I live in an earthquake zone and keep an off-continent backup of my most important files (encrypted, of course). If I were you I’d be thinking about two lawyers and two safe deposit boxes…

  • Colm

    Great read man, loved it.

    • Jeremiah Grossman

      @Colm thank you!

  • varmapano

    Good post. Thanks!

    To take a few more steps on the paranoid road:

    – revealing “brazilian jiu-jitsu black belt” is helpful intel for the eventual abductor :)

    – revealing “I figured I was only missing between 1 – 3 characters of the password anyway.” tells about your passwords modification schemes (even though it seems it was more in the 6 chars realm) :).

    Since it seems you are already using one very strong password for each of your DMGs, wouldn’t you prefer changing them very infrequently? There’s no real need to change a good, strong password. If there is an exploitable vulnerability in the application using it, or ways to get the password in memory, etc, changing the password will not make a difference. And if someone REALLY wants it (very unlikely), that person can get it without even touching you once.

    • Jeremiah Grossman

      @varmapano Base password + modify 4-6 chars and locate then in “random” places in the original password string. Help me have sufficiently hard passwords while keeping memorization easier.

      • Jeremiah Grossman

        Oh, I’ll have to think you the idea of “not” changing my password as you mention. Good thing to consider.

  • Matthew Zito

    Question for you – I get the concerns around being forced to hand over a password, and so on. If that’s the case, why wouldn’t you use something like TrueCrypt, where you can easily hide encrypted volumes in plain sight, and then have nested volumes, where you can give up a password that reveals one set of content (fake), but a different password reveals the real content. I’m sure you’re aware of this tech already – curious why you’re not using it.

    • Jeremiah Grossman

      @Matthew Actually, I’m not using this tech and honestly, didn’t know that feature existed. Gotta see if TrueCrypt is available for OS X. Seems like handy misdirection to me!

      • Derek

        Yes, TrueCrypt is a great tool. Even the FBI couldn’t crack it. If you use the fake outer container approach, be sure to stock it with normal-looking content that a foreign cop would believe you’d have an interest in encrypting, but is otherwise meaningless.

        • Jeremiah Grossman

          @Derek I’ve got plenty of “real” data actually, like old presentations and marketing documents, they are welcome to pilfer. That should do quite well. Thanks again for the tip!

          • varmapano

            That is called “plausible deniability”.

          • Artis

            Now that you’ve disclosed your strategy publicly, you cannot reasonably claim “plausible deniability”.

      • Phil Calvin

        Am I the only one who finds it improbable that you of all people didn’t already know about TrueCrypt?

        Is this some sort of “plausible deniability” trick, saying that you didn’t know about it? We’re on to you, Mr. Grossman.

    • ryan

      I agree, Trucrypt is a great too, and it’s hidden volumes feature is outstanding for people really interested in privacy and security. Definitely look into it.

    • Kris

      Be as it may….. anyone with comprehensive knowledge of encryption schemes and tools can easily determine that there is something awry with a fake… i.e. the RAW information on unmounted disks… If you find yourself in such a precarious situation that you have to reveal your password, ideally you’d want it to destroy the relevant data, no? This message will self destruct in 5 seconds…. POOF!

  • Ashley

    Hey have you ever put that border crossing reason for encryption to the test? Can you refuse to give password and still get on the plane?

    • Jeremiah Grossman

      @Ashely Nah, I never been asked. What I have seen are the headlines, laws, tales of others, and law enforcement statements. Makes me nervous. I wanted to be prepped for the first time, which I hope never happens.

      • Gulltopr

        Depends on where you are – but you’re definitely not leaving/entering with your electronics. In the U.S. while you don’t have to give your password to police inside the country – you can not withhold your password at the border (without risking confiscation and/or other repercussions).

