Fwd: The GnuPR FAQ

raf gnupg at raf.org
Tue May 12 02:52:29 CEST 2020 

vedaal via Gnupg-users wrote:

> On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <rjh at sixdemonbag.org> wrote:
> >
> >This arrived in my inbox: I'm presenting it here without comment.  
> >My
> >response will be following in a moment.
> >
> >
> >-------- Forwarded Message --------
> >Subject: 	The GnuPR FAQ
> >Date: 	Mon, 11 May 2020 14:19:07 -0600
> >From: 	James Long <crogonint at gmail.com>
> >To: 	rjh at sixdemonbag.org
> -----
> >You've advised people to use a HORRIBLE practice of using 
> >dictionary words solely for their password. I tested this theory myself back 
> >in the day, so I can 100% guaranty you of this fact: A brute force 
> >dictionary based attack can crack a password like that in LESS THAN 5 
> >minutes!! 
> 
> =====
> How many words were in your passphrase??
> 
> Here is some data on the Diceware list:
> https://theworld.com/~reinhold/diceware.html
> 
> The Diceware list has only 7776 words.   A complete dictionary has almost 2 orders of magnitude more.
> 
> "Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number."
> https://www.merriam-webster.com/help/faq-how-many-english-words
> 
> 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5)
> (  7776^10 = 8.08x10^38        2^128 = 3.40×10^38  )
> 
> 20 Diceware words  provides a greater Brute Force space, than 2^256
> (  7776^20 =  6.53×10^77         2^256 =1.157×10^77  )
> 
> Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on).
> 
> So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³⁹, still greater than a a 2^128 Brute Force Space.
> 
> So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model.

I can only assume that James must have thought that a
*single* dictionary word was what was meant, not a large
number of randomly-chosen dictionary words. I love
diceware passwords. Sometimes you even get lucky and
generate a funny one.

> vedaal
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

More information about the Gnupg-users mailing list