vedaal via Gnupg-users wrote:
> On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <r...@sixdemonbag.org> wrote:
>
> >This arrived in my inbox: I'm presenting it here without comment. My
> >response will be following in a moment.
> >
> >-------- Forwarded Message --------
> >Subject: The GnuPR FAQ
> >Date: Mon, 11 May 2020 14:19:07 -0600
> >From: James Long <crogon...@gmail.com>
> >To: r...@sixdemonbag.org
> -----
> >You've advised people to use a HORRIBLE practice of using
> >dictionary words solely for their password. I tested this theory myself back
> >in the day, so I can 100% guarantee you of this fact: A brute force
> >dictionary based attack can crack a password like that in LESS THAN 5
> >minutes!!
>
> =====
> How many words were in your passphrase??
>
> Here is some data on the Diceware list:
> https://theworld.com/~reinhold/diceware.html
>
> The Diceware list has only 7776 words. A complete dictionary has almost 2
> orders of magnitude more.
>
> "Webster's Third New International Dictionary, Unabridged, together with its
> 1993 Addenda Section, includes some 470,000 entries. The Oxford English
> Dictionary, Second Edition, reports that it includes a similar number."
> https://www.merriam-webster.com/help/faq-how-many-english-words
>
> 10 Diceware words provide a greater brute-force space than 2^128 (a gnupg
> session key for older defaults of CAST-5):
> ( 7776^10 = 8.08×10^38 ; 2^128 = 3.40×10^38 )
>
> 20 Diceware words provide a greater brute-force space than 2^256:
> ( 7776^20 = 6.53×10^77 ; 2^256 = 1.157×10^77 )
>
> Even using only English words greater than 5 letters and unrelated to each
> other, an extremely low-bound estimate would be 77760 words (in reality,
> far greater, but let's use an example people would agree on).
>
> So using 8 words chosen semi-randomly from a dictionary, 77760^8 =
> 1.336×10^39, still greater than a 2^128 brute-force space.
>
> So, not only is it NOT *horrible* advice, it should be enough for anyone's
> threat model.
I can only assume that James must have thought that a *single* dictionary word
was what was meant, not a large number of randomly-chosen dictionary words.

I love diceware passwords. Sometimes you even get lucky and generate a funny one.

> vedaal
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
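As an added illustration (not code from anyone in this thread), the arithmetic behind vedaal's figures and Robert's single-word reading, in Python. The list sizes are the ones quoted above (7776 Diceware words, 77760 as the low-bound dictionary, 470,000 for Webster's); the dice simulation is a constructed sample that produces Diceware lookup keys without a word list attached.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 7776        # 6**5: five dice rolls select one word
LOW_BOUND_DICTIONARY = 77760     # vedaal's deliberately low estimate
WEBSTERS_ENTRIES = 470_000       # quoted Merriam-Webster figure

def passphrase_bits(words: int, list_size: int) -> float:
    """Entropy in bits of `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)

def words_needed(target_bits: int, list_size: int) -> int:
    """Smallest word count whose search space is at least 2**target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def beats_key(words: int, list_size: int, key_bits: int) -> bool:
    """Exact integer check that list_size**words >= 2**key_bits (no float rounding)."""
    return list_size ** words >= 2 ** key_bits

def dice_to_index(roll: str) -> int:
    """Map a five-digit Diceware key such as '11111'..'66666' to a 0-based list index."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError("a Diceware key is exactly five digits in 1..6")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)   # base-6 with digits 1..6
    return index

def diceware_keys(words: int) -> list[str]:
    """Simulate five fair dice per word with the OS CSPRNG (constructed sample output)."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]

if __name__ == "__main__":
    # Single dictionary word (James's reading) versus multi-word passphrases (vedaal's).
    print(f"1 Webster's word: {passphrase_bits(1, WEBSTERS_ENTRIES):.1f} bits")
    for n, size in ((10, DICEWARE_LIST_SIZE), (20, DICEWARE_LIST_SIZE),
                    (8, LOW_BOUND_DICTIONARY)):
        print(f"{n} words from {size}: {passphrase_bits(n, size):.1f} bits")
    print("keys:", diceware_keys(6))
```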