        This is the reason that for most law/financial firms where professionals are traveling internationally no confidential information is stored locally on the computer, and all work needs to be done via vpn/remote desktop…so that there is nothing to find on the computer that was used for travel. I know at some firms, computers (and phones/blackberries) are specially issued for trips to places like china and russia. These are specially secured (usb ports and case seams glued in, encrypted, etc.) and are immediately erased/wiped upon return to the US – since hacking/state surveillance is so prevalent…

  • Scott Jordan


    o You describe basically the same approach that I use: a fully-encrypted disk to keep things secure, with stuff I want kept even-more-secure in encrypted disk images. I documented that on my blog at The additional trick from that post that I’d recommend for you is to consider keeping at least some of your encrypted disk images in a versioning cloud service like Dropbox. (Ideally, since like me you are using a Mac, you’d use encrypted sparse bundle disk images, which are bandwidth-friendly.) The key is the versioning: you can go back in time using their web interface and retrieve a previous version of a file. In this case, that would have allowed you to retrieve a version with your previous password. (A good incremental backup utility like Time Machine–or, for Windows, Acronis True Image–would allow retrieval of an earlier version, too, and since you’re using a Mac I’m curious why Time Machine wouldn’t have allowed you to go far enough back to get to an old-password version of the disk image.) Note 1Password has an option to store its encrypted password file in your Dropbox… a really good idea, IMHO …assuming your 1Password password is a strong one!

    o But, you seem to use really big encrypted disk images, which makes cloud storage and electronic transmittal problematic. IMHO, that’s a bad idea for things like storage of short but mission-critical things like password lists. Better to put items like that in a small disk image, maybe 20MB, just big enough for the job, when possible.

    o I hope your readers also note your vivid illustration of how beneficial strong passwords are: long ones with lots of random characters that won’t succumb to a dictionary attack, leaving the attacker with only the choice of mounting a massive compute effort. As your experience underscores, the reason this story had a happy ending is because you were able to whittle down the unknown characters in the password to a handful, vastly easing the job of the forensic pros you were working with. Lucky!

    Congratulations on your happy ending.

  • JoeChip

    Exactly the same thing happened to a friend of mine a year ago. He changed the LUKS password on his company’s main Linux server, but he never used the new password for some months and neither did he write it down. Then the server was shut down because he was sure he remembered the password, but he couldn’t remember it. The server remained offline for two weeks while I cracked the password using the bits he remembered and a custom parallel program I developed to do the key space exploration. His company survived.

    • Jeremiah Grossman

      @JoeChip Oh man, they were out of business for two weeks!? Ouch. At leasat I could get SOME work get. That’s bad.

      • JoeChip

        They did do business during that time, but only with new projects, and they redid those that were in progress. All existing information was unavailable, including emails, files, contact information, etc. I’m talking about nearly fifteen people, and they were highly demoralized at the time. It was really painful to see.

  • Ray Kaplan

    Hi Jeremiah

    Hair-raising, page-turner of a tale to be sure. Really glad that it came out well. Thanks so much for your candor, decision to share it with us, and your usual excellent writing and documentation. This tale, or a stylized version of it with lessons learned, should be required reading for …, well everybody.

    Congratulations to all of you at WhiteHat on your recent round of funding.

    Be well


    • Jeremiah Grossman

      @Ray Hey! Thanks for the kind words. I’m relieved too! I figure we learn the most from “failures” and life challenges, even in compsec where I’m supposed to be some kind of pro. hah

  • Sami Lehtinen

    This is exactly why I always keep paper backup of the master passkey. But, the paper backup is encrypted with light encryption. Why not to use strong one? It really doesn’t matter, the master password is random string and 16 chars long. Then it’s encypted with simple phrase, using substitution, partitioning and transposition. After those steps, I’m confident that the password on paper is also utterly useless to anyone without knownledge how it is encrypted and what the simple passphrase is. The backup key is also hidden outside any reasonable search area.

    You should also be aweare of corruption risk of encrypted data. There fore it’s better to always have a off-site backup set with different encryption key(s).

