Limit of maximum password length

jv at jv at
Sat Oct 27 09:58:04 CEST 2012

I thought that during the new key generation event I had to use the system,
keyboard etc. all the time; I see that I was wrong. Thanks for all the
answers, they are really helpful.
On 10/27/2012 9:54 AM, Robert J. Hansen wrote:
> On 10/27/2012 1:58 AM, jv at wrote:
>> Well, I knew that there is a limit somewhere, but you know, having a
>> passphrase longer than 1024 and not longer, let's say, than 2048 chars
>> should not be a limit in 2012, don't you think so? :)
> No, I don't.  I think that using passphrases longer than about 80
> characters shows you don't understand the problem.  :)
>> To answer your question about why I need such a long psw, it's simple: the
>> paranoia :)
> A 1024-character passphrase is so long I doubt you could memorize it
> (unless you were to use the full text of some well-known poem, and in
> that case it would be a poor passphrase).  That means you've got it on a
> file somewhere and enter it via cut-and-paste.  That means instead of
> safeguarding just your private key, you now need to safeguard your
> private key, the file that contains your passphrase, and the OS calls
> that implement C&P functionality.  This is a much, much weaker system
> than if you were to use a "normal" passphrase.
> Being too paranoid is just as bad, and maybe even worse, than not being
> paranoid enough.
>> By the way, you mentioned "105 characters and at least 158 bits of
>> entropy"; how do you control entropy when generating a password? And is
>> it safe to use an external entropy generator, say like rng-tools?
> You control the entropy by coming to an informed estimate of how much
> entropy is present per glyph of text.  Claude Shannon and others did
> groundbreaking work in this field, and came up with numbers generally
> falling around 2 bits per glyph.  Subtracting a bit to be on the side of
> safety gives us 1.5 bits per glyph.
> Alternately, you can do something like this:
> ===
> rjh at flynn:~$ gpg --armor --gen-random 2 16
> 5FNsIpmx8UYa8lz/qWYEag==
> ===
> That "5FNsIpmx..." is an example of a 128-bit passphrase.  That's the
> gold standard for passphrases.
> I'm not going to comment on external entropy generators.  I don't know
> your particular situation, and that means I can't tell you what makes
> sense for your particular needs.  Telling you a 1024+-character
> passphrase doesn't make sense for your needs is one thing -- telling you
> what makes sense for your needs is something else altogether.
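As an added illustration (not part of this thread), the two approaches Robert describes side by side in Python: a base64-armored CSPRNG passphrase like the one `gpg --armor --gen-random 2 16` prints (here `secrets.token_bytes` stands in for gpg's random source), and the 1.5 bits-per-glyph estimate for human-written text. Function names are my own.

```python
import base64
import math
import secrets

# Thread's conservative figure for natural-language text:
# ~2 bits per glyph (Shannon) minus a safety margin -> 1.5 bits per glyph.
BITS_PER_GLYPH = 1.5


def random_passphrase(num_bytes: int = 16) -> str:
    """Build a passphrase the way `gpg --armor --gen-random 2 16` does:
    num_bytes of CSPRNG output, base64-encoded. 16 bytes = 128 bits."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def random_passphrase_bits(passphrase: str) -> int:
    """Entropy of an armored random passphrase: 8 bits per raw byte,
    not per printed character (base64 expands 16 bytes to 24 glyphs)."""
    return 8 * len(base64.b64decode(passphrase))


def text_passphrase_bits(passphrase: str, bits_per_glyph: float = BITS_PER_GLYPH) -> float:
    """Estimated entropy of a human-written passphrase."""
    return len(passphrase) * bits_per_glyph


def glyphs_needed(target_bits: float, bits_per_glyph: float = BITS_PER_GLYPH) -> int:
    """Length of natural-language text needed to match target_bits."""
    return math.ceil(target_bits / bits_per_glyph)


def stronger(random_pp: str, text_pp: str) -> str:
    """Compare the two styles by estimated entropy, not by length."""
    rb, tb = random_passphrase_bits(random_pp), text_passphrase_bits(text_pp)
    return "random" if rb > tb else "text" if tb > rb else "equal"


if __name__ == "__main__":
    rp = random_passphrase()
    print(rp, random_passphrase_bits(rp), "bits")
    print("glyphs of text for 128 bits:", glyphs_needed(128))
```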
