GPG keys for multiple email accounts
Jerry
jerry at seibercom.net
Sun Jul 7 23:41:43 CEST 2013
On Sun, 07 Jul 2013 17:19:02 -0400
Robert J. Hansen articulated:
> On 07/07/2013 01:02 PM, Heinz Diehl wrote:
> > This very much depends on how important the encrypted information is
> > considered to be.
>
> Find me some verifiable instance of OpenPGP passphrases being
> brute-forced and I'll take this seriously. Until then, I will
> continue to treat brute-forcing as the myth I'm almost certain it
> is. I like to assume an attacker is at least as smart as I am. If
> I'm smart enough to see that brute-forcing has really bad odds of
> success, why would I waste time when there are so many better avenues
> of attack available?
>
> If I need your secret key and passphrase I'd start by hiring a
> thousand-dollar-a-night hooker for a week and point her in your
> direction, with a $5,000 bonus if she's able to get your key and
> passphrase without you noticing. Simple, cheap and effective. I
> might have her plant a keylogger while she's in your bedroom. Or I
> might try and nab you via a carefully-prepared spearphish, or get you
> on a drive-by as you surf the web, or... etc., etc.
>
> It makes absolutely no sense to brute-force a passphrase when it's so
> easy to compromise the communication endpoint. That's where the real
> work lies -- not in talk about making something resistant to
> brute-forcing.
>
> >> Further, who cares if the number of bits in different parts of the
> >> system aren't balanced?
> >
> > For some ciphers (incl. AES), a smaller key size means
> > "faster".
>
> This is irrelevant to the discussion. If a cipher isn't fast enough
> for your purposes then don't choose it. It has nothing to do with
> whether the entropy in a system is "balanced".
I worked for several years for a group whose specific job was to find
security holes in organizations. "Social Engineering" is responsible
for over 90% of all leaked data. All other methods combined resulted in
the other 10%. However, other methods such as brute force or hacking
threats were easily detected as compared to the more subtle methods
used in a well planned "social scheme". Many users were not even aware
that they had been taken and usually were too ashamed to admit they were
even when it was revealed to them.
--
Jerry ♔
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.