On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <r...@sixdemonbag.org> wrote: > >This arrived in my inbox: I'm presenting it here without comment. >My >response will be following in a moment. > > >-------- Forwarded Message -------- >Subject: The GnuPR FAQ >Date: Mon, 11 May 2020 14:19:07 -0600 >From: James Long <crogon...@gmail.com> >To: r...@sixdemonbag.org ----- >You've advised people to use a HORRIBLE practice of using >dictionary words solely for their password. I tested this theory myself back >in the day, so I can 100% guaranty you of this fact: A brute force >dictionary based attack can crack a password like that in LESS THAN 5 >minutes!!
===== How many words were in your passphrase?? Here is some data on the Diceware list: https://theworld.com/~reinhold/diceware.html The Diceware list has only 7776 words. A complete dictionary has almost 2 orders of magnitude more. "Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number." https://www.merriam-webster.com/help/faq-how-many-english-words 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5) ( 7776^10 = 8.08x10^38 2^128 = 3.40×10^38 ) 20 Diceware words provides a greater Brute Force space, than 2^256 ( 7776^20 = 6.53×10^77 2^256 =1.157×10^77 ) Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on). So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³⁹, still greater than a a 2^128 Brute Force Space. So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model. vedaal _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
