Why revoke a key?

Jerome Baum jerome+person at jeromebaum.com
Mon Oct 10 23:44:10 CEST 2011

On 2011-10-10 23:29, Jan Janka wrote:
> How long would it take to execute a successful brute force attack on
> a passphrase consisting of 12 symbols (symbols available on common
> keyboards)?

Calculate how many combinations there are, assume some number of tries
per second (you can experimentally find this out), and there you go.

But remember Murphy's(?) law! -- (I mean the one about doubling computer
power every 18 months -- are there two Murphy's laws? Confused now...)

You can measure the strength of your password in bits of entropy, which
is basically the log base 2 of the number of combinations. So if there
are 64 possible combinations (a single alphanum case-sensitive
password-ish) then you have 6 bits of entropy. In the diceware FAQ at
www.diceware.com you can find info about how long a password with a
given number of bits is supposed to be secure. Also some tips on how to
pick a memorizable secure passphrase.

> If the attacker only got the passphrase and not the private key, I
> can simply change the passphrase to be secure again. Right? So I'd
> say my key is compromised if I think an attacker got BOTH, the
> passphrase AND the key.

Yes but remember the attacker might get at an old version of your key
that still used the old passphrase.

Q: What is your secret word?
A: That's right.
Q: What's right?
A: Yes.
Q: Sir, you're going to have to tell me your secret word.
A: What?
Q: I said please tell me your secret word.
A: What?
Q: What's your secret word?
A: Yes.
Q: Sorry, "yes" is not your secret word. You have two more chances.
A: I said what?
Q: Yes.
A: Right, so you admit I said it.
Q: No, you said "yes."
A: No, "what!"
Q: When?
A: When you asked for my secret word!
Q: What?
A: Yes!
Q: I'm sorry, that's incorrect. You have one more chance to say your
secret word.
A: I'd like to speak to your supervisor.
Q: Very well, I'll transfer you. His name is Hu.
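The arithmetic Jerome sketches above (count the combinations, assume a guess rate, take the log base 2 for bits, and remember that the attacker's hardware keeps getting faster) can be put into a small calculator. The following is an added example and is not part of the original post or of GnuPG; it assumes 95 printable ASCII characters as the "symbols on common keyboards", a constructed guess rate of 10^12 tries per second, the 18-month doubling period mentioned in the post, and the standard 7776-word Diceware list.

```python
"""Passphrase strength estimator: combinations, bits of entropy, and
expected brute-force time with and without attacker speed-up.
Added example, not code from the mailing-list post."""
import math

SECONDS_PER_MONTH = 365.25 * 86400 / 12   # average month, used for the doubling period
SECONDS_PER_YEAR = 12 * SECONDS_PER_MONTH
PRINTABLE_ASCII = 95                      # assumption: "symbols available on common keyboards"
DICEWARE_LIST_SIZE = 6 ** 5               # 7776 words: five dice rolls pick one word


def combinations(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Strength in bits: log base 2 of the number of combinations, as in the post."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> float:
    """An exhaustive search finds the passphrase, on average, halfway through."""
    return combinations(alphabet_size, length) / 2


def seconds_at_constant_rate(guesses: float, guesses_per_second: float) -> float:
    """Naive estimate: the attacker's speed never improves."""
    return guesses / guesses_per_second


def seconds_with_doubling(guesses: float, guesses_per_second: float,
                          doubling_months: float = 18) -> float:
    """Estimate when the attacker's rate doubles every `doubling_months`.

    With rate r(t) = r0 * 2^(t/Td), the guesses made by time T are
    r0 * Td / ln2 * (2^(T/Td) - 1).  Solving that for T gives the closed
    form below (log1p keeps it accurate when the ratio is tiny).
    """
    td = doubling_months * SECONDS_PER_MONTH
    ratio = guesses * math.log(2) / (guesses_per_second * td)
    return td * math.log1p(ratio) / math.log(2)


def diceware_words_for(target_bits: float) -> int:
    """Smallest number of Diceware words giving at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(DICEWARE_LIST_SIZE))


def report(alphabet_size: int, length: int, guesses_per_second: float) -> dict:
    """Summarise a passphrase of `length` symbols against a given guess rate."""
    guesses = expected_guesses(alphabet_size, length)
    bits = entropy_bits(alphabet_size, length)
    return {
        "bits": bits,
        "years_constant_rate": seconds_at_constant_rate(guesses, guesses_per_second)
        / SECONDS_PER_YEAR,
        "years_with_doubling": seconds_with_doubling(guesses, guesses_per_second)
        / SECONDS_PER_YEAR,
        "equivalent_diceware_words": diceware_words_for(bits),
    }


if __name__ == "__main__":
    # Constructed scenario: the 12-symbol passphrase from the question,
    # against an assumed 10^12 guesses per second.
    for key, value in report(PRINTABLE_ASCII, 12, 1e12).items():
        print(f"{key:>26}: {value:,.2f}" if isinstance(value, float) else f"{key:>26}: {value}")
```

The interesting output is the gap between the two time estimates: with a fixed guess rate the 12-symbol passphrase looks safe for thousands of years, but once the attacker's throughput doubles every 18 months the same key space falls in decades, which is why strength is better reasoned about in bits against a target lifetime than in "years to crack today".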