Fwd: The GnuPR FAQ
Robert J. Hansen rjh at sixdemonbag.org wrote on Tue May 12 16:41:09 CEST 2020: >You can get by just fine in most everyday English with a vocabulary of >5,000 words. Stick to those words and you'll have an easy-to-remember >passphrase. = That's absolutely correct, Horse! Battery Staple https://xkcd.com/936/ 8^) vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ
> Even using only English words greater than 5 letters and unrelated to > each other, an extremely low-bound estimate, would be 77760 words. > (in reality, far greater, but let's use an example people would agree > on). This is probably not the best metric. The length of the word is irrelevant: if one of your words is "zoo", that's no easier or harder to guess than "prolix" or "antediluvian". The words are all equally random. Much more important than length is memorability. "Coulrophobia" is a great word but I'd be looking up how to spell it all the time. You can get by just fine in most everyday English with a vocabulary of 5,000 words. Stick to those words and you'll have an easy-to-remember passphrase. Or, you know, learn coulrophobia, enhance your vocabulary, and get down with your clown-fearing self. It's up to you. :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ
On 5/11/20 10:11 PM, Robert J. Hansen - r...@sixdemonbag.org wrote: This arrived in my inbox: I'm presenting it here without comment. You've advised people to use a HORRIBLE practice of using dictionary words solely for their password. I tested this theory myself back in the day, so I can 100% guaranty you of this fact: A brute force dictionary based attack can crack a password like that in LESS THAN 5 minutes!! I once stretched that out to 20 minutes by cleverly picking words that I already knew were at the opposite ends of the dictionary. In order to discuss the feasibility of brute forcing a set of a few random dictionary words, we would have to agree on a few numbers: 1) how many words in the passphrase 2) how many words in a dictionary 3) how many dictionaries 4) how many slightly different forms can average word of the dictionary take due to the declension, conjugation and noun/adjective gender matching. This happens to be an English-only language mailing list, but very few users of this program speak (only) English. It always surprises me how contributors native-language-centric some Internet discussions on a technical subject that transgresses language borders are. Overall, the original suggestion in the FAQ is perfectly valid, and all I would add is point out the benefit of (3) and (4) above. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ
vedaal via Gnupg-users wrote: > On 5/11/2020 at 6:15 PM, "Robert J. Hansen" wrote: > > > >This arrived in my inbox: I'm presenting it here without comment. > >My > >response will be following in a moment. > > > > > > Forwarded Message > >Subject: The GnuPR FAQ > >Date:Mon, 11 May 2020 14:19:07 -0600 > >From:James Long > >To: r...@sixdemonbag.org > - > >You've advised people to use a HORRIBLE practice of using > >dictionary words solely for their password. I tested this theory myself back > >in the day, so I can 100% guaranty you of this fact: A brute force > >dictionary based attack can crack a password like that in LESS THAN 5 > >minutes!! > > = > How many words were in your passphrase?? > > Here is some data on the Diceware list: > https://theworld.com/~reinhold/diceware.html > > The Diceware list has only 7776 words. A complete dictionary has almost 2 > orders of magnitude more. > > "Webster's Third New International Dictionary, Unabridged, together with its > 1993 Addenda Section, includes some 470,000 entries. The Oxford English > Dictionary, Second Edition, reports that it includes a similar number." > https://www.merriam-webster.com/help/faq-how-many-english-words > > 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg > session key for older defaults of CAST-5) > ( 7776^10 = 8.08x10^382^128 = 3.40×10^38 ) > > 20 Diceware words provides a greater Brute Force space, than 2^256 > ( 7776^20 = 6.53×10^77 2^256 =1.157×10^77 ) > > Even using only English words greater than 5 letters and unrelated to each > other, an extremely low-bound estimate, would be 77760 words. (in reality, > far greater, but let's use an example people would agree on). > > So using 8 words chosen semi-randomly from a dictionary, 77760^8 = > 1.336×10³⁹, still greater than a a 2^128 Brute Force Space. > > So, not only is is NOT *horrible* advice, it should be enough for anyone's > threat model. I can only assume that James must have thought that a *single* dictionary word was what was meant, not a large number of randomly-chosen dictionary words. I love diceware passwords. Sometimes you even get lucky and generate a funny one. > vedaal > > ___ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ
On 5/11/2020 at 6:15 PM, "Robert J. Hansen" wrote: > >This arrived in my inbox: I'm presenting it here without comment. >My >response will be following in a moment. > > > Forwarded Message >Subject: The GnuPR FAQ >Date: Mon, 11 May 2020 14:19:07 -0600 >From: James Long >To:r...@sixdemonbag.org - >You've advised people to use a HORRIBLE practice of using >dictionary words solely for their password. I tested this theory myself back >in the day, so I can 100% guaranty you of this fact: A brute force >dictionary based attack can crack a password like that in LESS THAN 5 >minutes!! = How many words were in your passphrase?? Here is some data on the Diceware list: https://theworld.com/~reinhold/diceware.html The Diceware list has only 7776 words. A complete dictionary has almost 2 orders of magnitude more. "Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number." https://www.merriam-webster.com/help/faq-how-many-english-words 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5) ( 7776^10 = 8.08x10^382^128 = 3.40×10^38 ) 20 Diceware words provides a greater Brute Force space, than 2^256 ( 7776^20 = 6.53×10^77 2^256 =1.157×10^77 ) Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on). So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³⁹, still greater than a a 2^128 Brute Force Space. So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model. vedaal ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fwd: The GnuPR FAQ
This arrived in my inbox: I'm presenting it here without comment. My response will be following in a moment. Forwarded Message Subject:The GnuPR FAQ Date: Mon, 11 May 2020 14:19:07 -0600 From: James Long To: r...@sixdemonbag.org Greetings! I'm just getting started on a write-up with instructions explaining how to use all of the new options in GnuPG to set it up in the various email clients and browsers. I noticed on this page: https://www.gnupg.org/faq/gnupg-faq.html You've advised people to use a HORRIBLE practice of using dictionary words solely for their password. I tested this theory myself back in the day, so I can 100% guaranty you of this fact: A brute force dictionary based attack can crack a password like that in LESS THAN 5 minutes!! I once stretched that out to 20 minutes by cleverly picking words that I already knew were at the opposite ends of the dictionary. This was back in the Pentium II days!! Processors these days could likely crack a dictionary based password in a matter of seconds. I'm sorry, but that particular bit of advise is terrible and needs to be changed. If you guys accept public assistance, I could go through the instruction / FAQ pages for you, update them, then submit them to you for approval. Since I'm already writing updated instructions anyway. ;) - James T. Long There are 10 kinds of people in the world - those who understand binary, and those who don't. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users