[OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

Todd A. Jacobs codegnome.consulting+gnupg.org at gmail.com
Sun Apr 17 04:56:59 CEST 2011


On Sat, Apr 16, 2011 at 11:00 AM, Peter Pentchev <roam at ringlet.net> wrote:
> Mine, for instance, is over 30 characters long and, while it is derived
> from a couple of phrases, none of its components would be found by any
> reasonable brute-force or even dictionary attack, even by people who
> know me (please note that I did say "reasonable" WRT resources).

So, no common prefixes, suffixes, or parts of words? No syntactical
regularities, such as punctuation at the end of a sentence? No
language-specific dipthongs, digraphs, etc? No regular substitutions
(e.g. 3 for E)? So on and so forth. :)

While I'm not disputing that you've created a reasonably strong
passphrase, my original point was that any passphrase that isn't fully
random has a reduced keyspace. I'm not enough of a mathemagician to
say how much it's reduced, but it's certainly reduced by a non-zero
amount.

Consider:

    Th qk brwn fx jmpd vr th lz dg.

None of the words are in an English language dictionary, but I can't
imagine anyone saying this would be resistant to a dictionary attack,
since any good cryptographic dictionary would probably take such
regular transformations into account. At 32 characters, it's certainly
random enough to stump a human's brute force attempts, but I wouldn't
hold it up as the gold standard for protecting cryptographic keys.



More information about the Gnupg-users mailing list