[Q] Diceware password size

Ryan Malayter rmalayter@bai.org
Wed May 28 19:17:02 2003

From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
> What precautions would you suggest be used to protect one's data?
> I mean, if it's so easy to grab the pass phrase as you say it is, why
> bother with GnuPG at all?

GnuPG is good at protecting against the attacker without the means to
target you specifically. For example, there are reliable sources which
state that the FBI and NSA scan most unencrypted email on the internet by
having filters installed at strategic choke points on the Internet.

GnuPG is also good for sharing information securely when another channel
is unavailable. When I need to change a password or the configuration of
a machine hosted off-site, I send the hosting service a signed and
encrypted email with my configuration changes or password information.
Voice mail or even plain telephone isn't secure enough, and I'm not
driving over there every time.

GnuPG is useful because it makes intercepting or forging messages orders
of magnitude harder. It is very easy to do these things on unencrypted
communications; using GnuPG takes out >>90% of your potential
adversaries. A snoop or hacker that is not specifically after *you* will
simply move on to an easier target.

> What advice would you offer?

Assume that anything you put on your PC is vulnerable to a determined
attacker that is targeting you specifically, be it a skilled hacker,
espionage agent, or police agency.

There are analogs for GnuPG's shortcomings in the physical world: using
a bank's safe deposit box protects you from 99% of the people who would
want to get at your valuables. But someone could always mug you and take
the key, or make a copy by breaking into the locker room in your health
club and stealing your ID and the key. Of course a police agency can
usually get a court order to look in the box.

But by using the safe deposit box, you reduce the spectrum of attackers
to those who are especially skilled or powerful and want to target you

