The thing is, if you can't remember a string of random words, are you likely to 
remember a string of 20 random letters, numbers, and characters?  Generally, if 
your non-randomly-generated password is easy for you to remember, it's also 
easy for a computer to guess.  Diceware is the attempt to make something as easy 
as possible to remember while still being truly high-entropy.  If you're really 
paranoid you don't use the javascript program to generate your random phrases, 
you buy an EFF book and roll some casino dice.  The entropy comes from the dice 
and so is verifiable.  

Probably the best PGP key passphrase would be to have some sort of high 
security locally stored password manager like KeePassXC, encrypt that password 
database with a good long diceware passphrase that you train yourself to 
remember, and then have that program generate some random 30 or 40 character 
gibberish passwords to copypasta into PGP when it asks.  While you're at it, 
use that to create different random passwords for every site and service you 

-Ryan McGinnis
Sent via ProtonMail
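The dice-to-wordlist lookup and the entropy arithmetic behind the "7 words ought to be safe" advice above, as a worked example added here (not code from this thread or from the EFF). The EFF wordlist itself is not embedded; a constructed stand-in with the same "ddddd<TAB>word" line format and the same 7776 entries is generated in its place. The 94-character alphabet assumed for manager-generated passwords and every function name below are this example's own assumptions.

```python
"""Diceware passphrase from physical dice rolls, plus the entropy arithmetic.

Added example, not code from the thread.  eff_large_wordlist.txt is not
embedded; constructed_wordlist_text() builds a stand-in with the same
line format ("11111<TAB>abacus") and the same 7776 entries.
"""
import math
import secrets
import string

DICE_PER_WORD = 5                  # EFF large list: five d6 rolls -> one word
LIST_SIZE = 6 ** DICE_PER_WORD     # 7776 words


def rolls_to_key(rolls):
    """Turn dice faces (1..6) into the wordlist key, e.g. [1,1,1,1,1] -> '11111'."""
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly %d faces in 1..6" % DICE_PER_WORD)
    return "".join(str(r) for r in rolls)


def parse_eff_wordlist(text):
    """Parse EFF-format lines ('11111\\tabacus') into a key -> word dict.

    Blank lines are skipped.  A list with the wrong number of entries or a
    duplicated key is rejected: either would silently shrink the search
    space below the log2(7776) bits per word that the arithmetic assumes.
    """
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)      # ValueError on a malformed line
        if key in table:
            raise ValueError("duplicate key " + key)
        table[key] = word.strip()
    if len(table) != LIST_SIZE:
        raise ValueError("expected %d entries, got %d" % (LIST_SIZE, len(table)))
    return table


def constructed_wordlist_text():
    """Constructed stand-in for the EFF list: synthetic words, real format."""
    lines = []
    for n in range(LIST_SIZE):
        faces, m = [], n
        for _ in range(DICE_PER_WORD):   # base-6 digits of n, shifted to faces 1..6
            faces.append(str(m % 6 + 1))
            m //= 6
        lines.append("".join(reversed(faces)) + "\tword%04d" % n)
    return "\n".join(lines) + "\n"


def roll_die():
    """One unbiased d6 from the OS CSPRNG; software stand-in for casino dice."""
    return secrets.randbelow(6) + 1


def passphrase_from_rolls(rolls, table, words=7):
    """Deterministic lookup: the same physical rolls always give the same phrase,
    which is what makes dice-sourced entropy verifiable by hand."""
    if len(rolls) != words * DICE_PER_WORD:
        raise ValueError("need %d rolls for %d words" % (words * DICE_PER_WORD, words))
    chunks = [rolls[i:i + DICE_PER_WORD] for i in range(0, len(rolls), DICE_PER_WORD)]
    return " ".join(table[rolls_to_key(c)] for c in chunks)


def diceware_entropy_bits(words, list_size=LIST_SIZE):
    """Bits of entropy for `words` uniformly chosen words: words * log2(list_size)."""
    return words * math.log2(list_size)


def random_chars_entropy_bits(length, alphabet_size):
    """Bits for a uniformly random string, e.g. 17 chars over 94 printables."""
    return length * math.log2(alphabet_size)


def random_password(length=40):
    """Manager-style gibberish password, the kind you paste into gpg when it asks.
    Assumes the 94 printable ASCII characters as the alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation   # 94
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    table = parse_eff_wordlist(constructed_wordlist_text())
    rolls = [roll_die() for _ in range(7 * DICE_PER_WORD)]
    print(passphrase_from_rolls(rolls, table))
    print("7 words: %.1f bits" % diceware_entropy_bits(7))
    print("17 random printable chars: %.1f bits" % random_chars_entropy_bits(17, 94))
    print(random_password())
```

Seven words from a 7776-entry list come to about 90 bits, which is why that length is a comfortable margin against offline guessing; a 17-character string over the 94 printable ASCII characters is around 111 bits, so the two approaches trade memorability against length, not strength. The roll_die() function is only a stand-in; rolling real dice and typing the faces into passphrase_from_rolls() is the part that lets you verify the entropy yourself.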

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 8, 2020 2:40 PM, Stefan Claas <> wrote:

> Ryan McGinnis via Gnupg-users wrote:

> > Went to a security seminar where I asked a random FBI agent after a
> > presentation about passwords; he said just to get into their personal
> > terminals it was something like 17 characters minimum and that the
> > passwords were randomly generated letters and numbers and symbols and
> > that they were changed fairly often. If you're trying to protect
> > something from offline brute forcing and the password is the weak
> > point, you're probably best off coming up with a really long randomly
> > generated diceware phrase (7 words ought to be safe)

> Thanks for the info! Regarding diceware, I looked into it long ago, but must
> admit I am not good at remembering many word sequences, for many strong
> passwords, even if diceware words are easy once.

> Regards
> Stefan

> -- 

> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

