GPG keys for multiple email accounts

Robert J. Hansen rjh at
Sun Jul 7 23:19:02 CEST 2013

On 07/07/2013 01:02 PM, Heinz Diehl wrote:
> This very much depends on how important the encrypted information is
> considered to be.

Find me some verifiable instance of OpenPGP passphrases being
brute-forced and I'll take this seriously.  Until then, I will continue
to treat brute-forcing as the myth I'm almost certain it is.  I like to
assume an attacker is at least as smart as I am.  If I'm smart enough to
see that brute-forcing has really bad odds of success, why would I waste
time when there are so many better avenues of attack available?

I need your secret key and passphrase I'd start by hiring a
thousand-dollar-a-night hooker for a week and point her in your
direction, with a $5,000 bonus if she's able to get your key and
passphrase without you noticing.  Simple, cheap and effective.  I might
have her plant a keylogger while she's in your bedroom.  Or I might try
and nab you via a carefully-prepared spearphish, or get you on a
drive-by as you surf the web, or... etc., etc.

It makes absolutely no sense to brute-force a passphrase when it's so
easy to compromise the communication endpoint.  That's where the real
work lies -- not in talk about making something resistant to brute-forcing.

>> Further, who cares if the number of bits in different parts of the
>> system aren't balanced?
> For some ciphers (incl. AES), a smaller key size means
> "faster".

This is irrelevant to the discussion.  If a cipher isn't fast enough for
your purposes then don't choose it.  It has nothing to do with whether
the entropy in a system is "balanced".

More information about the Gnupg-users mailing list