On Wednesday night I tweeted this:
If you are using TrueCrypt you should stop. Hashcat is now optimized to crack TrueCrypt volumes. https://t.co/voBdtKuuHW
— Jerry Gamblin (@JGamblin) December 10, 2015
I started getting retweets and replies like this on Friday from people I respect (and a bunch from people I don’t know):
@JGamblin this is a non sequitur. there are valid reasons to stop using TC, but Hashcat isn't one of them.
— Kyle Maxwell (@kylemaxwell) December 11, 2015
https://twitter.com/averagesecguy/status/674768017864134657
So people REALLY like TrueCrypt or I didn’t make my point articulately enough. In case I didnt make my point well enough I will try to lay it out here.
3 Reasons Why I Think You Should Stop Using TrueCrypt:
The developer stopped maintaining it, took down the webpage and replaced it with this.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues“.
I think that this reason should be more than enough to get 99% of people to stop using it.
The latest version of HashCat includes support for TrueCrypt volumes.
If you are using good passphrases (most people don’t) it really isnt a big deal but it does lower the level of complexity for hacking a TrueCrypt volume with a weak password from a medium-high skill level (Think Security Professional) to downloading kali and following instructions (Think Help Desk Analyst).
The developer stopped maintaining it, took down the webpage and replaced it with this.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues“.
There are many other open source and paid alternatives that you can evaluate and pick the best one for you. So unless you have an amazingly valid reason to not move off of TrueCrypt you should move off it as soon as possible.
