# How secure is GnuPG

**Daniel Carrera**
dcarrera@math.toronto.edu

*Tue Jul 23 23:00:01 2002*

> Yes, but most people don't have passphrases that are that long.
> Something you should remember is that statistically, in English, each
> letter has about 1.3 bits of entropy. Therefore, you need a 98/99
> character passphrase.
I'm confused. Perhaps I have severely misjudged the security of my
passphrase.
This is how I calculated it:
Suppose that my passphrase has only lowercase alphabetic characters and
has n characters. Since there are 26 letters, the number of possible
permutations is 26^n. Thus, if I want security at least as good as a 128
bit key, I require n such that:
26^n >= 2^128
That gives n >= 28.
If you use mixed case letters and numbers, you need:
62^n >= 2^128
which gives n >= 22.
A passphrase with 28 letters is not impossible to remember. You could,
for instance, come up with a paragraph with more than 28 words and take
the first letter of each word. That's not quite random, but pretty good.
Add a few unusual characters here and there, some random capitalization
and you'll be good.
Since I know how to type, 28 characters aren't too bad.
Have I made a mistake somewhere here?
Daniel.
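The length calculation above (smallest n with 26^n >= 2^128, and the 62-symbol variant) worked through in code, as an added example that is not part of the original mailing-list post. It also carries the quoted reply's figure of about 1.3 bits of entropy per letter of English to the 128-bit target, which is where the 98/99-character number comes from. The alphabet sizes other than 26 and 62, and the 64-bit target, are assumptions added for comparison.

```python
import math

# Character sets: 26 and 62 are the sizes used in the post; the 95-symbol
# printable-ASCII set is an added assumption for comparison.
ALPHABETS = {
    "lowercase letters": 26,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}

# Entropy per letter of ordinary English text, as cited in the quoted reply.
ENGLISH_BITS_PER_LETTER = 1.3


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest n such that alphabet_size ** n >= 2 ** target_bits.

    Uses exact integer arithmetic instead of floating-point logarithms so that
    boundary cases (e.g. alphabet_size == 2 ** k) come out exactly rather than
    off by one from rounding.
    """
    if alphabet_size < 2 or target_bits < 0:
        raise ValueError("alphabet_size must be >= 2 and target_bits >= 0")
    target = 1 << target_bits  # 2 ** target_bits
    n, space = 0, 1
    while space < target:
        space *= alphabet_size
        n += 1
    return n


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols: length * log2(size)."""
    return length * math.log2(alphabet_size)


def min_length_at_rate(bits_per_char: float, target_bits: int) -> int:
    """Length needed when each character carries only `bits_per_char` of
    entropy, e.g. natural-language text rather than random symbols."""
    if bits_per_char <= 0:
        raise ValueError("bits_per_char must be positive")
    return math.ceil(target_bits / bits_per_char)


def length_table(target_bits: int = 128) -> dict:
    """Required lengths for every alphabet in ALPHABETS plus English prose."""
    table = {name: min_length_for_bits(size, target_bits)
             for name, size in ALPHABETS.items()}
    table["English prose (1.3 bits/letter)"] = min_length_at_rate(
        ENGLISH_BITS_PER_LETTER, target_bits)
    return table


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"Characters needed for {bits}-bit security:")
        for name, n in length_table(bits).items():
            print(f"  {name:32s} {n:4d}")
```

The two calculations differ only in the per-character entropy assumed: a uniformly random lowercase string carries log2(26), roughly 4.7 bits per letter, while English prose carries about 1.3, so the same 128-bit target needs 28 random letters but roughly 99 letters of text. A first-letters-of-each-word passphrase lands somewhere between the two, which is why the post calls it "not quite random".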