Re: how to suppress new "insecure passphrase" warning
On Thu, 17 Sep 2020 11:27, Alan Bram said: > configuration, there was an already-running agent that I had to kill first > in order to get it to reread the config. Just for the reecords: gpgconf --reload gpg-agent would have been sufficent but "gpgconf --kill gpg-agent: works of course also. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that > someone simply appends a "1" to. > > Is there a way to suppress the annoying warning? I don't know, but you could report it as a bug in the package. If they are going to introduce such a warning, the logic should be evidence-based, and I bet it isn't. I once read a great article (on an Mozilla or OWASP site) about the fact that the ancient corporate advice of using a password that is at least eight characters long, with at least three character classes (i.e. upper case, lower case, punctuation and digits), was harmful because humans all think very similarly, and we all come up with passwords that look the same, like "Password1". Being forced to change passwords for no reason every 90 days just means we all use "Winter2019", "Autumn2019", etc. So penetration testers have done the stats on cracked passwords and come up with a list of the top 100 password patterns that mean that you can dramatically reduce the search space when cracking passwords and crack about 95% of supposedly strong passwords. The top pattern covers about 12% of passwords. Here's a URL on the topic (but not the one I first read): https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/ So the original advice wasn't evidence-based, and even FIPS have adandoned it and have started recommending long passphrases. Diceware passwords are brilliant, and any system that complains that they are aren't secure is an embarrassment. I hate being told by websites that my 50 character passphrase isn't secure enough, even more so when it meets all of their stated password requirements (i.e. they don't mention the fact that they don't accept space characters as a special character - grr). cheers, raf P.S. Of course you could make a local copy of the binary and replace the first character of the warning with a nul byte. That should fix it. :-) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
On Thu, Sep 17, 2020 at 10:52 AM Alan Bram wrote: > On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock > wrote: > >> >> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is >> 1, but I think that you can set it to 0. >> > > I tried that, but it doesn't seem to have any effect. > D'oh! Sorry! It is working after all. I didn't realize that the `gpg2` command was starting the agent automatically. And I didn't realize that when I first tried changing the configuration, there was an already-running agent that I had to kill first in order to get it to reread the config. It's all working great now. Thank you so much! And sorry for the bad info previously. ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote: > > Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is > 1, but I think that you can set it to 0. > I tried that, but it doesn't seem to have any effect. Then, as an experiment, I tried setting it to 2, and observed that including just 1 digit in the passphrase resulted in no warning (again suggesting that the setting was not having any effect). But I don't even think I'm using the agent (unless I misunderstand): I'm simply running a command like the following: gpg2 --output *outputfilename* --symmetric *inputfilename* and waiting for the program to prompt me to enter the passphrase each time. Sorry, I should have made that clear. (Thank you for your quick responses.) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
On Wed, 16 Sep 2020 15:03, Alan Bram said: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. Please check your configuration in gpg-agent.conf. Is there a min-passphrase-nonalpha option set? Note that some external software may have modified your configuration. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hello Ryan, Thursday, September 17, 2020, 4:42:24 PM, you wrote: > -Ryan McGinnis > http://www.bigstormpicture.com > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD BTW your public key is not on keys.openpgp.org - -- Best regards, Martin -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEE92uV/w2x7WB1p4XLsdyR185C444FAl9jgAcACgkQsdyR185C 445wzwf/QiBWBkH9UW6jzh7vbFbENQG39dBZTpK5TmG0BwRsdq72y4ccGpaCfZM9 02xSMeQ8ajPJ8luBH2cYHK+iBOQLlztl9yYj1crTYE+B0LBLWUMNlaH/OlduKUy7 1trJCpDVRljtFx5p3zqXiB5zP95R567e9UWXDGlpBPqj4BzhBseQGh4zNRdOGULI 4iCo2t1fhy4X5D32yhIEbP3nrTh9O4SpwYdSc0cL3jX+7KfdFqn+FQ0RgE69AFhZ 4yZ4iqA4H75oE6Hlsflg9nrQvL6BV63004FdIxRVYVsMEOMDqvGWwp8xYIibvJnO wPoKLy2OtHi77e8Out9G5bcngUwhxA== =8K8V -END PGP SIGNATURE- ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that > someone simply appends a "1" to. > > Is there a way to suppress the annoying warning? Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is 1, but I think that you can set it to 0. Also make sure that you haven't set check-passphrase-pattern to point to a dictionary -- a common security pattern for 8-12 "random" character passwords but unlikely to be helpful with a diceware approach. There are other relevant options in the gpg-agent man-page in the area around those options, worth reviewing. -Phil ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
Stop. Unsubscribe Sent from Yahoo Mail on Android On Thu, Sep 17, 2020 at 10:40 AM, Stefan Claas wrote: Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that > someone simply appends a "1" to. > > Is there a way to suppress the annoying warning? I have a simple PIN (14 numerical chars) for my smart card and don't get the warning. Regards Stefan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
Wonder if someone saw this email and uploaded it -- it shows up when I search! :) Best, -Ryan McGinnis http://www.bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD ‐‐‐ Original Message ‐‐‐ On Thursday, September 17, 2020 10:25 AM, Martin wrote: > Hello Ryan, > > Thursday, September 17, 2020, 4:42:24 PM, you wrote: > > > -Ryan McGinnis > > http://www.bigstormpicture.com > > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD > > BTW your public key is not onkeys.openpgp.org > > > > Best regards, > Martin signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that > someone simply appends a "1" to. > > Is there a way to suppress the annoying warning? I have a simple PIN (14 numerical chars) for my smart card and don't get the warning. Regards Stefan ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to suppress new "insecure passphrase" warning
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you don't have a good passphrase -- six words is kinda minimum with diceware to get a decent amount of entropy) -Ryan McGinnis http://www.bigstormpicture.com PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD ‐‐‐ Original Message ‐‐‐ On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that someone > simply appends a "1" to. > > Is there a way to suppress the annoying warning? signature.asc Description: OpenPGP digital signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
