Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread Robert J. Hansen
> I think a lot of this password philosophy is nonsense for most people. The > only things that are likely to be brute-forced are Edge devices with some > sort of tactical purpose. Average Joe user is more at risk from phishing or > another social engineering tactic. Tactical communications are

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread lists
I think a lot of this password philosophy is nonsense for most people. The only things that are likely to be brute-forced are Edge devices with some sort of tactical purpose. Average Joe user is more at risk from phishing or another social engineering tactic. I'm a big fan of ridiculously large

Re: GnuPG failing to decrypt all files

2011-04-18 Thread Devin Fisher
Nobody? It is a weird problem... -Devin -Original Message- From: li...@meumonus.com Sender: gnupg-users-boun...@gnupg.org Date: Wed, 13 Apr 2011 22:07:15 To: Reply-To: li...@meumonus.com Subject: GnuPG failing to decrypt all files Hi! I have a curious problem. I just installed GPG4win

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread Robert J. Hansen
> Are you asserting that there exists a group that can brute-force a 64-bit key > in a few seconds? First, thanks for the correction on the RC5-64 project. Short answer: no, I am not asserting a group exists that can brute-force a 64-bit key in a few seconds. I am asserting that it's plausible

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread David Shaw
On Apr 18, 2011, at 6:56 PM, Robert J. Hansen wrote: >> Yes, well, that would mean that a 32-character English passphrase will >> average about 64 bits of randomness. Is that really enough to protect >> a key from an offline brute force attack? I think not, but am open to >> being persuaded. :) >

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread Robert J. Hansen
> Yes, well, that would mean that a 32-character English passphrase will > average about 64 bits of randomness. Is that really enough to protect > a key from an offline brute force attack? I think not, but am open to > being persuaded. :) As I've said a few times now, no question about "is X reall

Re: [OT] passphrases Was: Re: Allowing paste into pinentry-gtk-2?

2011-04-18 Thread Todd A. Jacobs
On Sat, Apr 16, 2011 at 8:02 PM, Robert J. Hansen wrote: > The best numbers I've seen regarding passphrase entropy suggest that plain > English text has in the neighborhood of 1.5 to 2.5 bits of entropy per glyph. >  Just FYI.  You can find these numbers in Shannon's original works on > entropy

Re: A better way to think about passwords

2011-04-18 Thread Avi
I know I'm late to the party, and forgive me if someone posted these links already, but the two essays I found most informative and helpful when trying to create secure passwords were:

Re: A better way to think about passwords

2011-04-18 Thread Ingo Klöcker
On Monday 18 April 2011, Robert J. Hansen wrote: > On 4/18/2011 1:02 PM, Mark H. Wood wrote: > > Oh, sure -- I do that too. But the CC memorization problem seems a > > lot easier. First, it's all digits, not a typical Base64 mishmash. > > YMMV, but to me a glyph is a glyph is a glyph. > > > Sec

Re: A better way to think about passwords

2011-04-18 Thread Robert J. Hansen
On 4/18/2011 1:02 PM, Mark H. Wood wrote: > Oh, sure -- I do that too. But the CC memorization problem seems a > lot easier. First, it's all digits, not a typical Base64 mishmash. YMMV, but to me a glyph is a glyph is a glyph. > Second, it's not a 23-digit number; it's a 16-digit number, a date

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 1:02 PM, Mark H. Wood wrote: > > OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" > they are not readily visible to me. My eye tends to slide right past > it without taking anything in. > > This is why I tend to use something like APG to generate strings of > nonse

Re: A better way to think about passwords

2011-04-18 Thread Grant Olson
On 4/18/11 2:09 PM, Grant Olson wrote: > On 4/18/11 1:02 PM, Mark H. Wood wrote: >> >> OTOH if there are any useful groupings in "c2l4IHdvcmRzIGxvbmcuCg==" >> they are not readily visible to me. My eye tends to slide right past >> it without taking anything in. >> >> This is why I tend to use some

Re: A better way to think about passwords

2011-04-18 Thread Mark H. Wood
On Mon, Apr 18, 2011 at 12:11:24PM -0400, Robert J. Hansen wrote: > On 4/18/2011 11:46 AM, Mark H. Wood wrote: > > It's easy to build gadgets which yield passwords that are > > mathematically very strong. The problem is that such passwords tend > > to be psychologically and pragmatically weak: yo

Re: A better way to think about passwords

2011-04-18 Thread Andrew Long
On 18 Apr 2011, at 17:11, Robert J. Hansen wrote: > On 4/18/2011 11:46 AM, Mark H. Wood wrote: >> It's easy to build gadgets which yield passwords that are >> mathematically very strong. The problem is that such passwords tend >> to be psychologically and pragmatically weak: you'll never rememb

