Re: how to suppress new "insecure passphrase" warning

2020-09-22 Thread Werner Koch via Gnupg-users
On Thu, 17 Sep 2020 11:27, Alan Bram said:

> configuration, there was an already-running agent that I had to kill first
> in order to get it to reread the config.

Just for the records:

  gpgconf --reload gpg-agent

would have been sufficient, but "gpgconf --kill gpg-agent" works of course
also.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are governed by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread raf via Gnupg-users
Alan Bram via Gnupg-users wrote:
 
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
> 
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
> 
> Is there a way to suppress the annoying warning?

I don't know, but you could report it as a bug in the
package. If they are going to introduce such a warning,
the logic should be evidence-based, and I bet it isn't.

I once read a great article (on a Mozilla or OWASP
site) about the fact that the ancient corporate advice
of using a password that is at least eight characters
long, with at least three character classes (i.e. upper
case, lower case, punctuation and digits), was harmful
because humans all think very similarly, and we all
come up with passwords that look the same, like
"Password1". Being forced to change passwords for no
reason every 90 days just means we all use
"Winter2019", "Autumn2019", etc.

So penetration testers have done the stats on cracked
passwords and come up with a list of the top 100
password patterns that mean that you can dramatically
reduce the search space when cracking passwords and
crack about 95% of supposedly strong passwords. The top
pattern covers about 12% of passwords.

Here's a URL on the topic (but not the one I first
read):

  https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/

So the original advice wasn't evidence-based, and even
FIPS have abandoned it and have started recommending
long passphrases. Diceware passwords are brilliant, and
any system that complains that they aren't secure
is an embarrassment.

I hate being told by websites that my 50 character
passphrase isn't secure enough, even more so when it
meets all of their stated password requirements (i.e.
they don't mention the fact that they don't accept
space characters as a special character - grr).

cheers,
raf

P.S. Of course you could make a local copy of the binary
and replace the first character of the warning with a
nul byte. That should fix it. :-)




Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Alan Bram via Gnupg-users
On Thu, Sep 17, 2020 at 10:52 AM Alan Bram wrote:

> On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:
>
>> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
>> 1, but I think that you can set it to 0.
>
> I tried that, but it doesn't seem to have any effect.

D'oh! Sorry! It is working after all.

I didn't realize that the `gpg2` command was starting the agent
automatically. And I didn't realize that when I first tried changing the
configuration, there was an already-running agent that I had to kill first
in order to get it to reread the config.

It's all working great now. Thank you so much! And sorry for the bad info
previously.

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Alan Bram via Gnupg-users
On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock wrote:

> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
> 1, but I think that you can set it to 0.

I tried that, but it doesn't seem to have any effect. Then, as an
experiment, I tried setting it to 2, and observed that including just 1
digit in the passphrase resulted in no warning (again suggesting that the
setting was not having any effect).

But I don't even think I'm using the agent (unless I misunderstand): I'm
simply running a command like the following:

gpg2 --output *outputfilename* --symmetric *inputfilename*


and waiting for the program to prompt me to enter the passphrase each time.
Sorry, I should have made that clear.

(Thank you for your quick responses.)

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Werner Koch via Gnupg-users
On Wed, 16 Sep 2020 15:03, Alan Bram said:
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.

Please check your configuration in gpg-agent.conf.  Is there a
min-passphrase-nonalpha option set?  Note that some external software
may have modified your configuration.


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are governed by a federal law.



Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Martin

Hello Ryan,

Thursday, September 17, 2020, 4:42:24 PM, you wrote:

> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

BTW your public key is not on keys.openpgp.org

-- 
Best regards,
Martin


Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Phil Pennock via Gnupg-users
On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote:
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
> 
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
> 
> Is there a way to suppress the annoying warning?

Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
1, but I think that you can set it to 0.

Also make sure that you haven't set check-passphrase-pattern to point to
a dictionary -- a common security pattern for 8-12 "random" character
passwords but unlikely to be helpful with a diceware approach.

There are other relevant options in the gpg-agent man-page in the area
around those options, worth reviewing.

-Phil



Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread julie hayden via Gnupg-users
Stop. Unsubscribe

Sent from Yahoo Mail on Android 
 

Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users

Wonder if someone saw this email and uploaded it -- it shows up when I search! :)

Best,

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Thursday, September 17, 2020 10:25 AM, Martin wrote:

> Hello Ryan,
>
> Thursday, September 17, 2020, 4:42:24 PM, you wrote:
>
> > -Ryan McGinnis
> > http://www.bigstormpicture.com
> > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>
> BTW your public key is not on keys.openpgp.org
>
> Best regards,
> Martin



Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Stefan Claas
Alan Bram via Gnupg-users wrote:
 
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
> 
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
> 
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get
the warning.

Regards
Stefan



Re: how to suppress new "insecure passphrase" warning

2020-09-17 Thread Ryan McGinnis via Gnupg-users
(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you 
don't have a good passphrase -- six words is kinda minimum with diceware to get 
a decent amount of entropy)

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

‐‐‐ Original Message ‐‐‐
On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users 
 wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that someone
> simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

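raf's point that a digit-or-special-character rule is not evidence-based, and Ryan's remark that six Diceware words are the sensible minimum, can both be put in numbers. The script below is an added example, not the thread's and not gpg-agent's code: it emulates a min-passphrase-nonalpha style rule by counting characters that are not ASCII letters (a simplification of this example's own; the thread does not spell out gpg-agent's exact counting rule), and computes the entropy of a uniformly chosen passphrase, assuming the standard 7776-word (6^5) Diceware list. The sample passphrases are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: a composition rule
# versus entropy, for Diceware passphrases and for short "complex" passwords.

# Number of characters in $1 that are not ASCII letters (digits, punctuation,
# space). This is what a min-passphrase-nonalpha style rule counts; treating
# it as exactly gpg-agent's rule is an assumption of this example.
nonalpha_count() {
    printf '%s' "$1" | tr -d 'A-Za-z' | wc -c | tr -d ' \t'
}

# Exit 0 if a "min-passphrase-nonalpha $2" rule would warn about passphrase $1.
nonalpha_rule_warns() {
    [ "$(nonalpha_count "$1")" -lt "$2" ]
}

# Entropy, in whole bits, of $1 words chosen uniformly from a list of
# $2 words (default 7776, the standard Diceware list).
diceware_bits() {
    awk -v n="$1" -v size="${2:-7776}" \
        'BEGIN { printf "%d\n", int(n * log(size) / log(2)) }'
}

# Entropy, in whole bits, of $1 characters chosen uniformly from $2 symbols.
# For a human-chosen password this is only an upper bound: the patterns raf
# mentions ("Winter2019") collapse the real search space far below it.
charset_bits() {
    awk -v len="$1" -v cs="$2" \
        'BEGIN { printf "%d\n", int(len * log(cs) / log(2)) }'
}

# One report line: passphrase, nonalpha count, rule verdict, entropy estimate.
report_line() {
    pw="$1"; bits="$2"
    if nonalpha_rule_warns "$pw" 1; then verdict="warns"; else verdict="ok"; fi
    printf '%-34s nonalpha=%s rule(min 1)=%-6s ~%s bits\n' \
        "$pw" "$(nonalpha_count "$pw")" "$verdict" "$bits"
}

# Constructed samples (not real passphrases). Six Diceware words run together
# with no spaces, as in the thread; three words; two pattern-style passwords.
report_line "tidalwalrusombreglintcacaoquartz" "$(diceware_bits 6)"
report_line "tidalwalrusombre"                 "$(diceware_bits 3)"
report_line "Winter2019"                       "$(charset_bits 10 62)"
report_line "P@ssw0rd1"                        "$(charset_bits 9 95)"
```

The first line is the situation in the thread: the six-word passphrase carries roughly 77 bits yet trips the default rule, while "Winter2019" satisfies it. The three-word line (about 38 bits) is why Ryan's "six words minimum" matters: the rule says nothing about the difference, the entropy does.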