Is it a bad idea to use the same password and container size for multiple veracrypt container?

Question

I'm new here and have a basic question about encryption. I plan to securely store sensitive data on a company computer. Being one of hundreds little branches of a bigger company, it is not possible to turn off the computer after business hours (back ups, updates, data exchange).

I started storing documents in Veracrypt containers. I create a new one for each month and as I don't know how much data will end up there, I always use the same container size that fits them all in. Of course I also use the same password for each container. The password itself is secure.

Now after reading a bit more into encryption, let us assume: Someone gets access to the computer and finds multiple containers that all have the same size and password (which the person doesn't know), can the person compare them and resolve the encryption or password?

In other words: Does using the same container size and password for multiple files create a vector of attack to resolve the content of the data?

I hope you got what I mean, English isn't my first language.

Thanks in advance.

Answer 1

I don't know and can't think of any specific risk associated to using the same container size for several VeraCrypt volumes. It's not making the containers use the same master encryption key, even if the password is shared: that key is random and (with overwhelming certainty) unique per container. If it was not, that would likely have been caught by this competent 2020 audit, which I summarize as: VeraCrypt is nearly as secure as a collaboratively written software of this large size and old roots can be.

On password reuse, a digest of textbooks on security, or the need to be unobjectionable in a Big Company's IT policy, leads to this answer, which is that password reuse is baaad. Which is very true for passwords to websites.

But the risk of password reuse in encryption must be balanced against other risks:

• If we use multiple passwords, and forget one, the corresponding data is lost. This risk is unique to encryption; it does not apply to most websites. This risk augments very quickly with the number of passwords, in particular because most humans remember passwords only when used often.
• If in order to avoid the increased risk of the above we write down the multiple passwords, they can get compromised thru that paper backup. While a paper backup is not necessarily bad, that should be in a tamper-evident sealed opaque envelope, thus impossible to use on a regular basis.
• There's very real risk that the password(s) are compromised thru penetration of the computer's hardware (keyboard itself; it's USB or PS/2 bus if wired, radio link if wireless; it's memory which can be probed thru a PCI device or controller on this bus, or thru the BIOS), and of course a compromise of the OS. At least the last attack can compromise the data without needing the password. When such attack is setup, several passwords give little more protection than one. Thus we must not be overconfident in the security provided by password-based encryption anyway.

So in my opinion, if the secret data is to be accessed by a single person (or group of persons sharing the password and access rights to all the data) on a single computer (or a set of computers with no segregation of some data to a subset of computers), the best option is a single memorized passphrase.

Answer 2

Yes, using the same container size and password for multiple Veracrypt containers creates a significant vector of attack, even if the password itself is strong. Here's why:

Brute Force Attack: Attackers can perform a brute-force attack against one container and, upon success, use the same password on all other containers of the same size. This significantly reduces the effort and time required to access all your data.