Why revoke a key?
jerome+person at jeromebaum.com
Mon Oct 10 23:44:10 CEST 2011
On 2011-10-10 23:29, Jan Janka wrote:
> How long would it take to execute a successful brute force attack on
> a passphrase consisting of 12 symbols (symbols available on common
Calculate how many combinations there are, assume some number of tries
per second (you can experimentally find this out), and there you go.
But remember Murphy's(?) law! -- (I mean the one about doubling computer
power every 18 months -- are there two Murphy's laws? Confused now...)
You can measure the strength of your password in bits of entropy, which
is basically the log base 2 of the number of combinations. So if there
are 64 possible combinations (a single alphanum case-sensitive
password-ish) then you have 6 bits of entropy. In the diceware FAQ at
www.diceware.com you can find info about how long a password with a
given number of bits is supposed to be secure. Also some tips on how to
pick a memorizable secure passphrase.
> If the attacker only got the passphrase and not the private key, I
> can simply change the passphrase to be secure again. Right? So I'd
> say my key is compromised if I think an attacker got BOTH, the
> passphrase AND the key.
Yes but remember the attacker might get at an old version of your key
that still used the old passphrase.
Q: What is your secret word?
A: That's right.
Q: What's right?
Q: Sir, you're going to have to tell me your secret word.
Q: I said please tell me your secret word.
Q: What's your secret word?
Q: Sorry, "yes" is not your secret word. You have two more chances.
A: I said what?
A: Right, so you admit I said it.
Q: No, you said "yes."
A: No, "what!"
A: When you asked for my secret word!
Q: I'm sorry, that's incorrect. You have one more chance to say your
A: I'd like to speak to your supervisor.
Q: Very well, I'll transfer you. His name is Hu.
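The calculation Jerome sketches above (count the combinations, take log base 2 for bits of entropy, divide by a guess rate, then account for computing power doubling every 18 months), worked through as an added example that is not part of the original post. The symbol-set size of 95 (printable ASCII), the guess rate of 1e9 per second and the 50% average search fraction are constructed assumptions for illustration, not numbers from the thread.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400
SECONDS_PER_MONTH = SECONDS_PER_YEAR / 12


def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase: log2(alphabet_size ** length).

    Only valid if every symbol is chosen independently and uniformly; a
    human-picked passphrase has less entropy than this bound."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(alphabet_size: int, length: int,
                        guesses_per_second: float, fraction: float = 0.5) -> float:
    """Time to search `fraction` of the keyspace at a constant guess rate.

    fraction=0.5 gives the expected time to hit a random target; 1.0 gives
    the worst case."""
    return combinations(alphabet_size, length) * fraction / guesses_per_second


def brute_force_seconds_with_doubling(alphabet_size: int, length: int,
                                      guesses_per_second: float,
                                      doubling_months: float = 18.0,
                                      fraction: float = 0.5) -> float:
    """Same search, but the guess rate doubles every `doubling_months` months
    (the "doubling computer power" law mentioned in the post).

    Guesses made in t seconds at rate r(t) = r0 * 2**(t/T) are
        r0 * T / ln 2 * (2**(t/T) - 1)
    Setting that equal to the number of guesses needed and solving for t:
        t = T * log2(1 + needed * ln 2 / (r0 * T))
    For small keyspaces this collapses to needed / r0, as it should."""
    needed = combinations(alphabet_size, length) * fraction
    period = doubling_months * SECONDS_PER_MONTH  # T, in seconds
    return period * math.log2(1 + needed * math.log(2) / (guesses_per_second * period))


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario: 12 symbols drawn from 95 printable ASCII characters,
    # attacker guessing at 1e9 passphrases per second (assumed, not measured).
    alphabet, length, rate = 95, 12, 1e9
    print(f"combinations      : {combinations(alphabet, length):.3e}")
    print(f"entropy           : {entropy_bits(alphabet, length):.1f} bits")
    flat = brute_force_seconds(alphabet, length, rate)
    grow = brute_force_seconds_with_doubling(alphabet, length, rate)
    print(f"constant rate     : {seconds_to_years(flat):.3e} years")
    print(f"rate doubling/18mo: {seconds_to_years(grow):.1f} years")
```

The constant-rate figure is the one the post tells you to compute; the second function shows why the doubling caveat matters: once the search would take longer than a few doubling periods, the answer is dominated by how many doublings happen, not by today's guess rate, so an estimate that ignores it can be off by orders of magnitude.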