how to suppress new "insecure passphrase" warning

raf gnupg at raf.org
Fri Sep 18 03:04:34 CEST 2020


Alan Bram via Gnupg-users wrote:
 
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
> 
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
> 
> Is there a way to suppress the annoying warning?

I don't know, but you could report it as a bug in the
package. If they are going to introduce such a warning,
the logic should be evidence-based, and I bet it isn't.

I once read a great article (on a Mozilla or OWASP
site) about the fact that the ancient corporate advice
of using a password that is at least eight characters
long, with at least three character classes (i.e. upper
case, lower case, punctuation and digits), was harmful
because humans all think very similarly, and we all
come up with passwords that look the same, like
"Password1". Being forced to change passwords for no
reason every 90 days just means we all use
"Winter2019", "Autumn2019", etc.

So penetration testers have done the stats on cracked
passwords and come up with a list of the top 100
password patterns that mean that you can dramatically
reduce the search space when cracking passwords and
crack about 95% of supposedly strong passwords. The top
pattern covers about 12% of passwords.

Here's a URL on the topic (but not the one I first
read):

  https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/

So the original advice wasn't evidence-based, and even
FIPS have abandoned it and have started recommending
long passphrases. Diceware passwords are brilliant, and
any system that complains that they aren't secure
is an embarrassment.

I hate being told by websites that my 50 character
passphrase isn't secure enough, even more so when it
meets all of their stated password requirements (i.e.
they don't mention the fact that they don't accept
space characters as a special character - grr).

cheers,
raf

P.S. Of course you could make a local copy of the binary
and replace the first character of the warning with a
nul byte. That should fix it. :-)
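The entropy comparison raf is making, written out as an added example (not code from the thread or from GnuPG): the legacy "eight characters, three classes" rule beside the entropy of a Diceware passphrase and of the "Season+year" pattern a cracker tries first. The common-word pool size and the sample passphrase are assumptions of this example.

```python
import math
import re

# A standard Diceware list: five dice rolls select one of 6**5 = 7776 words.
DICEWARE_LIST_SIZE = 6 ** 5
# Assumed size of the "capitalised dictionary word" pool a cracker tries
# first (an assumption for this example, not a figure from the thread).
COMMON_WORD_POOL = 10_000

CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]",
           "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}  # printable ASCII


def diceware_entropy_bits(num_words: int) -> float:
    """Entropy of a passphrase of num_words words chosen uniformly from the list."""
    return num_words * math.log2(DICEWARE_LIST_SIZE)


def meets_legacy_rule(password: str) -> bool:
    """The 'at least eight characters, three of four classes' rule the post criticises."""
    present = sum(bool(re.search(pat, password)) for pat in CLASSES.values())
    return len(password) >= 8 and present >= 3


def charclass_entropy_bits(password: str) -> float:
    """What the legacy rule implicitly credits: every character drawn uniformly
    from the union of the character classes that appear in the password."""
    alphabet = sum(CLASS_SIZES[n] for n, pat in CLASSES.items() if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pattern_entropy_bits(password: str):
    """Credit the password really gets against a cracker who tries the
    'Capitalised word + 1-4 digits' pattern first; None if it does not match."""
    m = re.fullmatch(r"[A-Z][a-z]+(\d{1,4})", password)
    if m is None:
        return None
    return math.log2(COMMON_WORD_POOL) + len(m.group(1)) * math.log2(10)


if __name__ == "__main__":
    # Constructed sample passphrase (five lowercase words), not a real one.
    for pw in ("Winter2019", "pilot gravel umbra folio quench"):
        print(f"{pw!r}: rule={meets_legacy_rule(pw)} "
              f"credited={charclass_entropy_bits(pw):.1f} bits "
              f"pattern={pattern_entropy_bits(pw)}")
    print(f"6 Diceware words: {diceware_entropy_bits(6):.1f} bits")
```

The rule accepts "Winter2019" and credits it with about 59 bits, while the pattern guess needs only about 27; a five-word Diceware passphrase fails the rule yet carries about 65 bits.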
