maximum passphrase for symmetric encryption ?

Jerome Baum jerome at
Tue Dec 27 23:23:50 CET 2011

On 2011-12-27 23:14, vedaal at wrote:
> Is there a maximum size for a passphrase for symmetric encryption 
> in gnupg, or does a passphrase exceeding a certain size not add any 
> further security to the process?
> Example,
> The session key for AES 256 is 64 hexadecimal characters.
> The approximate equivalent in brute force work is 20 diceware 
> words.
> [ 7776^19 < 2^256 < 7776^20 ].
>  A string of 15 diceware words is often more than 64 characters.

I can't tell for gpg specifically but it's not so much about
"characters". It's about entropy. Natural language is redundant, and
diceware uses words from natural language.

Let's say we all adopted the convention to write every character twice,
to recover from errors in transmission. Is ttrraannssmmiissssiioonn any
more secure than transmission, given that an attacker knows you're
doubling every letter? No, because it doesn't have more entropy.

So don't measure characters; your upper bound is entropy, so 20 diceware
words apparently contain 256 bits of entropy (based on your numbers).
That means any more than 20 words isn't going to add for the case of

Like I said, this is not gpg-specific. For all I know, gpg might cut off
after the 64th character and drop entropy from your passphrase. But that
sounds unlikely.

Wikipedia is great for further reading.

PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
No situation is so dire that panic cannot make it worse.
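
The entropy argument in the message above, as an added example that is not part of the original post. It assumes words are drawn uniformly and independently from a 7776-word diceware list; the function names and the four-word toy list are constructed for illustration.

```python
import itertools
import math

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words: five dice rolls pick one word


def words_to_cover(key_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose passphrase space is at least 2**key_bits."""
    words = 0
    space = 1
    while space < 2 ** key_bits:  # exact integer arithmetic, no rounding
        space *= list_size
        words += 1
    return words


def entropy_bits(word_count, list_size=DICEWARE_LIST_SIZE):
    """Entropy of word_count words drawn uniformly and independently."""
    return word_count * math.log2(list_size)


def double_letters(text):
    """The 'write every character twice' convention from the message."""
    return "".join(ch * 2 for ch in text)


def search_space(wordlist, word_count, transform=lambda s: s):
    """Every distinct passphrase an attacker who knows the scheme must try."""
    return {transform(" ".join(combo))
            for combo in itertools.product(wordlist, repeat=word_count)}


# Constructed toy word list (not the real diceware list), small enough to enumerate.
TOY_WORDS = ["transmission", "panic", "entropy", "dice"]

if __name__ == "__main__":
    for bits in (128, 192, 256):
        n = words_to_cover(bits)
        print(f"{bits}-bit key: {n} words ({entropy_bits(n):.1f} bits)")
    plain = search_space(TOY_WORDS, 3)
    doubled = search_space(TOY_WORDS, 3, double_letters)
    # Same number of candidates, twice the characters: length is not entropy.
    print(len(plain), len(doubled))
    print(max(map(len, plain)), max(map(len, doubled)))
```
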
