Re: how long should a password be?

2008-05-05 Thread Sven Radde
Hi! On Monday, 05.05.2008, 22:58 -0400, Faramir wrote: > >> So there are only 64 bits in an 8 character password, which can be > >> cracked quite quickly using rainbow tables for any password. > > > > That is unlikely to work because gpg uses a random 64 bit salt as well > > as extended hashi

Re: how long should a password be?

2008-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > Werner Koch wrote: > On Mon, 5 May 2008 14:18, [EMAIL PROTECTED] said: > >> So there are only 64 bits in an 8 character password, which can be >> cracked quite quickly using rainbow tables for any password. > > That is unlikely to work because g

[Fwd: Re: Question about GnuPG Smartcard]

2008-05-05 Thread Alexander W. Janssen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 (Had some very odd message from the MTA... sorry if this is a repost. Not sure if my original posting made it to the list.) Werner Koch wrote: > On Sun, 4 May 2008 04:00, [EMAIL PROTECTED] said: > >> The smartcard can store 3 1024-bit RSA keys. It

Re: Question about GnuPG Smartcard

2008-05-05 Thread Alexander W. Janssen
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Werner Koch wrote: > On Sun, 4 May 2008 04:00, [EMAIL PROTECTED] said: > >> The smartcard can store 3 1024-bit RSA keys. It cannot store a 2048- >> bit key. > > That depends on the actual card. GnuPG implements a specification and > allows all k

Re: how long should a password be?

2008-05-05 Thread David Shaw
On May 5, 2008, at 4:05 AM, Sven Radde wrote: Hi! Matt Kinni wrote: Everyone says it should be as long as possible (...) What do you think? You might find this interesting read: That's a good article. See this also: <

Re: how long should a password be?

2008-05-05 Thread Werner Koch
On Mon, 5 May 2008 14:18, [EMAIL PROTECTED] said: > So there are only 64 bits in an 8 character password, which can be > cracked quite quickly using rainbow tables for any password. That is unlikely to work because gpg uses a random 64 bit salt as well as extended hashing. Salam-Shalom, We

re: how long should a password be?

2008-05-05 Thread vedaal
Robert J. Hansen rjh at sixdemonbag.org wrote on Mon May 5 10:36:16 CEST 2008 : >> Everyone says it should be as long as possible >Not at all. At some point the passphrase becomes stronger than the >symmetric encryption algorithm. Then it's time to stop. so, assuming 95 keyboard possibilitie

Re: How trust works in gpg...

2008-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > Sven Radde wrote: > Faramir wrote: >> I was reading again this message, and I'd like to know: is there any >> point about signing a key _but not giving any trusted status_ ? > Yes. > Signing the key makes it valid for you (i.e. you believe that

Re: how long should a password be?

2008-05-05 Thread Bill Royds
On 5-May-08, at 03:55 , Wolf Canis wrote: There are infinite possibilities. That's the trick. Not the length of a password is decisive but the quality. The quality of your password decides how much effort is necessary to hack it. Unfortunately that is not true. Since most systems use a s

Re: How trust works in gpg...

2008-05-05 Thread David Shaw
On May 5, 2008, at 6:46 AM, Faramir wrote: David Shaw wrote: . If someone wants to sign your key, you then end up with: KEY + UID + SELFSIG + SIG So SELFSIG is you saying "I bind this KEY and UID together", and SIG is the other person saying "Me too". If you add another UID at this po

Re: how long should a password be?

2008-05-05 Thread Wolf Canis
Bill Royds wrote: > > On 5-May-08, at 03:55 , Wolf Canis wrote: > >> There are infinite possibilities. That's the trick. Not the length of a >> password is >> decisive but the quality. The quality of your password decides how much >> effort is necessary to hack it. > > Unfortunately that is not tru

Re: How trust works in gpg...

2008-05-05 Thread Sven Radde
Faramir wrote: I was reading again this message, and I'd like to know: is there any point about signing a key _but not giving any trusted status_ ? Yes. Signing the key makes it valid for you (i.e. you believe that the person indicated in the key's User-IDs is the person who actually has cont

Re: How trust works in gpg...

