Fwd: The GnuPR FAQ

vedaal at nym.hush.com vedaal at nym.hush.com
Tue May 12 01:00:19 CEST 2020

On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
>This arrived in my inbox: I'm presenting it here without comment.  
>response will be following in a moment.
>-------- Forwarded Message --------
>Subject: 	The GnuPR FAQ
>Date: 	Mon, 11 May 2020 14:19:07 -0600
>From: 	James Long <crogonint at gmail.com>
>To: 	rjh at sixdemonbag.org
>You've advised people to use a HORRIBLE practice of using 
>dictionary words solely for their password. I tested this theory myself back 
>in the day, so I can 100% guaranty you of this fact: A brute force 
>dictionary based attack can crack a password like that in LESS THAN 5 

How many words were in your passphrase??

Here is some data on the Diceware list:

The Diceware list has only 7776 words.   A complete dictionary has almost 2 orders of magnitude more.

"Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number."

10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5)
(  7776^10 = 8.08x10^38        2^128 = 3.40×10^38  )

20 Diceware words  provides a greater Brute Force space, than 2^256
(  7776^20 =  6.53×10^77         2^256 =1.157×10^77  )

Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on).

So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³⁹, still greater than a a 2^128 Brute Force Space.

So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model.


More information about the Gnupg-users mailing list