On 23/08/17 14:11, Brian wrote:
>> As for the scenario where the password is compromised and that leads to
>> somebody posting slander on one's behalf, that can happen without any need
>> for password cracking. Anybody can create a profile in a social network
>> pretending to be you with the intention to taint your reputation.
>> Hence only your reputation as perceived by stupid people would
>> suffer from such an attack.
> A slander coming from your own (compromised) account is somewhat
> different from one posted from a created account. It is a lot harder
> to deny one but not the other.

The problem here is that only *you* know which account is legitimate and
which is the impersonator. The rest of the people read that account A claims
that account B is impersonating it, but they cannot know whether that is true,
or whether it is actually the other way around, or whether account B is
actually the same person as account A but posing as an impersonator of
himself (like the so-called “self-robbery”).

If you have access to an account, you can prove this easily to anybody
through a challenge-response protocol. However, in general you cannot
prove that you do *NOT* have access to an account. It can be done only
in *some cases*. For example, if you were unconscious in the hospital,
the hospital personnel can attest to this. Of course, this works only if
people are willing to trust the hospital personnel.

>>> "Probably" is probably good enough. The probability of either of the two
>>> previous passwords being deduced from pure guessing is close to zero.
>> It is not human guessing, but brute force attacks with specialized
>> hardware, that you should try to protect against.
> It is all "human guessing". Think about it. Machines do not guess by
> themselves. Not yet anyway!
> Two passwords:
>   IhaveaMemorablePasswordwhichIwillnotforget!
>   MyDogHasNoNose.HowDoesItSmell?Terrible!
> Please would you give your opinion of how long it would take to brute
> force these over the network.
> (I do not understand "specialized hardware" when it is network attacks.)

An answer cannot be given to “how long it would take” because the
question depends on too many factors. It is an open-ended question.

Anyway, you have to take into account that sometimes a database of the
users' hashed passwords can be obtained through normal cracking.
Then the attacker can perform a brute force search without any further
need for network access.

If your ~/.gnupg directory leaks, then your OpenPGP key is protected
only by your password. No network access is required after the initial leak.

Do not eat animals, respect them as you respect people.
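The challenge-response proof of account access mentioned in the message above, as an added example that is not part of this thread or of any project it discusses. It assumes the account has an Ed25519 public key published on it (an assumption made for the example): the verifier picks a fresh random nonce, the claimant signs it, and anyone holding the public key can check the signature. The context string, the 32-byte challenge size and the function names are choices made here, not anything from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// proofContext is bound into every signed message so that a signature made
// for this protocol cannot be reused as a signature over something else.
// The string is an assumption of this example.
const proofContext = "account-ownership-proof-v1"

// NewChallenge is run by the verifier: a fresh random nonce per proof, so a
// signature captured earlier cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// proofMessage derives the bytes that are actually signed: H(context || nonce).
func proofMessage(challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(proofContext))
	h.Write(challenge)
	return h.Sum(nil)
}

// ProveAccess is run by the claimant. Only a holder of the private key that
// belongs to the account's published public key can produce this signature.
func ProveAccess(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, proofMessage(challenge))
}

// VerifyProof is run by anybody: it needs only the account's public key,
// the challenge they issued and the signature they got back.
func VerifyProof(pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(challenge) != 32 || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, proofMessage(challenge), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	sig := ProveAccess(priv, challenge)
	fmt.Println("challenge:", hex.EncodeToString(challenge))
	fmt.Println("fresh challenge, right key:     ", VerifyProof(pub, challenge, sig))

	// A captured signature does not help against a new challenge.
	stale, _ := NewChallenge()
	fmt.Println("old signature on a new challenge:", VerifyProof(pub, stale, sig))

	// And a different account's key does not verify it either.
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("another account's key:          ", VerifyProof(otherPub, challenge, sig))
}
```

Note what this does and does not settle: a valid proof shows that whoever answered holds the key right now. It says nothing about whether somebody else also holds it, which is exactly the negative the message says cannot be proven in general.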

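The offline attack the message describes, as an added example that is not part of this thread: once a database of salted, iterated password hashes (or a leaked ~/.gnupg with a passphrase-protected key) is in the attacker's hands, every guess costs one hash computation on the attacker's own machine and touches no login endpoint. The hash construction below is a deliberately simplified iterated salted SHA-256, a stand-in for a real KDF such as OpenPGP's iterated+salted S2K or PBKDF2 and not their exact construction; the leaked records, salts, iteration count and wordlist are all constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Record is one row of a leaked credential database. Constructed sample data,
// not from any real breach.
type Record struct {
	User  string
	Salt  []byte
	Hash  []byte
	Iters int
}

// HashPassword is a simplified iterated, salted hash:
//   h0 = SHA256(salt || password); h_i = SHA256(h_{i-1} || salt || password)
// It only stands in for a real KDF (assumption of this example).
func HashPassword(salt []byte, password string, iters int) []byte {
	buf := append(append([]byte{}, salt...), []byte(password)...)
	sum := sha256.Sum256(buf)
	for i := 1; i < iters; i++ {
		sum = sha256.Sum256(append(sum[:], buf...))
	}
	return sum[:]
}

// NewRecord is what the site did at registration time.
func NewRecord(user, password string, salt []byte, iters int) Record {
	return Record{User: user, Salt: salt, Hash: HashPassword(salt, password, iters), Iters: iters}
}

// CrackDatabase runs a dictionary attack entirely offline. No rate limit,
// lockout or network round trip is involved: the cost per guess is one
// HashPassword call, and it can be parallelised on whatever hardware the
// attacker owns. Returns the recovered passwords and the number of guesses.
func CrackDatabase(db []Record, candidates []string) (map[string]string, int) {
	found := make(map[string]string)
	attempts := 0
	for _, r := range db {
		for _, c := range candidates {
			attempts++
			if subtle.ConstantTimeCompare(HashPassword(r.Salt, c, r.Iters), r.Hash) == 1 {
				found[r.User] = c
				break
			}
		}
	}
	return found, attempts
}

// LeakedDB is a constructed sample of what an attacker might have obtained.
func LeakedDB() []Record {
	const iters = 1000
	return []Record{
		NewRecord("alice", "password123", []byte("salt-alice"), iters),
		NewRecord("bob", "letmein", []byte("salt-bob"), iters),
		NewRecord("carol", "IhaveaMemorablePasswordwhichIwillnotforget!", []byte("salt-carol"), iters),
	}
}

// Wordlist is a tiny constructed candidate list standing in for the
// multi-gigabyte lists a real cracker would feed in.
var Wordlist = []string{"123456", "password", "qwerty", "letmein", "password123", "dragon"}

func main() {
	db := LeakedDB()
	found, attempts := CrackDatabase(db, Wordlist)
	fmt.Printf("%d guesses computed offline, zero login attempts\n", attempts)
	for _, r := range db {
		if p, ok := found[r.User]; ok {
			fmt.Printf("%-6s cracked -> %q\n", r.User, p)
		} else {
			fmt.Printf("%-6s not in wordlist (hash %s...)\n", r.User, hex.EncodeToString(r.Hash)[:16])
		}
	}
}
```

The iteration count is the only knob the defender controls once the database is gone: it multiplies the attacker's cost per guess, but it cannot turn a guessable password into a safe one, which is why the question in the thread comes down to how guessable the candidate strings are rather than to network speed.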
