
Changing the Password - Does it result in a loss of security?

Topics: Users Discussion
Sep 9, 2015 at 7:31 PM
This may be a stupid question, but bear with me here.

Let's say I change my password after system encryption, and I choose another password that is exactly equivalent in security level (same length, same amount of special chars / numbers, etc.). Does the process of changing the password result in any loss of security all else being equal?

I'm wondering if changing the password leaves any artifacts or somehow weakens the encryption, giving an attacker an easier time in cracking the system. Can I change my password as many times as I want with no loss in security?

Second question, if I change my password or PIM will VeraCrypt have to re-encrypt the system?
Sep 9, 2015 at 8:09 PM
> Does the process of changing the password result in any loss of security all else being equal?

No.

> I'm wondering if changing the password leaves any artifacts or somehow weakens the encryption, giving an attacker an easier time in cracking the system. Can I change my password as many times as I want with no loss in security?

If an attacker has access to your old header key and they know your password, keyfiles and PIM, they can use the old header key to mount the volume. The header key contains the encryption key (AES, Twofish, Serpent) used to perform the on-the-fly encryption/decryption. The only time you create the encryption key is during the create volume process. You cannot change the encryption key unless you decrypt and re-encrypt the volume.

> Second question, if I change my password or PIM will VeraCrypt have to re-encrypt the system?

No. For system encryption, recreate the rescue disk. For non-system encryption, create a new external header key backup.
Sep 10, 2015 at 2:31 AM
Edited Sep 10, 2015 at 2:32 AM
Thanks for your reply.

I've successfully changed my password. After the password change, I received a popup from VeraCrypt with the following message:
IMPORTANT: If you did not destroy your VeraCrypt Rescue Disk, your
system partition/drive can still be decrypted using the old password (by
booting the VeraCrypt Rescue Disk and entering the old password). You
should create a new VeraCrypt rescue Disk and then destroy the old
one.
From what I understand, this message is telling me that I can still decrypt my HD using the old rescue disk. How is this possible when I changed the password?
Sep 10, 2015 at 3:03 AM
Edited Sep 10, 2015 at 3:13 AM
Because the old rescue disk has the old header key that is created using the old password.

https://veracrypt.codeplex.com/wikipage?title=VeraCrypt%20Rescue%20Disk

> WARNING: By restoring key data using a VeraCrypt Rescue Disk, you also restore the password that was valid when the VeraCrypt Rescue Disk was created. Therefore, whenever you change the password, you should destroy your VeraCrypt Rescue Disk and create a new one (select System -> Create Rescue Disk). Otherwise, if an attacker knows your old password (for example, captured by a keystroke logger) and if he then finds your old VeraCrypt Rescue Disk, he could use it to restore the key data (the master key encrypted with the old password) and thus decrypt your system partition/drive.
Sep 10, 2015 at 3:29 AM
A little confusing and counter-intuitive, but it makes sense. Thanks for the help.
Oct 23, 2015 at 9:27 PM
Edited Oct 23, 2015 at 9:28 PM
Hi, Newbie here.

Just want to confirm that the rescue disk etc. mentioned above is not applicable if you are changing the password for a container volume. Am I right?
Oct 23, 2015 at 10:07 PM
Edited Oct 23, 2015 at 10:11 PM
asker123 wrote:
Hi, Newbie here.

Just want to confirm that the rescue disk etc. mentioned above is not applicable if you are changing the password for a container volume. Am I right?
Correct. The Rescue Disk is only for system encryption.

You can make an external backup of the header key using the Volume Tools button which I recommend. Anytime you change the password for non-system volumes, create a new external header key backup file and destroy the old external file backup for the same reasons I discussed for the Rescue Disk.
Oct 23, 2015 at 10:52 PM
Enigma2Illusion wrote:
asker123 wrote:
Hi, Newbie here.

Just want to confirm that the rescue disk etc. mentioned above is not applicable if you are changing the password for a container volume. Am I right?
Correct. The Rescue Disk is only for system encryption.

You can make an external backup of the header key using the Volume Tools button which I recommend. Anytime you change the password for non-system volumes, create a new external header key backup file and destroy the old external file backup for the same reasons I discussed for the Rescue Disk.
Thank you for the prompt answer. When I am backing up the header key (for a container volume), after providing the password, it asks me whether I have a hidden volume or not. I answer 'No' as I do not have one. Then it again asks to confirm whether I want to create the volume header backup or not. It says "Both the standard and hidden volume headers will be re-encrypted using a new salt and stored in the backup file....."

I hope it does not reduce the security in any way as also asked by OP.....
Oct 24, 2015 at 1:05 AM
Edited Oct 24, 2015 at 1:18 AM
asker123 wrote:
I hope it does not reduce the security in any way as also asked by OP.....
No impact to the security. The message is telling you that VeraCrypt is creating a new header key to store in the external file. No different process than when VeraCrypt creates the original header key for the volume.
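The three answers above (the header key wraps the master key, an old Rescue Disk or header backup still opens with the old password, and a header backup is re-encrypted with a new salt) describe one mechanism. The following is an added toy model of that mechanism, written for this thread; it is not VeraCrypt's code. Everything about the format is an assumption chosen for clarity: the header key is derived with PBKDF2-HMAC-SHA512 from the password and a 64-byte salt, the master key is "encrypted" by XOR with half of the header key and checked with an HMAC keyed by the other half (VeraCrypt really uses XTS mode plus a magic string and CRC checks), and the iteration count is a constructed value rather than VeraCrypt's PIM-dependent one. The `demo()` function, the password strings and the header layout are all constructed for the example.

```python
"""Toy model of a VeraCrypt-style volume header (added example, not VeraCrypt code).

The structural point is the real one from the thread: the password only ever
unlocks the header; the master key that encrypts the data is generated once,
at volume creation, and survives every password change and header backup.
"""
from __future__ import annotations

import hashlib
import hmac
import os

SALT_LEN = 64          # assumed header salt size
MASTER_KEY_LEN = 32    # assumed data-encryption (master) key size
ITERATIONS = 100_000   # constructed; real counts depend on the PRF and the PIM


def derive_header_key(password: bytes, salt: bytes) -> bytes:
    """64 bytes: the first 32 wrap the master key, the last 32 key the integrity tag."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITERATIONS, dklen=64)


def _seal(master_key: bytes, password: bytes) -> dict:
    """Encrypt master_key under a header key derived from password and a fresh salt."""
    salt = os.urandom(SALT_LEN)
    header_key = derive_header_key(password, salt)
    wrapped = bytes(m ^ k for m, k in zip(master_key, header_key[:32]))
    tag = hmac.new(header_key[32:], salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def create_volume(password: bytes) -> tuple[dict, bytes]:
    """The only point at which a master key is generated."""
    master_key = os.urandom(MASTER_KEY_LEN)
    return _seal(master_key, password), master_key


def open_header(header: dict, password: bytes) -> bytes | None:
    """Return the master key, or None if the password does not fit this header."""
    header_key = derive_header_key(password, header["salt"])
    expected = hmac.new(header_key[32:], header["salt"] + header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(w ^ k for w, k in zip(header["wrapped"], header_key[:32]))


def change_password(header: dict, old_password: bytes, new_password: bytes) -> dict:
    """Re-seal the same master key under a new password and salt; no data is re-encrypted."""
    master_key = open_header(header, old_password)
    if master_key is None:
        raise ValueError("old password rejected")
    return _seal(master_key, new_password)


def backup_header(header: dict, password: bytes) -> dict:
    """External header backup: same master key, same password, fresh salt (so a new header key)."""
    master_key = open_header(header, password)
    if master_key is None:
        raise ValueError("password rejected")
    return _seal(master_key, password)


def demo() -> dict:
    """Walk through the thread's scenario and return each observation as a boolean."""
    old_pw, new_pw = b"constructed-old-password", b"constructed-new-password"
    header_v1, master = create_volume(old_pw)
    rescue_copy = dict(header_v1)          # stands in for the old Rescue Disk / header backup
    header_v2 = change_password(header_v1, old_pw, new_pw)
    backup_v2 = backup_header(header_v2, new_pw)
    return {
        "new_pw_opens_new_header": open_header(header_v2, new_pw) == master,
        "old_pw_rejected_by_new_header": open_header(header_v2, old_pw) is None,
        "old_copy_still_opens_with_old_pw": open_header(rescue_copy, old_pw) == master,
        "backup_has_new_salt_but_same_master": backup_v2["salt"] != header_v2["salt"]
        and open_header(backup_v2, new_pw) == master,
        "master_key_unchanged_by_password_change":
            open_header(header_v2, new_pw) == open_header(header_v1, old_pw),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `old_copy_still_opens_with_old_pw` line is the warning from the Rescue Disk documentation in code form: destroying the old header copy, not changing the password, is what revokes the old password. The `backup_has_new_salt_but_same_master` line is the "re-encrypted using a new salt" dialog: a fresh salt gives a fresh header key and a different ciphertext, while the master key inside is unchanged, which is why the backup costs nothing in security.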