Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Indeed it’s specified in the OpenPGP card specs.
I have my answers.
Thanks,
David

> On Apr 30, 2019, at 14:13, Juergen Bruckner  wrote:
> 
> Well I may be (partly) wrong, but I guess a 6-digit PIN code on the
> GnuPG card may be complex enough for most security settings.
> 
> my2c
> Juergen
> 
>> On 30.04.19 at 19:40, David Milet wrote:
>> Yes, we’re considering using smart cards or usb devices like Yubikey.
>> Do those enforce password complexity?
>> 
>> To answer suggestions in other replies, our developers are savvy enough, and 
>> we do have recurring training in place to stress the importance of good 
>> passwords. But we also know that some developers will choose the weakest 
>> password the system allows, making them the weakest link.
>> 
>>> On Apr 30, 2019, at 13:21, Juergen Bruckner  wrote:
>>> 
>>> Hello David,
>>> 
>>> have you ever thought about using SmartCards?
>>> GnuPG has a built in SmartCard service.
>>> 
>>> regards
>>> Juergen
>>> 
>>>> On 30.04.19 at 12:55, David Milet wrote:
>>>> Hello
>>>> 
>>>> We’re considering rolling out GnuPG at work for developers to sign git 
>>>> commits.
>>>> How can we prevent developers from choosing a trivial password?
>>>> 
>>>> Is there a way for GnuPG to enforce some password complexity on the 
>>>> private keys?
>>>> 
>>>> Is that something that a Yubikey could do? 
>>>> 
>>>> Many thanks!
>>>> David
>>>> ___
>>>> Gnupg-users mailing list
>>>> Gnupg-users@gnupg.org
>>>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>>> 
>>> 
>>> -- 
>>> Juergen M. Bruckner
>>> juer...@bruckner.tk
>>> 
>> 
>> 
> 
> -- 
> Juergen M. Bruckner
> juer...@bruckner.tk
> 



Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Believe me, we have long and passionate discussions about password length and 
complexity.

The question in my post is purely technical.


> On Apr 30, 2019, at 13:51, Michał Górny  wrote:
> 
>> On Tue, 2019-04-30 at 13:40 -0400, David Milet wrote:
>> Yes, we’re considering using smart cards or usb devices like Yubikey.
>> Do those enforce password complexity?
>> 
>> To answer suggestions in other replies, our developers are savvy enough, and 
>> we do have recurring training in place to stress the importance of good 
>> passwords. But we know also that some developers will choose the weakest 
>> password the system allows, making them the weakest link.
>> 
> 
> I dare say trying to enforce strong passwords via policy is usually
> a bad idea.  If you can't convince a user to use and remember a good
> password, trying to force it via policy usually results either in:
> 
> a. passwords being noted down on paper, phone, etc., or
> 
> b. passwords becoming more predictable.
> 
> I can't know whether your users would actually do that but it's not an
> uncommon problem that e.g. if you require a password containing one digit
> and one special character, you replace trivial passwords with trivial
> passwords followed by '1!'.
> 
> -- 
> Best regards,
> Michał Górny
> 
> 

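Added example, not from any of the posters and not GnuPG project code: GnuPG does have a setting for the question David asked at the start of the thread. gpg-agent applies passphrase constraints whenever it sets or changes a passphrase (at key generation and on gpg --passwd), through the min-passphrase-len, min-passphrase-nonalpha, check-passphrase-pattern and enforce-passphrase-constraints options in gpg-agent.conf; without the last one the user can click past the warning. The script below writes a weak and a hardened configuration plus a pattern file, and re-implements the same three checks in POSIX sh so candidate passphrases can be tested against the policy offline. It also shows Michał's point above: 'Password1!' satisfies a length-plus-one-nonalpha rule and is only caught by the pattern list. The work directory, the pattern contents and the sample passphrases are constructed for the illustration, and the exact matching rules of the pattern file should be confirmed against the gpg-agent and gpg-check-pattern man pages of the installed GnuPG version.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG. It writes the
# gpg-agent.conf settings that make GnuPG itself enforce passphrase
# constraints, and re-implements the same three checks locally so a
# candidate passphrase can be tested against the policy before rollout.
# All paths and sample passphrases below are made up for the illustration.
LC_ALL=C
export LC_ALL

WORKDIR="${TMPDIR:-/tmp}/gpg-passphrase-policy.$$"
PATTERNS="$WORKDIR/passphrase-patterns"
ACTIVE_PATTERNS="$WORKDIR/passphrase-patterns.active"

# Writes the hardened gpg-agent.conf next to the weak one it replaces,
# plus the pattern file referenced by check-passphrase-pattern.
write_policy() {
    mkdir -p "$WORKDIR" || return 1

    # Weak: a bare minimum length, and the user may still click "Take it anyway".
    cat >"$WORKDIR/gpg-agent.conf.weak" <<'EOF'
min-passphrase-len 8
EOF

    # Hardened: longer minimum, two non-letters, a blocklist, and no bypass button.
    cat >"$WORKDIR/gpg-agent.conf" <<EOF
enforce-passphrase-constraints
min-passphrase-len 12
min-passphrase-nonalpha 2
check-passphrase-pattern $PATTERNS
EOF

    # One pattern per line; '#' lines are comments. Constructed blocklist.
    cat >"$PATTERNS" <<'EOF'
# Trivial words that show up in leaked password lists
password
qwerty
letmein
12345
EOF
    # grep -f would treat comment and blank lines as patterns, so strip them.
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$PATTERNS" >"$ACTIVE_PATTERNS"
}

# check_passphrase PASSPHRASE MIN_LEN MIN_NONALPHA [PATTERN_FILE]
# Returns 0 if accepted, 1 too short, 2 too few non-letters, 3 matches a pattern.
check_passphrase() {
    pw=$1; min_len=$2; min_nonalpha=$3; patterns=${4:-}
    [ "${#pw}" -ge "$min_len" ] || return 1
    # Count the characters that are not letters, like min-passphrase-nonalpha.
    nonalpha=$(printf '%s' "$pw" | tr -d 'A-Za-z' | wc -c | tr -d ' ')
    [ "$nonalpha" -ge "$min_nonalpha" ] || return 2
    # Case-insensitive match against the blocklist, like check-passphrase-pattern.
    if [ -n "$patterns" ] && printf '%s\n' "$pw" | grep -E -i -q -f "$patterns"; then
        return 3
    fi
    return 0
}

# Stand-alone demo: the "trivial password followed by 1!" case from the thread.
write_policy
for pw in 'Password1!' 'Tr0ub4dor' 'correcthorsebatterystaple' 'margin-kettle-9-orbit-42'; do
    rc=0; check_passphrase "$pw" 8 1 || rc=$?
    printf 'weak     (len>=8, nonalpha>=1, no patterns): %-28s -> %d\n' "$pw" "$rc"
    rc=0; check_passphrase "$pw" 12 2 "$ACTIVE_PATTERNS" || rc=$?
    printf 'hardened (len>=12, nonalpha>=2, blocklist):  %-28s -> %d\n' "$pw" "$rc"
done
```

Caveats a practitioner would want before relying on this: the constraints apply only at the moment a passphrase is set through gpg-agent, so existing keys are unaffected until their passphrase is changed; they live in the developer's own gpg-agent.conf, so they are a default rather than a control unless that file is centrally managed; and they do not apply to a smart card, where the card firmware enforces the PIN length (a 6-character minimum for the user PIN under the OpenPGP card specification, which is the 6-digit figure Juergen and David refer to). Reload the agent with gpgconf --reload gpg-agent after editing the config.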


Re: Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Yes, we’re considering using smart cards or usb devices like Yubikey.
Do those enforce password complexity?

To answer suggestions in other replies, our developers are savvy enough, and we 
do have recurring training in place to stress the importance of good passwords. 
But we also know that some developers will choose the weakest password the 
system allows, making them the weakest link.

> On Apr 30, 2019, at 13:21, Juergen Bruckner  wrote:
> 
> Hello David,
> 
> have you ever thought about using SmartCards?
> GnuPG has a built in SmartCard service.
> 
> regards
> Juergen
> 
>> On 30.04.19 at 12:55, David Milet wrote:
>> Hello
>> 
>> We’re considering rolling out GnuPG at work for developers to sign git 
>> commits.
>> How can we prevent developers from choosing a trivial password?
>> 
>> Is there a way for GnuPG to enforce some password complexity on the private 
>> keys?
>> 
>> Is that something that a Yubikey could do? 
>> 
>> Many thanks!
>> David
>> 
> 
> -- 
> Juergen M. Bruckner
> juer...@bruckner.tk
> 



Enforcing password complexity for private keys

2019-04-30 Thread David Milet
Hello

We’re considering rolling out GnuPG at work for developers to sign git commits.
How can we prevent developers from choosing a trivial password?

Is there a way for GnuPG to enforce some password complexity on the private 
keys?

Is that something that a Yubikey could do? 

Many thanks!
David