  • The Dude

    You’re leaving out the scenario where your attorney’s office burns down, or he has an affair and absconds to Latin America just prior to your needing the document. I’m no security professional but many times I feel guilty for leaving all my highly portable and easy to steal devices so vulnerable to these many risks you mention (theft, border inspection, etc.) I’m even more terrible about up to date, local and offsite backup. With miniaturization we really need to reconsider how security is going to work. Eventually every box of Cracker Jack will come with a robotic mosquito that can go steal all your neighbor’s passwords as he types them in. FMRI might even improve to the point you can just read the password off as brain signals as they approach the ATM or iPad. A paper backup is no panacea. In event of your death it might not be found by the people you want to find it. Or alternately it may be found by people you’d rather didn’t find it. The best solution will probably be a loyal robot butler who can manage these things for us. At least one that leads us to believe it is loyal…

    • Jeremiah Grossman

      @The Dude Think they sell a loyal robot on Amazon? I have Prime! :) As long as my data is backed up and protected in such a way that it satisfies my paranoia, I can live with that. I got a few details wrong in my model and I’ll adjust accordingly.

    • BraveNewCurrency

      > The best solution will probably be a loyal robot butler

      And where do I store the root password for controlling the butler? Turtles (I mean Robot Butlers) all the way down?

  • Olaf Noehring


    for simple safety I would recommend

    Also I follow the idea of depositing the password some place safe – and by this I do not explicitly mean a lawyer. I suppose parents, grandparents make up for this too.

    For myself I decided not to use any encryption on backup files. I can understand your concern about a stolen laptop, and your idea of putting password into encrypted containers is quite nice. Nevertheless – an unencrypted backup, maybe in the vault of your bank – or again at some family member you can trust completely (I want to point out, that in marriage there is sometimes … let’s say .. a problem) is the most appealing to me. If your data is so important to you I think you probably have a backup offsite(!) – just in case the house burns down or a burglar happens to find your data.


    • Jeremiah Grossman

      @Olaf I use different physical locations for my backup data, which is not on a network. The thing is, I’m just as concerned with physical possession being obtained by law enforcement warrant as a robbery. In that sense, a safe is not good enough for protection plain text data.

  • fucktard

    god damn it you are a massive retard for forgetting your password; just use your pets name next time.

    • Jeremiah Grossman

      @fucktard my dogs name is $8ahad_^

      • Joshua Marpet

        Had to re-read username. made me blink. Jer, you’re normally so soft spoken. True Laugh Out Loud. :)

  • SG

    I like your setup in general, but I find the only issue with storing such large amounts of data in a disk image is that you can’t change the password of that image. Even on a semi-regular basis it would be tedious as the only real way of doing it is to create a new disk image with a new password, and then drag all your files across from the old one.

    I’m guessing this is what you had to do once your password became known by those involved?

    • Jeremiah Grossman

      @SG You are exactly right and that is correct. Fortunately I never had to give the DMG in question to anyone. It stayed with me.

      • Zusukar

        I’m not sure if you understood fully what SG mentioned. Your password decrypts the actual key used to encrypt the DMG. This is why you can change your password and not have to re-encrypt the gigs of data in the DMG. When you change your password, it only changes the encryption on the real key. The bit that dmg2john extracts is the encrypted key. For your password to be found, they verified that they could decrypt the actual key. They no longer need your password and it doesn’t matter if you change the password, they have the real key that doesn’t change. As SG said, you need to create a new DMG so that you get a new “real key” and move all of your data to that DMG.

        Also, you say that they emailed you the password after it was found? Hopefully that was encrypted email since most email is in the clear :)

  • Eric

    “…an awful deficiency in one of them”; care to share a detail or two?

    The password :

    Part one -> attorney

    Part two -> bank vault

    • Jeremiah Grossman

      @Eric That was one of the deficiencies…. lack of paper backup. Gave too much credit to my memory. I must be getting old or something.

  • Aleksandr

    Don’t rely on paper backup. Instead, rely on securely splitting up your password:

    • Jeremiah Grossman

      @Aleksandr This sounds like a good idea. I’m in the process of reconsidering all my personal computer security habits. This could come in handy. Thanks for sharing!

  • Jonathan S. Fisher (@exabrial)

    I have the EXACT same problem, but I just gave up hope. Is there a way I can get ahold of him? I’d certainly pay for his services!

    • Jeremiah Grossman

      @Jonathan Get ahold of the guys at Stricture? Just call the number of hit em up on Twitter.