2008-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > David Shaw wrote: > . > If someone wants to sign your key, you then end up with: > > KEY + UID + SELFSIG + SIG > > So SELFSIG is you saying "I bind this KEY and UID together", and SIG > is the other person saying "Me too". > > If you add an

GPG in several computers

2008-05-05 Thread Ramon Loureiro
Hi! Robert J. Hansen wrote: > Ramon Loureiro wrote: > >> I'm new with GPG and Enigmail. >> I use my email at home and at work, and there in more than one computer... >> How can I handle my GPG? > > The first question is, "which operating systems do you use?" The > instructions ar

[REPOST] LDAP Basic Auth not working for key search, keyserver-options ignored!

2008-05-05 Thread Harakiri
Hello, following the example here: http://lists.gnupg.org/pipermail/gnupg-users/2006-February/028058.html I used the binddn and bindpw option to do a simple auth against an LDAP server gpg.exe --keyserver ldap://localhost --keyserver-options "binddn=\"uid=someuser\"" --keyserver-options bi

Re: GPG 1.4.9 false verification

2008-05-05 Thread Andy McKnight
> > The behavior is specified by RFC4880 and is not a security risk. > > Hi, I was testing this with the --verify switch only so I didn't see the final output with the stripped headers. Thanks for clearing this up. Your point regarding my mail client was interesting though. I use the web interf

Re: GPG 1.4.9 false verification

2008-05-05 Thread Robert J. Hansen
Andy McKnight wrote: > Is this behaviour by design? Are GPG users supposed to be aware that > this line is untrusted? The behavior is specified by RFC4880 and is not a security risk. As an example, I have a small CSS file here that I have clearsigned. The opening looks like: *-BEGIN PGP SIG

GPG 1.4.9 false verification

2008-05-05 Thread Andy McKnight
Hi Guys, I'm new to GPG so I'm not sure if this is a problem or if it's by design but it's possible to modify a clearsigned message/document and still have it verify. When I sign a document GPG adds the two header lines "-BEGIN PGP SIGNED MESSAGE-" and "Hash: SHA1" followed by a blank lin

Re: how long should a password be?

2008-05-05 Thread Wolf Canis
Matt Kinni wrote: > Everyone says it should be as long as possible, but there comes a point > where it's just impossible to remember anything longer than 20 > characters. What do you think? Hello, I would say a password should be between 8 - 12 characters long. But that isn't that important. Eight

Re: how long should a password be?

2008-05-05 Thread Robert J. Hansen
Faramir wrote: > That brings another related question: is there any character > unsupported by GnuPG? I ask this because once I was using an application, > and I tried to use "special" characters in the password, but the app > rejected the users saying "wrong password", so I had to use just normal

Re: how long should a password be?

2008-05-05 Thread Robert J. Hansen
Matt Kinni wrote: > Everyone says it should be as long as possible Not at all. At some point the passphrase becomes stronger than the symmetric encryption algorithm. Then it's time to stop. > where it's just impossible to remember anything longer than 20 > characters. What do you think? I thi

Re: how long should a password be?

2008-05-05 Thread Wolf Canis
Sven Radde wrote: > Hi! > > Matt Kinni wrote: >> Everyone says it should be as long as possible (...) What do you think? > You might find this interesting read: > Interesting article, thanks for the link. :-) > > Also keep in

Re: how long should a password be?

2008-05-05 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > Noiano wrote: > Matt Kinni wrote: > > Everyone says it should be as long as possible, but there comes a point > > where it's just impossible to remember anything longer than 20 > > characters. What do you think? > > . > - longer >= 25 IMHO >

Re: how long should a password be?

2008-05-05 Thread Sven Radde
Hi! Matt Kinni wrote: Everyone says it should be as long as possible (...) What do you think? You might find this interesting read: Also keep in mind that in order to attack your password, an attacker would first have to

Re: how long should a password be?

2008-05-05 Thread Noiano
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Matt Kinni wrote: > Everyone says it should be as long as possible, but there comes a point > where it's just impossible to remember anything longer than 20 > characters. What do you think? Well IMHO you should merge together some significant (just

Re: Question about GnuPG Smartcard

2008-05-05 Thread Werner Koch
On Sun, 4 May 2008 04:00, [EMAIL PROTECTED] said: > The smartcard can store 3 1024-bit RSA keys. It cannot store a 2048- > bit key. That depends on the actual card. GnuPG implements a specification and allows all key sizes. There are some restrictions due to the limited size of an APDU. The

how long should a password be?

2008-05-05 Thread Matt Kinni
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Everyone says it should be as long as possible, but there comes a point where it's just impossible to remember anything longer than 20 characters. What do you think? -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (MingW32) iQEcBAEBCAAGBQJIHrS