how to suppress new "insecure passphrase" warning
I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.

I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.

Is there a way to suppress the annoying warning?

___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you don't have a good passphrase -- six words is kinda minimum with diceware to get a decent amount of entropy)

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

--- Original Message ---
On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that someone
> simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?
Re: how to suppress new "insecure passphrase" warning
Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get the warning.

Regards
Stefan
Re: how to suppress new "insecure passphrase" warning
Wonder if someone saw this email and uploaded it -- it shows up when I search! :)

Best,
-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

--- Original Message ---
On Thursday, September 17, 2020 10:25 AM, Martin wrote:

> Hello Ryan,
>
> Thursday, September 17, 2020, 4:42:24 PM, you wrote:
>
> > -Ryan McGinnis
> > http://www.bigstormpicture.com
> > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
> BTW your public key is not on keys.openpgp.org
>
> --
> Best regards,
> Martin
Re: how to suppress new "insecure passphrase" warning
Stop. Unsubscribe

Sent from Yahoo Mail on Android

On Thu, Sep 17, 2020 at 10:40 AM, Stefan Claas wrote:

Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get the warning.

Regards
Stefan
Re: how to suppress new "insecure passphrase" warning
On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is 1, but I think that you can set it to 0.

Also make sure that you haven't set check-passphrase-pattern to point to a dictionary -- a common security pattern for 8-12 "random" character passwords but unlikely to be helpful with a diceware approach.

There are other relevant options in the gpg-agent man-page in the area around those options, worth reviewing.

-Phil
Re: how to suppress new "insecure passphrase" warning
Hello Ryan,

Thursday, September 17, 2020, 4:42:24 PM, you wrote:

> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

BTW your public key is not on keys.openpgp.org

--
Best regards,
Martin
Re: how to suppress new "insecure passphrase" warning
On Wed, 16 Sep 2020 15:03, Alan Bram said:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.

Please check your configuration in gpg-agent.conf. Is there a min-passphrase-nonalpha option set? Note that some external software may have modified your configuration.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.
Re: how to suppress new "insecure passphrase" warning
On Thu, Sep 17, 2020 at 10:52 AM Alan Bram wrote:

> On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:
>
> > Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
> > 1, but I think that you can set it to 0.
>
> I tried that, but it doesn't seem to have any effect.

D'oh! Sorry! It is working after all.

I didn't realize that the `gpg2` command was starting the agent automatically. And I didn't realize that when I first tried changing the configuration, there was an already-running agent that I had to kill first in order to get it to reread the config.

It's all working great now. Thank you so much! And sorry for the bad info previously.
Re: how to suppress new "insecure passphrase" warning
On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:

> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
> 1, but I think that you can set it to 0.

I tried that, but it doesn't seem to have any effect.

Then, as an experiment, I tried setting it to 2, and observed that including just 1 digit in the passphrase resulted in no warning (again suggesting that the setting was not having any effect).

But I don't even think I'm using the agent (unless I misunderstand): I'm simply running a command like the following:

    gpg2 --output outputfilename --symmetric inputfilename

and waiting for the program to prompt me to enter the passphrase each time. Sorry, I should have made that clear.

(Thank you for your quick responses.)
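Phil's gpg-agent.conf suggestion and the reload step Alan had to discover, as an added shell example that is not code from the thread or from GnuPG; it assumes only POSIX sh with sed, plus `gpgconf` for the optional reload:

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. It inspects a
# gpg-agent.conf for the passphrase-policy options Phil and Werner point at
# and shows the reload step Alan needed before a changed value took effect.

# Effective value of min-passphrase-nonalpha in the given conf file.
# gpg-agent's documented default is 1; 0 turns the digit/special-char
# requirement off. Last occurrence wins, commented-out lines are ignored,
# and an optional '=' separator is tolerated.
effective_min_nonalpha() {
    val=$(sed -n \
        's/^[[:space:]]*min-passphrase-nonalpha[[:space:]=]\{1,\}\([0-9]\{1,\}\).*/\1/p' \
        "$1" | tail -n 1)
    printf '%s\n' "${val:-1}"
}

# Path given to check-passphrase-pattern, or empty if the option is unset.
# Phil's caveat: a dictionary here is aimed at short "random" passwords and
# can still flag Diceware words even with min-passphrase-nonalpha 0.
passphrase_pattern_file() {
    sed -n \
        's/^[[:space:]]*check-passphrase-pattern[[:space:]=]\{1,\}\(.*\)$/\1/p' \
        "$1" | tail -n 1
}

# Short audit of a conf file (what Werner asked Alan to check).
audit_agent_conf() {
    echo "min-passphrase-nonalpha: $(effective_min_nonalpha "$1")"
    pat=$(passphrase_pattern_file "$1")
    echo "check-passphrase-pattern: ${pat:-<unset>}"
}

# A running agent keeps its old settings until told to re-read the file;
# gpgconf --reload is the supported way (gpgconf --kill gpg-agent also works,
# since gpg starts a fresh agent on demand, as Alan found).
reload_agent() {
    command -v gpgconf >/dev/null 2>&1 || { echo "gpgconf not found" >&2; return 1; }
    gpgconf --reload gpg-agent
}

# Usage: sh audit.sh ~/.gnupg/gpg-agent.conf [--reload]
if [ "$#" -gt 0 ]; then
    audit_agent_conf "$1"
    [ "${2:-}" = "--reload" ] && reload_agent
fi
```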
Which keyserver
Hi list

Which keyserver do you recommend these days?

I have hkps://keys.openpgp.org in gpg.conf - but it seems that there are missing a lot of public keys on this server.

--
Best regards,
Martin
Re: Which keyserver
Martin wrote:

> Hi list
>
> Which keyserver do you recommend these days?
>
> I have hkps://keys.openpgp.org in gpg.conf - but it seems that there
> are missing a lot of public keys on this server.

Hi, good question ...

I like https://keys.mailvelope.com/ best, because it only allows publishing your pub key if you decrypt their reply with your secret key and as bonus it keeps your collected WoT sigs, in case you need the classical WoT signatures, or CA sigs, like from Governikus etc.

Unfortunately gpg.conf, IIRC, allows only defining one key server and many people still use SKS key servers.

Regards
Stefan
Re: Which keyserver
On 2020-09-17 at 22:57 +0200, Martin wrote:

> Which keyserver do you recommend these days?

For what purpose?

For receiving updates to previously known keys, of people who care enough about their keys to distribute their keys across multiple keyservers instead of just going "I pushed it to the keyservers, that's it, I don't care", hkps://keys.openpgp.org is probably the most reasonable choice.

There's no choice for general purpose, and "running a keysigning party" or "finding someone's key from their fingerprint" which works well today.

If publishing keys, I do recommend setting up WKD for your domain, which helps a little. And heck, I run a finger daemon written in Go for a true blast from the past. :)

is in the UK, run from the same University bunch of folks as gave us PuTTY and has been around receiving keys from the SKS keyservers via email for ages, so tends to be "fairly well populated", so is where I try next after openpgp.org.

After that I hit old SKS keyservers which usually seem to work, whether or not these entries are in the pools and _current_, since they'll at least get me some of a key; the pool hostnames haven't been worth trying the last several times I checked, too many bad servers.

hkps://keyserver.ubuntu.com
hkps://zimmermann.mayfirst.org
hkp://keys2.kfwebs.net
hkps://pgp.mit.edu

The kfwebs and pgp.mit.edu servers appear to not be working right now, which leaves us with Ubuntu's and Dan Gillmor's (DKG's) mayfirst.org server.

You can still look over https://sks-keyservers.net/status/ to see if there are any working there, if the pool hostnames are broken for you at the time you check. The status list for the servers not in the pools will show you how far "behind" they are.

-Phil
Re: how to suppress new "insecure passphrase" warning
Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I don't know, but you could report it as a bug in the package. If they are going to introduce such a warning, the logic should be evidence-based, and I bet it isn't.

I once read a great article (on a Mozilla or OWASP site) about the fact that the ancient corporate advice of using a password that is at least eight characters long, with at least three character classes (i.e. upper case, lower case, punctuation and digits), was harmful because humans all think very similarly, and we all come up with passwords that look the same, like "Password1". Being forced to change passwords for no reason every 90 days just means we all use "Winter2019", "Autumn2019", etc.

So penetration testers have done the stats on cracked passwords and come up with a list of the top 100 password patterns that mean that you can dramatically reduce the search space when cracking passwords and crack about 95% of supposedly strong passwords. The top pattern covers about 12% of passwords.

Here's a URL on the topic (but not the one I first read):

https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/

So the original advice wasn't evidence-based, and even FIPS have abandoned it and have started recommending long passphrases.

Diceware passwords are brilliant, and any system that complains that they aren't secure is an embarrassment.

I hate being told by websites that my 50 character passphrase isn't secure enough, even more so when it meets all of their stated password requirements (i.e. they don't mention the fact that they don't accept space characters as a special character - grr).

cheers,
raf

P.S. Of course you could make a local copy of the binary and replace the first character of the warning with a nul byte. That should fix it. :-)