Limit of maximum password length

Robert J. Hansen rjh at
Sat Oct 27 08:54:09 CEST 2012

On 10/27/2012 1:58 AM, jv at wrote:
> Well, I knew that there is a limit somewhere, but you know, having a
> passphrase longer than 1024 and not longer lets say than 2048 chars
> should not be a limit on 2012, don't you think so ? :)

No, I don't.  I think that using passphrases longer than about 80
characters shows you don't understand the problem.  :)

> To answer to your question about why I need so long psw is simple, the
> paranoia :)

A 1024-character passphrase is so long I doubt you could memorize it
(unless you were to use the full text of some well-known poem, and in
that case it would be a poor passphrase).  That means you've got it on a
file somewhere and enter it via cut-and-paste.  That means instead of
safeguarding just your private key, you now need to safeguard your
private key, the file that contains your passphrase, and the OS calls
that implement C&P functionality.  This is a much, much weaker system
than if you were to use a "normal" passphrase.

Being too paranoid is just as bad, and maybe even worse, than not being
paranoid enough.

> By the way, you mentioned "105 characters and at least 158 bits of
> entropy", how do you control entropy when generating password ? And is
> it safe to use external entropy generator, say like rng tools ?

You control the entropy by coming to an informed estimate of how much
entropy is present per glyph of text.  Claude Shannon and others did
groundbreaking work in this field, and came up with numbers generally
falling around 2 bits per glyph.  Subtracting a bit to be on the side of
safety gives us 1.5 bits per glyph.

Alternately, you can do something like this:

rjh at flynn:~$ gpg --armor --gen-random 2 16

That "5FNsIpmx..." is an example of a 128-bit passphrase.  That's the
gold standard for passphrases.

I'm not going to comment on external entropy generators.  I don't know
your particular situation, and that means I can't tell you what makes
sense for your particular needs.  Telling you a 1024+-character
passphrase doesn't make sense for your needs is one thing -- telling you
what makes sense for your needs is something else altogether.

More information about the Gnupg-users mailing list