Interesting article on password guessing via cloud computing

vedaal at vedaal at
Thu Nov 5 16:05:19 CET 2009

David Shaw <dshaw () jabberwocky ! com>
wrote on 2009-11-04 18:34:49 :

>This is not, of course, an OpenPGP "crack", but rather high-speed
>password guessing.

a trivial way to defeat this,
would be to provide each client with a pgp keypair, 
(physically presented to the client upon the initial transaction)
and then encrypt the zipfile to a key and not even use a passphrase

what would be even more interesting,
is if it could be done in a way that truecrypt uses to protect its 
encrypted volumes, where the user can choose to use a keyfile as 
well as a passphrase, but it cannot be determined before decryption 
if a keyfile, passphrase, both or only one, has been used

so, imagine if a client has a zipfile encrypted to both a trivial 
password and to a pgp key, and it is not determinable from the 
encrypted file itself, if it was encrypted to a key as well,

all the cloud computing resources available will merrily spin 
themselves into exhaustion until they decide that the passphrase is 
'probably too long and complex to crack'
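
The keyfile idea described in the message above, as an added example that is not part of the original post and is not TrueCrypt's or PGP's code: a container whose layout is identical with or without a keyfile, so passphrase-only guessing can never confirm even a trivial passphrase. The mixing step, the HMAC-based toy stream cipher, the `MAGIC` marker and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"VOLUMEOK"   # constructed marker, only visible after correct decryption
ITERATIONS = 20_000   # assumption: kept low so the demo runs quickly

def derive_key(passphrase, keyfile, salt):
    # With a keyfile, its hash keys an HMAC over the passphrase before the KDF.
    # (Assumed mixing step for illustration, not TrueCrypt's keyfile handling.)
    secret = passphrase
    if keyfile is not None:
        secret = hmac.new(hashlib.sha256(keyfile).digest(), passphrase, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def _xor_stream(key, data):
    # Toy HMAC-SHA256 counter-mode keystream standing in for a real cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(payload, passphrase, keyfile=None):
    # Layout is always salt || ciphertext: no flag records whether a keyfile was used.
    salt = os.urandom(16)
    return salt + _xor_stream(derive_key(passphrase, keyfile, salt), MAGIC + payload)

def unlock(blob, passphrase, keyfile=None):
    salt, body = blob[:16], blob[16:]
    plain = _xor_stream(derive_key(passphrase, keyfile, salt), body)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None

def guess(blob, wordlist):
    # Passphrase-only guessing, as a cracking service without the keyfile would do.
    for word in wordlist:
        if unlock(blob, word) is not None:
            return word
    return None

WORDLIST = [b"password", b"letmein", b"1234"]   # constructed sample guesses
KEYFILE = b"constructed keyfile contents"        # constructed sample keyfile

if __name__ == "__main__":
    plain_only = seal(b"report", b"1234")
    with_keyfile = seal(b"report", b"1234", KEYFILE)
    print(len(plain_only) == len(with_keyfile))   # same size and layout
    print(guess(plain_only, WORDLIST))            # trivial passphrase is found
    print(guess(with_keyfile, WORDLIST))          # same passphrase, never confirmed
```
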


