I think a lot of this password philosophy is nonsense for most people. The only things that are likely to be brute-forced are Edge devices with some sort of tactical purpose. Average Joe user is more at risk from phishing or another social engineering tactic.
I'm a big fan of ridiculously large passwords that are completely unintelligible that include all sorts of !)/GJhj32;':" characters for static non-user based accounts. Now that password has to be stored though, which then gets into how should the password itself be secured... -Devin Sent on the Sprint® Now Network from my BlackBerry® -----Original Message----- From: David Shaw <[email protected]> Sender: [email protected] Date: Mon, 18 Apr 2011 22:21:49 To: Robert J. Hansen<[email protected]> Cc: GnuPG Users<[email protected]> Subject: Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2? On Apr 18, 2011, at 6:56 PM, Robert J. Hansen wrote: >> Yes, well, that would mean that a 32-character English passphrase will >> average about 64 bits of randomness. Is that really enough to protect >> a key from an offline brute force attack? I think not, but am open to >> being persuaded. :) > > As I've said a few times now, no question about "is X really sufficient to > protect a passphrase from being broken?" can be answered without a lot of > context. Who are you worried about breaking it? How hard will they try? > > To give you an example, RC5-64 was a giant distributed network of computers > run by hobbyists using spare CPU cycles, trying to brute-force a 64-bit key. > Their volunteer network was much larger than anyone outside of > megacorporations or First World intelligence agencies or major crime > syndicates have. > > It took them eighteen months. Actually around 58 months: just under 5 years. > 64-bit crypto isn't good for long-term storage, but if you want to foil > someone who doesn't have megacorporation-level resources for a period of > months or years, it'll do just fine. Against First World intelligence > agencies it might take a few seconds. Are you asserting that there exists a group that can brute-force a 64-bit key in a few seconds? David _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
