[OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

lists at meumonus.com lists at meumonus.com
Tue Apr 19 05:13:55 CEST 2011 

I think a lot of this password philosophy is nonsense for most people. The only things that are likely to be brute-forced are Edge devices with some sort of tactical purpose. Average Joe user is more at risk from phishing or another social engineering tactic.

I'm a big fan of ridiculously large passwords that are completely unintelligible that include all sorts of !)/GJhj32;':" characters for static non-user based accounts. Now that password has to be stored though, which then gets into how should the password itself be secured...

-Devin
Sent on the Sprint® Now Network from my BlackBerry®

-----Original Message-----
From: David Shaw <dshaw at jabberwocky.com>
Sender: gnupg-users-bounces at gnupg.org
Date: Mon, 18 Apr 2011 22:21:49 
To: Robert J. Hansen<rjh at sixdemonbag.org>
Cc: GnuPG Users<gnupg-users at gnupg.org>
Subject: Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

On Apr 18, 2011, at 6:56 PM, Robert J. Hansen wrote:

>> Yes, well, that would mean that a 32-character English passphrase will
>> average about 64 bits of randomness. Is that really enough to protect
>> a key from an offline brute force attack? I think not, but am open to
>> being persuaded. :)
> 
> As I've said a few times now, no question about "is X really sufficient to protect a passphrase from being broken?" can be answered without a lot of context.  Who are you worried about breaking it?  How hard will they try?
> 
> To give you an example, RC5-64 was a giant distributed network of computers run by hobbyists using spare CPU cycles, trying to brute-force a 64-bit key.  Their volunteer network was much larger than anyone outside of megacorporations or First World intelligence agencies or major crime syndicates have.
> 
> It took them eighteen months.

Actually around 58 months: just under 5 years.

> 64-bit crypto isn't good for long-term storage, but if you want to foil someone who doesn't have megacorporation-level resources for a period of months or years, it'll do just fine.  Against First World intelligence agencies it might take a few seconds.

Are you asserting that there exists a group that can brute-force a 64-bit key in a few seconds?

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

More information about the Gnupg-users mailing list