Re: A better way to think about passwords

2011-04-18 Thread Andrew Long
On 18 Apr 2011, at 02:31, Doug Barton wrote: > > > On the other other hand, if passwords are so easy to crack, why use them at > all? :) "On the gripping hand'... Sorry, couldn't resist channelling a bit of Niven/Pournelle ;-) Regards, Andy -- Andrew Long andrew dot long at mac dot com

Re: A better way to think about passwords

2011-04-18 Thread Robert J. Hansen
On 4/18/2011 11:46 AM, Mark H. Wood wrote: > It's easy to build gadgets which yield passwords that are > mathematically very strong. The problem is that such passwords tend > to be psychologically and pragmatically weak: you'll never remember > "dishGhebJactotCerUnJodNavhahifbobTyWodvacushdojHash

Re: A better way to think about passwords

2011-04-18 Thread Mark H. Wood
I think the author of the page was on his way to saying something important but got sidetracked. Whether his math works or not is secondary to the bit I think is important. It's easy to build gadgets which yield passwords that are mathematically very strong. The problem is that such passwords te

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 17-04-2011 23:50, Grant Olson escribió: ... > But if you don't, and you use a dictionary word, or a dictionary word > with l33t-sp34k, or two dictionary words, your opponent can develop a > strategy that beats the average case brute force time. A

Re: --s2k-count: correct value in config file needed?

2011-04-18 Thread David Shaw
On Apr 18, 2011, at 7:05 AM, Hauke Laging wrote: > Hello, > > is the value of --s2k-count written to the key somehow? If not, can you use a > key only if the correct value is given in the config file (or command line)? > Does a key become kind of useless if you have forgotten the value which wa

Re: A better way to think about passwords

2011-04-18 Thread Carsten Aulbert
Hi On Monday 18 April 2011 00:58:13 Robert J. Hansen wrote: > > His math doesn't work. I call shenanigans on the entire thing. I'd like to add a F-ACK to that statement, out of curiosity I tried cracking "J4fS<2" with CUDA multiforcer and it took less than 15 minutes on a single GF200 class c

Re: windows front end to GnuPG

2011-04-18 Thread Jerry
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Sun, 17 Apr 2011 22:28:23 -0300 Faramir articulated: > My favorite is GPGShell, but it is not Opensource, and it has some > problems with Windows 7 (tools for the context menu are not shown). I > wish there was something with the same capabiliti

Re: --s2k-count: correct value in config file needed?

2011-04-18 Thread Peter Pentchev
On Mon, Apr 18, 2011 at 01:05:03PM +0200, Hauke Laging wrote: > Hello, > > is the value of --s2k-count written to the key somehow? If not, can you use a > key only if the correct value is given in the config file (or command line)? > Does a key become kind of useless if you have forgotten the va

Re: A better way to think about passwords

2011-04-18 Thread Hauke Laging
Am Montag 18 April 2011 12:53:12 schrieb Faramir: > Maybe we should just pick a "good password", hash it a couple of > times, and use that hash as the real password... we could carry the > hashing tool in a flash drive. That does not make sense to me because you do not increase the key space by

--s2k-count: correct value in config file needed?

2011-04-18 Thread Hauke Laging
Hello, is the value of --s2k-count written to the key somehow? If not, can you use a key only if the correct value is given in the config file (or command line)? Does a key become kind of useless if you have forgotten the value which was used during the last passphrase change? Hauke -- PGP:

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 17-04-2011 20:27, Andre Amorim escribió: > On 17 April 2011 23:58, Robert J. Hansen wrote: >>> Summary: A 3-word password (e.g., "quick brown fox") is secure against >>> cracking attempts for 2,537 years. >> >> I am giving a great big yuk to his

Re: A better way to think about passwords

2011-04-18 Thread Faramir
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 El 17-04-2011 20:39, Grant Olson escribió: ... > I think it's worth noting that the low entropy of english (you quoted > 2.5 bits per char in another thread) isn't just an academic issue. Real > password crackers actually do employ multiple strategi

Re: gpg: encryption failed: public key not found

2011-04-18 Thread 123098
No point in arguing about that. I agree with you about the privileges, but it's not my call to make. I've just been given that machine (external to the company), no power to change anything, and one command: "Make it work". So that's my only concern right now. I've triple-checked everything and I

Re: GPG not retrieving keys when verifying

2011-04-18 Thread Peter Pentchev
On Sun, Apr 17, 2011 at 05:20:37PM +0200, Martin Gollowitzer wrote: > * Todd A. Jacobs [110417 17:14, > mID ]: > > > I'm not sure how I'm supposed to get GPG to automatically retrieve > > keys for signatures when validating a key. I'm currently running: > > > > gpg --keyserver-options aut