On Sat, Dec 26, 2015 at 6:37 PM, Owen DeLong <o...@delong.com> wrote:
>> On Dec 26, 2015, at 15:54 , Baldur Norddahl <baldur.nordd...@gmail.com>
>> wrote:
>> [...]
>> The key approach is still better. Even if the password is 123456 the
>> attacker is not going to get in, unless he somehow stole the key file.
>
> Incorrect… It is possible the attacker could brute-force the key file.
>
> A 1024-bit key is only as good as a ~256 character passphrase in terms of
> entropy.
>
> If you are brute forcing or otherwise synthesizing the private key, you do
> not need the passphrase for the on-disk key. As was pointed out elsewhere,
> the passphrase for the key file only matters if you already stole the key
> file.
>
> In terms of guessing the private key vs. guessing a suitably long pass
> phrase, the difficulty is roughly equivalent.

Intriguing point. I was thinking about it from the end-user perspective;
but you're right, from the bits-on-the-wire perspective, it's all just a
stream of 1's and 0's, whether it came from a private key + passphrase run
through an algorithm or not.

Thanks for the reminder to look at it from multiple perspectives. ^_^

Matt