Entropy checkers only provide an *estimate* of randomness, at best an upper bound. Once you know that someone has used a particular key expansion algorithm, the entropy estimate can go down dramatically. This is because randomness is a measure of ignorance, and new information changes the calculation (cf the Monty Hall problem).
Andrew Gallagher

> On 8 Jul 2020, at 11:53, Stefan Claas <s...@300baud.de> wrote:
>
> Ingo Klöcker wrote:
>
>>> On Dienstag, 7. Juli 2020 22:42:07 CEST Stefan Claas wrote:
>>> Let's say you travel a lot and do not want to risk that your secret key
>>> gets compromised due to border control etc.
>>>
>>> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
>>> the key and the passphrase is needed, one simply issues:
>>>
>>> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
>>> and then one gets a string with an entropy of over 200, which is more than
>>> secure. This would one IMHO allow to have a strong passphrase but generated
>>> with an easy to remember password.
>>
>> I'm sorry, but you cannot increase the entropy of "simple password" by hashing
>> it. What you propose is "security by obscurity". And that was never a good
>> idea.
>
> Well, if I use a simple password like: 'Holidays Day 1' and run it through:
>
> http://rumkin.com/tools/password/passchk.php for example
>
> it gives an entropy of 62.6 bits.
>
> If I use now this simple password and run it through my program the result is:
>
> e|}]2$8$lI#:#h%|$}ody&qD6h#$RT;$L4^qm??D (sha256+base91)
>
> and
>
> C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)
>
> which gives an entropy of 192.3 and 234.2.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
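
The point argued in this thread, as an added example that is not part of any message above: a string-based checker scores the SHA-256+base64 output far higher than the password it came from, yet for anyone who knows the derivation the number of possible outputs equals the number of possible passwords. `naive_estimate` is a constructed character-pool estimator standing in for a web checker (it is not the rumkin.com algorithm), and `CANDIDATES` is a constructed guess list.

```python
import base64
import hashlib
import math
import string


def derive(password: str) -> str:
    """Same transform as the quoted pipeline: SHA-256 digest, then base64."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def naive_estimate(s: str) -> float:
    """Constructed checker: length * log2(size of the character pool in use).

    It sees only the string, not how the string was produced."""
    pool = 0
    pool += 26 if any(c in string.ascii_lowercase for c in s) else 0
    pool += 26 if any(c in string.ascii_uppercase for c in s) else 0
    pool += 10 if any(c in string.digits for c in s) else 0
    pool += 33 if any(not c.isalnum() for c in s) else 0  # punctuation + space
    return len(s) * math.log2(pool)


def search_space_bits(candidates) -> float:
    """Uncertainty left once the derivation is known: log2 of the number of
    distinct derived strings the candidate passwords can produce."""
    return math.log2(len({derive(p) for p in candidates}))


# Constructed model of "easy to remember" choices: 4 words x 32 day numbers.
WORDS = ("Holidays", "Vacation", "Travel", "Summer")
CANDIDATES = [f"{w} Day {d}" for w in WORDS for d in range(1, 33)]

if __name__ == "__main__":
    pw = "Holidays Day 1"
    print(f"checker estimate, password : {naive_estimate(pw):6.1f} bits")
    print(f"checker estimate, derived  : {naive_estimate(derive(pw)):6.1f} bits")
    print(f"bits if derivation is known: {search_space_bits(CANDIDATES):6.1f}")
```

The first two figures differ only because the checker is ignorant of how the string was made; the third does not change whether it is computed over the passwords or over their hashes.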