Alan Bram via Gnupg-users wrote: > I have been using gnupg for a few years now, with no change in the way I > invoke it. Recently (I guess my package manager updated to a new version: > 2.2.23) it started injecting a warning about "insecure passphrase" and > suggesting that I ought to include a digit or special character. > > I don't want to do that. I have a strong passphrase that was generated via > Diceware. It's simply a few words made of plain letters; but it's long > enough, and totally random. Stronger than a short, lame password that > someone simply appends a "1" to. > > Is there a way to suppress the annoying warning?
I don't know, but you could report it as a bug in the package. If they are going to introduce such a warning, the logic should be evidence-based, and I bet it isn't. I once read a great article (on an Mozilla or OWASP site) about the fact that the ancient corporate advice of using a password that is at least eight characters long, with at least three character classes (i.e. upper case, lower case, punctuation and digits), was harmful because humans all think very similarly, and we all come up with passwords that look the same, like "Password1". Being forced to change passwords for no reason every 90 days just means we all use "Winter2019", "Autumn2019", etc. So penetration testers have done the stats on cracked passwords and come up with a list of the top 100 password patterns that mean that you can dramatically reduce the search space when cracking passwords and crack about 95% of supposedly strong passwords. The top pattern covers about 12% of passwords. Here's a URL on the topic (but not the one I first read): https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/ So the original advice wasn't evidence-based, and even FIPS have adandoned it and have started recommending long passphrases. Diceware passwords are brilliant, and any system that complains that they are aren't secure is an embarrassment. I hate being told by websites that my 50 character passphrase isn't secure enough, even more so when it meets all of their stated password requirements (i.e. they don't mention the fact that they don't accept space characters as a special character - grr). cheers, raf P.S. Of course you could make a local copy of the binary and replace the first character of the warning with a nul byte. That should fix it. :-) _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
