On Thursday 23 January 2014 15:34:17 Uwe Brauer wrote: > A Long time ago, IBM's proprietary OS, called CMS had a particular > feature for the login: > > It gave you three attempts to login in. If you failed there was a time > delay of 20 min, if you failed again, the time delay was prolonged to > one hour, and then I think to one day.
The same feature is implemented in some form in many/most contemporary login systems as well, and it makes great sense for a login system. The main reason this makes sense is that as a regular user you can't just bypass the login screen and get direct access to the hashed password value. > My private pgp and smime keys are secured by a password, but there is no > time delay, which makes a brute force attack possible. > > Could a time delay be implemented similar to the one I just mentioned? In contrast to the login screen example, a delay implemented by gnupg won't help you in this case. Once an attacker has access to your private key, he or she can try a brute-force attack against the passphrase using a patched version of gnupg that does not implement the delay. So in short: - a delay won't help you - protect your private key so this won't happen - always use a strong passphrase Cheers, Johannes _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
