Robert J. Hansen rjh at
Tue May 12 00:13:11 CEST 2020

> This was back in the Pentium II days!! Processors these days could
> likely crack a dictionary based password in a matter of seconds. 

Tell you what: try it.  :)

If you choose only from the thousand most-common English words (a
keyspace of about 2^10), a six-word passphrase gives a work factor of
2^60.  The key derivation function means you're spending at least 2^-10
seconds for each attempt, which means you've got 50/50 odds of breaking
the passphrase after 2^49 seconds -- or about 18 million years.

A four-word passphrase could be broken after 2^29 seconds, or about 17

It's parallelizable, of course, if you want to rent out 18 million AWS
instances.  But at present, the sense of the community is that the FAQ
advice, which gives people between 17 years and 18 million years of
resistance to a brute-force attack, is sufficient.

> I'm sorry, but that particular bit of advise is terrible and needs to be
> changed.

I have forwarded your criticism on to the community and invited them to
give their own feedback.  The FAQ is the collective opinion of the
community, not just myself -- all I do is write the thing.  If the
community concurs with your sentiments, I'll change the text.

> If you guys accept public assistance, I could go through the
> instruction / FAQ pages for you, update them, then submit them to you
> for approval.

We welcome any useful contributions.  :)

More information about the Gnupg-users mailing list