      • Jonathan S. Fisher (@exabrial)

        I will thanks! If I wanted to try my hand at it first, do you have the configuration you used for johntheripper? I successfully compiled the whole thing and dmg2john, but I don’t understand how to setup an incremental search using just select letters on my keyboard

  • Pingback: How a security ninja cracked the password guarding his most valued assets |

  • Pingback: #breakingnews How a security ninja cracked the password guarding his most valued assets |()

  • Pingback: Sõnumid lahinguväljalt » Blog Archive » RT @mikko: Great story from @jeremiahg about despe…()

  • Alfred

    Oh, come on man, after all this you GOTTA share the password with us! I’m dying of curiosity! Besides, I guess you must’ve changed it by now so…. Please? 😀

    • Jeremiah Grossman

      @Alfred LOL. No chance in hell. Should someone have ever gotten that DMG, somehow, someway, they could unlocked it.

      • Joshua Marpet

        Admit it, Jer, it was hunter2. Or 123456, right? 😉

  • Pingback: How a security ninja cracked the password guarding his most valued assets - Hit Me Back()

  • Tony Perez

    Man, that is one daunting tale. One of my colleagues just went through this, but unlike you, he remembered it two days later. Very glad it worked out for you.

    Oh, and thanks for sharing some of things you do. You gave me a number of things that I should be doing as well. I do wonder what the impact of using FileValut is with something like TrueCrypt and Dropbox. I don’t store much of anything locally, but I use a TrueCrypt container which I store on Dropbox.

    Any thoughts on that? Any preferences on the use of encrypted containers and the cloud?

    And yes, that BJJ BB would hopefully be of some use in the event of a guy coming at you with a wrench.


    • Jeremiah Grossman

      For myself, I figure everything that goes into the cloud, or things like Dropbox, is basically public. I’d prefer for my most prized data possessions that people not even get the opportunity to hack at it. For other types of data, that might be perfectly acceptable risk / convenience.

  • Pingback: Jeremiah Grossman on ‘Password Cracking AES-256 DMGs and Epic Self-Pwnage’ « counter hack()

  • Jacob Yocom-Piatt

    loss of a crypto passphrase is such an awful failure mode that i’ve managed to never lose one myself.

    your solution was definitely interesting, i like to keep an encrypted offsite copy of my data whenever possible.

    • Jeremiah Grossman

      My data size was many gigs, so paper backup wasn’t necessarily an option. Fortunately, I came out of the incident relatively unscathed. Not must figure out how best to account for that with a new person security system.

  • Stefan sing

    My master password is split using shamir’s secret sharing among very close friends and relatives, and a minimum threshold of passwords from the pool of shared keys is needed to decrypt the password. For good measure I also share the php code to the application.

  • varmapano

    Not letting DMGs or TrueCrypt volumes “mounted” or “opened” for long periods when unnecessary is a very good idea.

    • Jeremiah Grossman

      It can be a bit annoying, but its meaningful security trade-off to me.

  • gdhefts

    Use SHA1_Pass to recall your passwords.

  • Alex

    Hi Jeremiah,

    Very interesting read. I recently launched to help with this exact scenario. It’s a web app that can generate “shares” of a password, each share being a random number that doesn’ t reveal anything about the original password. Reconstructing the password requires only that the “threshold” number of shares are available. Check it out and let me know what you think.



    • Jeremiah Grossman

      I will do that. Thanks for the tip!

  • Pingback: How a security ninja cracked the password guarding his most valued assets | Systems Technology Consultants Ltd – SYTECH()

    • Kevinv

      Whenever I change my password I force myself to immediately use it at least 3 times right away. This helps embed the be password in my head. So for a DMG I mount, unmount, remount the image several times.

  • Pingback: How a security ninja cracked the password guarding his most valued assets |

  • Pingback: Security News #0×34 « CyberOperations()

  • Don

    How will this change the way you choose and store passwords?

    • Jeremiah Grossman

      Working on that now actually. I make changes to my personal behavior this way slowly as a lot of variables needs to be accounted for.

  • czero

    why cracking when you can use Inception?

