On Mon, Dec 14, 2020 at 5:35 AM Robert J. Hansen <r...@sixdemonbag.org> wrote:
>
> > I guess you have not read my initial posting ... otherwise you would
> > think different and would not say so ...
>
> Stefan, I read your original posting and I completely concur with Ingo.
>
> > The program is not only for GnuPG usage
>
> Please explain to me who might benefit from this.

People who have difficulty creating long passphrases and remembering them, when using different ones for different use cases.

> Seriously. If people want CSPRNG output, this is not CSPRNG output.
> If people want a key derivation function, this is a *really bad* key
> derivation function: you should've used PBKDF2 or Argon2.

I recently posted here, in the Governikus thread, that I used PBKDF2 along with NIST guidelines to create a secure key for a GnuPG key of mine, for UID purposes ... Had I used PBKDF2 for my little program, people would have a key which they need to store somewhere, while my program does not store keys; instead one types in his nonsense passphrase, which then gets converted.

> What's your use case? Who might benefit?

We have all probably read that servers often get hacked or otherwise compromised, and crackers and law enforcement are using software like hashcat or John the Ripper etc. to crack people's passwords. Lists of used passwords are available on the net. Lists of MD5 and SHA1 hashes etc. as well. We are also aware of brute-force or dictionary attacks etc.

One would think that nowadays passwords with all online services are properly salted and hashed, in order to protect people's passphrases, but why then are password crackers, used by crackers and law enforcement, often successful? We could probably agree that then a weak password was used and no salt, so that the stored hashes in databases from online services make it easier to crack passwords. Or do we have NIST/BSI certified consumer online services, when it comes to security ...

With that said, would you say that when one inputs his password into an online form it is equally as secure as if one would use my program and use an easy to remember nonsense phrase which gets converted?

Regards
Stefan
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
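The message above puts two things side by side: unsalted fast hashes in leaked databases, which hashcat or John the Ripper recover quickly, and the "properly salted and hashed" storage one would expect, with PBKDF2 named in the quoted reply as a proper key derivation function. The Python below is an added illustration of that contrast; it is not code from this thread, from Stefan's program or from GnuPG. The wordlist and the three "accounts" are constructed here, and the choice of PBKDF2-HMAC-SHA256 with a 600,000-iteration default is the example's own assumption, not something the thread specifies.

```python
"""Unsalted fast hash vs. salted PBKDF2 (added example, not from the thread)."""
import hashlib
import hmac
import os

# Constructed sample data for the demonstration: a tiny wordlist of the kind
# found in public password dumps, and three "accounts" as a leaked database
# might store them.  None of this is real leaked data.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ACCOUNT_PASSWORDS = {"alice": "letmein", "bob": "password", "carol": "Tr0ub4dor&3-2020"}

# Assumption: 600k iterations is a reasonable 2020-era PBKDF2-HMAC-SHA256 cost
# for interactive logins; tune to your hardware.
DEFAULT_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """The weak storage the message complains about: a fast, unsalted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """Dictionary attack on unsalted hashes.

    One hash computation per guess serves every account at once, and the
    lookup table can be precomputed and reused across breaches, so weak
    passwords fall immediately.  Returns {account: recovered_password}.
    """
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {acct: lookup[h] for acct, h in stored.items() if h in lookup}


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, one of the KDFs named in the quoted reply; 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def make_record(passphrase: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Salted storage: a fresh random salt per account, stored beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive_key(passphrase, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive and compare in constant time so the check leaks no prefix match."""
    got = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def crack_salted(records: dict, wordlist) -> dict:
    """The same dictionary attack against salted PBKDF2 records.

    Every (account, guess) pair now costs a full PBKDF2 run and nothing can
    be shared between accounts or precomputed.  A weak password is still
    recoverable, only slower: the KDF raises the cost per guess, it does not
    add entropy to the password itself.
    """
    found = {}
    for acct, rec in records.items():
        for word in wordlist:
            if verify(rec, word):
                found[acct] = word
                break
    return found


def demo(iterations: int = DEFAULT_ITERATIONS):
    """Run both attacks over the constructed accounts; returns (unsalted_hits, salted_hits)."""
    unsalted = {a: unsalted_sha1(p) for a, p in ACCOUNT_PASSWORDS.items()}
    salted = {a: make_record(p, iterations) for a, p in ACCOUNT_PASSWORDS.items()}
    return crack_unsalted(unsalted, WORDLIST), crack_salted(salted, WORDLIST)


if __name__ == "__main__":
    weak, slow = demo()
    print("unsalted SHA-1 recovered:", weak)
    print("salted PBKDF2 recovered: ", slow)
```

Both runs recover the two dictionary passwords and miss carol's, which is the point the message makes from the other side: salting and a slow KDF multiply the attacker's work per guess and stop one cracked hash from exposing every account with the same password, but they do not rescue a password that sits in the wordlist.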