FORGOT PASSPHASE

Ryan Malayter rmalayter@bai.org
Wed Oct 24 16:41:01 2001


Even if you only used the 32 lower case letters, and your passphrase was
really a random 36-character string, then you're talking about 160+ bits of
entropy. That makes the key completely unrecoverable, even using billions
of years and every (conventional) computing machine on earth. A
general-purpose quantum computer might theoretically be able to crack it in
a short time frame, but such a device has not yet been publicly announced -
maybe the NSA has one.

If your passphrase is 36 characters long and made up of dictionary words
separated by spaces, well, that makes a brute force attack a lot easier -
but certainly not *easy.* 50,000 English words at 5 characters (average)
apiece, separated with spaces... That makes 5 English words in the
passphrase. That's still 80+ bits of entropy. Distributed.net has been
trying to brute force a 64-bit password for 3+ years using the equivalent of
250,000+ Pentium 300s. And distributed.net is only a bit more than halfway
done.

Unless your original passphrase was quite short, a brute force attack is
probably not feasible. If you consider a passphrase using only the 96
"typable" characters on a standard PC keyboard, any passphrase longer than 7
characters (96^7 ~ 2^46, or a 46-bit passphrase) is probably not crackable
using the computing resources available to an individual.

If you were careless enough to make your passphrase a single dictionary
word, it can probably be cracked in minutes, if not seconds, by simply
trying every word in a dictionary.

Regards,

:::Ryan Malayter, MCSE
:::Bank Administration Institute
:::Chicago, Illinois, USA


-----Original Message-----
From: Richard B. Tilley [mailto:rtilley@vt.edu] 
Sent: Tuesday, October 23, 2001 3:50 PM
To: gnupg-users@gnupg.org
Subject: Re: FORGOT PASSPHASE


How long would a brute force attack take if I had a pass phrase that
contained 3 dozen characters and 8 empty spaces? Say the processor is 1 GHz.
It may not be impossible, but it might as well be.

On Tue, 23 Oct 2001 23:25:24 +0300
Tommi Vainikainen <tvainika@cc.hut.fi> wrote:

> On Tue, 23 Oct 2001, rtilley@vt.edu wrote:
> > I think it's impossible. If you can't remember the passphrase, then 
> > you are out of luck.
> 
> Not of course impossible.  Brute-force attacks always work, i.e. just
> trying every possible password.  Also keep in mind that password is 
> usually shorter than key.
> 
> --
> Tommi Vainikainen
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org 
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


-- 
Richard B. Tilley (Brad)
Linux Systems Administrator
Virginia Tech Office of the University Bursar
233 Burruss Hall, Blacksburg, VA, 24061
Phone: 540-231-6277 or 540-231-7437
Pager: 557-0891
Fax: 540-231-3238
Web: http://bursar.vt.edu
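
A rough strength estimator for the three cases discussed in the reply at the top of this thread (random typable characters, dictionary words separated by spaces, a single dictionary word), as an added example that is not part of the original messages. The 96-character alphabet and 50,000-word dictionary are the figures from that reply; the sample word list and the guess rate are constructed assumptions.

```python
import math
import string

DICTIONARY_SIZE = 50_000        # dictionary size used in the reply
TYPABLE_CHARS = 96              # "typable" keyboard characters, per the reply
GUESSES_PER_SECOND = 1_000_000  # assumed attacker speed, not from the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample list; stands in for a lookup in a real dictionary.
SAMPLE_WORDS = {"correct", "horse", "green", "river", "table", "seven"}


def alphabet_size(passphrase):
    """Smallest character pool an attacker must cover for this passphrase."""
    if any(c not in string.ascii_letters + string.digits for c in passphrase):
        return TYPABLE_CHARS    # spaces or symbols: assume the full keyboard
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits)
    return sum(len(p) for p in pools if any(c in p for c in passphrase))


def char_model_bits(passphrase):
    """Bits of search space if every character is an independent choice."""
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def word_model_bits(passphrase, words=SAMPLE_WORDS):
    """Bits if the passphrase is only dictionary words; None if it is not."""
    tokens = passphrase.split()
    if tokens and all(t.lower() in words for t in tokens):
        return len(tokens) * math.log2(DICTIONARY_SIZE)
    return None


def estimated_bits(passphrase):
    """The attacker uses the cheapest model that fits, so take the minimum."""
    bits = char_model_bits(passphrase)
    word_bits = word_model_bits(passphrase)
    return bits if word_bits is None else min(bits, word_bits)


def years_to_search(bits, rate=GUESSES_PER_SECOND):
    """Expected time to find the passphrase: half the search space."""
    return 2 ** (bits - 1) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for p in ("horse", "k#9Tq!z", "correct horse green river table"):
        b = estimated_bits(p)
        print(f"{p!r}: {b:.1f} bits, {years_to_search(b):.3g} years")
```

Taking the minimum of the two models is what makes a 31-character phrase of five dictionary words far weaker than its length suggests, and a single dictionary word fall in well under a second at the assumed rate.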