    If you have physical access to the machine you can attach over Thunderbolt…

  • Pingback: Larwyn’s Linx: Where Was Obama on Night of Benghazi Attack? WH Isn’t Saying | Preppers Universe()

  • oomph

    You should consult your attorney (or several) before believing that privilege will protect your information: Attorney-client privilege may cover 1. confidential 2. communications 3. between attorney and client 4. undertaken for the purposes of providing or receiving legal advice. It seems doubtful that the scenario you describe would satisfy all those criteria. There is no privilege for information you’ve merely required your attorney to hold on your behalf without some significant nexus to actual legal advice. Actual assessment and application of criteria varies by jurisdiction. Could you link the provision of the paper backup to counsel with some relevant request for legal advice? That link would still be subject to challenge, evaluation of which might involve limited disclosure to the court, and which, of course, might result in a finding that no attorney-client privilege actually obtains in the document.

  • Pingback: Password hell geek style. | Gordon's shares()

  • Kris Davis

    SpiderOak offers an encrypted, hands off approach to your data. If you lose the password, you are SOL. Just an idea for a location to store an encrypted password file. 2GB free. More is cheap. TrueCrypt as mentioned is amazing. There is a lot of wizardry you can do with it. ImDisk RAMdrive software to mount IMG in RAM is not bad either. Reboot and everything is cleared out. Doesn’t touch the local drive that way.

  • Pingback: Liquidmatrix Security Digest Podcast – Episode 20 – Liquidmatrix Security Digest()

  • Pingback: Cuando los expertos en seguridad olvidan las contraseñas | InformationWeek México()

  • Pingback: Weekendowa Lektura | Zaufana Trzecia Strona()

  • Pingback: WatchGuard Security Week in Review: Reader 0day | WatchGuard Security Center()

  • Pingback: Password Horror | Irreal()

  • Amos Shapir

    FWIW, I also use one Very Important Password, but there’s little chance I would ever forget it, because I only ever change it if I suspect it may have been revealed. Since I never write it down nor disclose it to anyone, I don’t think this would actually ever happen (especially considering the effort described in this article).

  • Stefan Alfredsson

    Maybe I missed something, but why not restore the last backup of your disk image (before the password change)? This image should still be encrypted with the old password. Sure, you’ll lose a few hour/days/weeks work, but compared to the alternative of losing it all it seems pretty good?

    By the way, I would fully recommend truecrypt instead of your current approach, for many reasons. One is portability, the image can be mounted on OSX, Windows, Linux, etc. Another would be plausible deniability, an encrypted volume is undetectable. A third is the “hidden volume” feature: Decrypt a volume with one key: Get family photos. Decrypt the same volume with another key: get sensitive documents.

  • Edie

    I got here from Tidbits and as a casual computer user I am go smacked by what sorts of information All You Big Users must have that requires contemplation of border guards, drugs and torture. I don’t even have a lawyer. Really, truly. I am boggled. My craft tutorials and dog pictures that I so carefully 1Password seem…. Well, they are important to me and my world, so that is what matters. Thank you for sharing your experience! I learned a lot, mostly about what I don’t know enough about to start learning about it. That makes today a good day!


  • Brian Rossmajer

    It sounds like the Truecrypt feature you really need is volume header backup. Have a look around the middle of this page: … once you backup the volume header, uuencode it, QR encode it, print it, and put THAT in your lawyer’s safe. If you ever lose your password you can restore the header from the printout, even if you’ve changed the password since you created the header backup.

  • Mik Dunt

    You should stop smoking marijuana!

  • Alex Santos

    Wow, what a ride! I haven’t read something like this in a while. My passwords are all 31 characters of random trash, I would never be able to remember them. I better come up with a solution. So I have to consider a print somewhere in a very secret place and should I (gulp) leave it with an attorney or an actual bank vault? I apologise for all the grief you went through, including your wife. Thanks a million for leaving us your experience. Fantastic read and many terrific lessons learned. I would have one problem, I don’t have all those contacts you do. Cheers!

  • Pingback: Cracking AES-256 DMGs and Epic Self-Pwnage | The Real Nirv()

  • Pingback: What was that password again? | meditationatae()

  • Pingback: Secure hash and salt for PHP passwords | Everyday I'm coding()

  • Kez

    Oh dear! I have been in this situation and know so many others who have! I don’t think there is anything worse. We keep so much of our lives on our computers, being locked out feel like you have been locked out of your entire life! If it ever happens again just check out it literally saved my (virtual) life and was sooo quick and easy to use!!!

