On Thu 24 Aug 2017 at 18:42:47 (+0100), Brian wrote:
> On Wed 23 Aug 2017 at 18:06:49 -0500, Mario Castelán Castro wrote:
> > On 23/08/17 14:11, Brian wrote:
> > > "Probably" is probably good enough. The probability of either of the two
> > > previous passwords being deduced from pure guessing is close to zero.
> >
> > It is not human guessing, but brute force attacks with specialized
> > hardware that you should try to protect against. [...]
> >
> > Anyway, you have to take into account that sometimes a database of
> > hashed passwords of the users can be obtained through normal cracking.
> > Then the attacker can perform a brute force search without any further
> > need for network access.
> >
> > If your ~/.gnupg directory leaks, then your OpenPGP key is protected
> > only by your password. No network access is required after the initial leak.
>
> I'll give you that. 50,000 tests per second offline (or whatever it is
> now) beats an online attack of a few hundred (?) per second any day of
> the week.
>
> I've seen it said that a memorable password is a weak password. Perhaps
> there is some truth in that, but (again IME) it needn't be so.

Unless you have accounts¹ that invite break-in attempts², the main thing to resist offline cracking is to have better passwords than your neighbours, just like security against burglary. Once a suitable proportion of passwords have been cracked, which will consist of the easier ones, there are diminishing returns in continuing to try to crack the rest.

¹accounts of all sorts, not just forums.
²institutions, slebs, politicians, etc.

Cheers,
David.