There is no limit on the length of a passphrase,

Robert J. Hansen rjh at sixdemonbag.org
Wed Oct 22 05:10:01 CEST 2008


Morton D. Trace wrote:
> Dear list readers I just found this article.

Be careful of anything you get off the internet.  This article is not
especially good.

> Calculating the entropy of a password is here well explained,
> I don't know if it is mathematically correct,

[shrugs]  Yes.  No.

The reality is that very few people let a CSPRNG spit out a base-64
password for them to remember (six bits of entropy per glyph).  They're
hard to remember.  Good passphrases are easy to remember but hard to
guess, which means they need to be rather large pieces of text.

Per Shannon's estimates, there are roughly 1.5 bits per glyph of English
text.

> one unicode character has approx three times the entropy as one ascii
> character.

That's assuming you're picking randomly from Unicode code pages.  If you
don't mind having "Tamil vowel sign au", "Linear B ideogram B182", "full
outer join", "circled Hangul Pieup A" as your passphrase, then you can
get some pretty good entropy.  The problem comes from having to enter
... well ... Tamil vowel sign au, Linear B ideogram B182, full outer
join and circled Hangul Pieup A as your passphrase.  Good luck
remembering it: I bet you'll forget it in under a month.

> I'd really like to see UTF-8 supported in GnuPG and be able to type some
> characters from my keyboard,

UTF8 is supported.  However, your OS may not support it.  That's an
OS-level issue, not a GnuPG issue.  My Mac supports UTF-8 just fine,
including exotics like "circled ideograph wood".

> and additionally select some cool unicode letters from a language only I
> know.

If only you know it, then kiss randomness goodbye.  Someone who wants to
attack your passphrase will focus their attack on symbols from languages
you know.  The only defense is to pick randomly.

> Can GnuPG accept UTF-8 Characters as passphrase input?

Depends on your OS.

> will additional UTF-8 unicode passphrase support increase the entropy
> according to my entropy calculations?

Yes, but this is a case of buying a few hundred yards of rope just to
make _sure_ you have enough with which to hang yourself.

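A small worked example of the entropy bookkeeping discussed above, added here and not part of the original thread: per-glyph entropy under each way of generating a passphrase, the length needed to reach a target strength, and a random-word picker driven by the OS CSPRNG (the "pick randomly" advice). The Unicode figure is an assumption for the example: it treats all 1,114,112 code points as equally likely, which overstates what anyone could actually type or remember.

```python
import math
import secrets

# Bits of entropy per glyph under each generation model from the thread.
# The Unicode model is an assumption for this example: every code point
# U+0000..U+10FFFF equally likely, which no human-typed passphrase achieves.
MODELS = {
    "random base64 glyphs": math.log2(64),             # 6 bits per glyph
    "random printable ASCII": math.log2(95),           # ~6.57 bits per glyph
    "random Unicode code point": math.log2(0x110000),  # ~20.1 bits per glyph
    "English prose (Shannon estimate)": 1.5,           # figure quoted above
}


def passphrase_bits(model: str, length: int) -> float:
    """Entropy in bits of a passphrase of `length` glyphs drawn under `model`.

    Only valid when each glyph is chosen independently and uniformly; for
    English it is an average over ordinary prose, so a well-known quotation
    or song lyric carries far less than this estimate."""
    return MODELS[model] * length


def glyphs_needed(model: str, target_bits: float) -> int:
    """Smallest passphrase length (in glyphs) reaching `target_bits` under `model`."""
    return math.ceil(target_bits / MODELS[model])


def random_words_passphrase(wordlist, n_words: int) -> tuple[str, float]:
    """Pick n_words uniformly at random with secrets (the OS CSPRNG), so the
    entropy is exactly n_words * log2(len(wordlist)) regardless of which
    languages the user happens to know. Returns (phrase, bits)."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return " ".join(words), n_words * math.log2(len(wordlist))


if __name__ == "__main__":
    for model in MODELS:
        print(f"{model:34s} {MODELS[model]:5.2f} bits/glyph, "
              f"{glyphs_needed(model, 128):4d} glyphs for 128 bits")
    # Constructed toy wordlist for the demo; a real list has thousands of entries.
    toy_list = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "hinge"]
    phrase, bits = random_words_passphrase(toy_list, 6)
    print(phrase, f"({bits:.1f} bits)")
```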