  • games sex

    Hi there, just turned into aware of your weblog thru Google,

    and found that it is really informative. I’m going to be careful for brussels. I will be grateful if you happen to continue this in future. Numerous folks can be benefited out of your writing. Cheers!

  • Pingback: Security Expert Turns to Password Crackers for Help | In The Wild Testing Blog()

  • aes expert

    aes256 could be decrypted in less than 1 second

    • FreeBSD4me

      How about providing more details AES Expert? Are you saying a DMG file encrypted with AES256 using a password like “Il0ve_Stup1d_Tr0||$!” can be cracked in one second?

  • paul

    Really you did this all wrong since your entire password sounds brute forceable. The way I do it is:

    – set passphrase to random dictionary words, like Make no attempt to memorize phrase. Write it down on slip of paper and carry in pocket.

    – When necessary to use it (i.e. a few times a day for typical logins), refer to the slip of paper.

    – After a day or two you’ll remember the passphrase, so you no longer need the paper and can shred/burn/eat it. Done.

  • JasonL

    Thanks for the post! I had similar situation of losing a huge encrypted DMG file. However, in my case, it was due to simultaneous failure of two hard drives in an unraid system. Sections of the hard drives corrupted caused the DMG to be corrupted… everything else (non-encrypted) was fine…


  • attellian

    Just a heads-up. When I tried to sign in with twitter. I got the following error message. I’ve obfuscated it partially:

    POST to*****94c9&p=2047 failed: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)

    Back on topic. I never had a tech blog get me on the edge of my seat. Thanks for sharing this terrifying, but fascinating ordeal.

    I’m very confident that I’ll never forget my main pass. It is an initialism of a childhood song that I wrote myself, a song that is burned into my synapses from singing it for years. Among it are caps and special characters in places that make complete sense to me in the context of the song. It is 40-ish characters in length, and have served me well as a pass I’ve never written down, and never will.

  • Pingback: Do’s and dont’s secure hash and salt for PHP passwords « WebTUTs 2.0()

  • Joaquim

    10 min of my life wasted Reading this shit

  • Chuck

    I have been doing the same thing ever since going thru a border crossing and watching the officer spend 45 minutes opening up family photos and secure work files. It was very troubling, losing all control of what was opened. I do not have any files that would have put me at risk, but the loss of security for my work files.

    I appreciate your efforts to recover your files, but I would rather you were unable to recover then to know they can be broken into. I have a friend in the customs department, who says government agencies do have the ability to open our encrypted files.

  • Pingback: Secure hash and salt for PHP passwords | Top of the Stack()

  • Pingback: How to: Secure hash and salt for PHP passwords | SevenNet()

  • Pingback: Fixed Secure hash and salt for PHP passwords #dev #it #asnwer | Good Answer()

  • Pingback: InTelligence Blog Open Season on Passwords » InTelligence Blog()

  • Dave Petree

    Well, I just recently solved the password recovery problem. Should have our beta done by end of this week. AES file level encryption with a password recovery :)

  • Alexander

    Hey Jeremiah, thanks for an awesome post!

    I’m in your shoes right now and wanted to ask you what tools did you use for estimating password list size and it’s actual generation from those details about the password you could remember?

    I mean of course I can count it on the paper but maybe there’re tools out there that can simplify and speed up the whole process..

  • Pingback: Secure hash and salt for PHP passwords - HTML CODE()

  • Edward

    I have an encrypted external drive that I made on Mac OS X El Capitan. I am wondering if there is a way to crack my passcode I lost, I know the first five or so out of twelve or so characters of my password. Mac OS X asks for the password to mount the drive. Help! Thanks.

  • Aurelian N

    Hello, I had the same issue like you but my problem is that I don`t remember my password at all, is there a way to get the data back from that storage ? I have a 2 TB WD storage that holds all my life data . I don`t manage to recover that I`m like dead.

    Please help me .

    Thanks in advance.


  • Nícolas Wildner

    This reminds me this guy, that had almost the same problem wiht OpenBSD FDE, and a misspelled Italiand word among those who composed the password.

    What was the language of your password missing word? lol

    Thanks for sharing you story.