Traveling without a secret key

Ryan McGinnis ryan at digicana.com
Wed Jul 8 22:29:53 CEST 2020


The thing is, if you can't remember a string of random words, are you likely to remember a string of 20 random letters, numbers, and characters?  Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a computer to guess.  Diceware is the attempt to make something as easy as possible to remember while still being truly high-entropy.  If you're really paranoid you don't use the javascript program to generate your random phrases, you buy an EFF book and roll some casino dice.  The entropy comes from the dice and so is verifiable.


Probably the best PGP key passphrase would be to have some sort of high security locally stored password manager like KeepassXC, encrypt that password database with a good long diceware passphrase that you train yourself to remember, and then have that program generate some random 30 or 40 character gibberish passwords to copypasta into PGP when it asks.  While you're at it, use that to create different random passwords for every site and service you use.


-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 8, 2020 2:40 PM, Stefan Claas <sac at 300baud.de> wrote:

> Ryan McGinnis via Gnupg-users wrote:
>
> > Went to a security seminar where I asked a random FBI agent after a presentation about passwords; he said just to get into
> > their personal terminals it was something like 17 characters minimum and that the passwords were randomly generated letters
> > and numbers and symbols and that they were changed fairly often. If you're trying to protect something from offline brute
> > forcing and the password is the weak point, you're probably best off coming up with a really long randomly generated diceware
> > phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.
>
> Thanks for the info! Regarding diceware, I looked into it long ago, but must admit I am not good at remembering many word
> sequences, for many strong passwords, even if diceware words are easy once.
>
> Regards
> Stefan
>
> --
>
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

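The diceware mechanics the thread refers to (five dice rolls select one word from the 7776-entry EFF list, and the phrase's entropy is the number of words times log2(7776)), as an added illustration that is not code from the thread's participants, the EFF or GnuPG. The word list is a constructed stand-in populated with placeholder words for every possible key so the example runs offline; a real deployment would parse the EFF `eff_large_wordlist.txt` file instead. The 94-character alphabet used for the random-password comparison is an assumption (printable ASCII minus space).

```python
"""Diceware passphrase generation and entropy comparison (added example)."""
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                 # EFF large list: five dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 words
PRINTABLE_ASCII = 94              # assumed alphabet for a random character password


def build_toy_wordlist():
    """Constructed stand-in for the EFF list, keyed '11111' ... '66666'.

    The real file is tab-separated 'key\\tword'; placeholder words are used
    here so the example runs without the file.
    """
    return {"".join(rolls): f"word{''.join(rolls)}"
            for rolls in product("123456", repeat=DICE_PER_WORD)}


def roll_key(rng=secrets.randbelow):
    """Roll five dice and return the lookup key, e.g. '36214'.

    secrets.randbelow plays the role of the casino dice: the entropy comes
    from an unpredictable source, not from anything the user chooses.
    A deterministic rng may be passed in for testing.
    """
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(words, n_words=7, rng=secrets.randbelow):
    """Draw n_words independent words; independence is what makes entropy add up."""
    return " ".join(words[roll_key(rng)] for _ in range(n_words))


def diceware_bits(n_words, list_size=LIST_SIZE):
    """Entropy in bits of an n-word phrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def random_password_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet)


def words_needed_to_match(length, alphabet=PRINTABLE_ASCII, list_size=LIST_SIZE):
    """Smallest diceware word count whose entropy reaches that of a random password."""
    return math.ceil(random_password_bits(length, alphabet) / math.log2(list_size))


if __name__ == "__main__":
    wl = build_toy_wordlist()
    print(diceware_passphrase(wl))
    for n in (5, 6, 7, 8):
        print(f"{n} words: {diceware_bits(n):.1f} bits")
    for length in (17, 20):
        print(f"{length} random printable chars: {random_password_bits(length):.1f} bits "
              f"(about {words_needed_to_match(length)} diceware words)")
```

The numbers make the trade-off in the thread concrete: the 7-word phrase mentioned gives roughly 90 bits, a 17-character random password roughly 111 bits, and a 20-character one roughly 131 bits, so the diceware phrase buys memorability at the cost of some entropy per character typed, while still being far beyond what offline guessing can cover.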