Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
Fwd: The GnuPR FAQ
rjh at sixdemonbag
May 11, 2020, 3:11 PM
Post #1 of 6 (315 views)
Permalink
This arrived in my inbox: I'm presenting it here without comment. My
response will be following in a moment.


-------- Forwarded Message --------
Subject: The GnuPR FAQ
Date: Mon, 11 May 2020 14:19:07 -0600
From: James Long <crogonint@gmail.com>
To: rjh@sixdemonbag.org



Greetings!

I'm just getting started on a write-up with instructions explaining how
to use all of the new options in GnuPG to set it up in the various email
clients and browsers.

I noticed on this page:
https://www.gnupg.org/faq/gnupg-faq.html 
You've advised people to use a HORRIBLE practice of using dictionary
words solely for their password. I tested this theory myself back in the
day, so I can 100% guaranty you of this fact: A brute force dictionary
based attack can crack a password like that in LESS THAN 5 minutes!! I
once stretched that out to 20 minutes by cleverly picking words that I
already knew were at the opposite ends of the dictionary.

This was back in the Pentium II days!! Processors these days could
likely crack a dictionary based password in a matter of seconds. 

I'm sorry, but that particular bit of advise is terrible and needs to be
changed. If you guys accept public assistance, I could go through the
instruction / FAQ pages for you, update them, then submit them to you
for approval.

Since I'm already writing updated instructions anyway. ;) 
 - James T. Long

------------
There are 10 kinds of people in the world - those who understand binary,
and those who don't.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ [ In reply to ]
gnupg-users at gnupg
May 11, 2020, 4:00 PM
Post #2 of 6 (315 views)
Permalink
On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <rjh@sixdemonbag.org> wrote:
>
>This arrived in my inbox: I'm presenting it here without comment.
>My
>response will be following in a moment.
>
>
>-------- Forwarded Message --------
>Subject: The GnuPR FAQ
>Date: Mon, 11 May 2020 14:19:07 -0600
>From: James Long <crogonint@gmail.com>
>To: rjh@sixdemonbag.org
-----
>You've advised people to use a HORRIBLE practice of using
>dictionary words solely for their password. I tested this theory myself back
>in the day, so I can 100% guaranty you of this fact: A brute force
>dictionary based attack can crack a password like that in LESS THAN 5
>minutes!!

=====
How many words were in your passphrase??

Here is some data on the Diceware list:
https://theworld.com/~reinhold/diceware.html

The Diceware list has only 7776 words. A complete dictionary has almost 2 orders of magnitude more.

"Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number."
https://www.merriam-webster.com/help/faq-how-many-english-words

10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5)
( 7776^10 = 8.08x10^38 2^128 = 3.40×10^38 )

20 Diceware words provides a greater Brute Force space, than 2^256
( 7776^20 = 6.53×10^77 2^256 =1.157×10^77 )

Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on).

So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³?, still greater than a a 2^128 Brute Force Space.

So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model.


vedaal



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ [ In reply to ]
gnupg-users at gnupg
May 11, 2020, 5:52 PM
Post #3 of 6 (315 views)
Permalink
vedaal via Gnupg-users wrote:

> On 5/11/2020 at 6:15 PM, "Robert J. Hansen" <rjh@sixdemonbag.org> wrote:
> >
> >This arrived in my inbox: I'm presenting it here without comment.
> >My
> >response will be following in a moment.
> >
> >
> >-------- Forwarded Message --------
> >Subject: The GnuPR FAQ
> >Date: Mon, 11 May 2020 14:19:07 -0600
> >From: James Long <crogonint@gmail.com>
> >To: rjh@sixdemonbag.org
> -----
> >You've advised people to use a HORRIBLE practice of using
> >dictionary words solely for their password. I tested this theory myself back
> >in the day, so I can 100% guaranty you of this fact: A brute force
> >dictionary based attack can crack a password like that in LESS THAN 5
> >minutes!!
>
> =====
> How many words were in your passphrase??
>
> Here is some data on the Diceware list:
> https://theworld.com/~reinhold/diceware.html
>
> The Diceware list has only 7776 words. A complete dictionary has almost 2 orders of magnitude more.
>
> "Webster's Third New International Dictionary, Unabridged, together with its 1993 Addenda Section, includes some 470,000 entries. The Oxford English Dictionary, Second Edition, reports that it includes a similar number."
> https://www.merriam-webster.com/help/faq-how-many-english-words
>
> 10 diceware words provides a greater Brute Force space, than 2^128 (a gnupg session key for older defaults of CAST-5)
> ( 7776^10 = 8.08x10^38 2^128 = 3.40×10^38 )
>
> 20 Diceware words provides a greater Brute Force space, than 2^256
> ( 7776^20 = 6.53×10^77 2^256 =1.157×10^77 )
>
> Even using only English words greater than 5 letters and unrelated to each other, an extremely low-bound estimate, would be 77760 words. (in reality, far greater, but let's use an example people would agree on).
>
> So using 8 words chosen semi-randomly from a dictionary, 77760^8 = 1.336×10³?, still greater than a a 2^128 Brute Force Space.
>
> So, not only is is NOT *horrible* advice, it should be enough for anyone's threat model.

I can only assume that James must have thought that a
*single* dictionary word was what was meant, not a large
number of randomly-chosen dictionary words. I love
diceware passwords. Sometimes you even get lucky and
generate a funny one.

> vedaal
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ [ In reply to ]
gnupg-users at gnupg
May 12, 2020, 2:46 AM
Post #4 of 6 (315 views)
Permalink
On 5/11/20 10:11 PM, Robert J. Hansen - rjh@sixdemonbag.org wrote:
> This arrived in my inbox: I'm presenting it here without comment.

>> You've advised people to use a HORRIBLE practice of using dictionary
>> words solely for their password. I tested this theory myself back in the
>> day, so I can 100% guaranty you of this fact: A brute force dictionary
>> based attack can crack a password like that in LESS THAN 5 minutes!! I
>> once stretched that out to 20 minutes by cleverly picking words that I
>> already knew were at the opposite ends of the dictionary.

In order to discuss the feasibility of brute forcing a set of a few
random dictionary words, we would have to agree on a few numbers:

1) how many words in the passphrase
2) how many words in a dictionary
3) how many dictionaries
4) how many slightly different forms can average word of the
dictionary take due to the declension, conjugation and
noun/adjective gender matching.

This happens to be an English-only language mailing list, but very few
users of this program speak (only) English. It always surprises me how
contributors native-language-centric some Internet discussions on a
technical subject that transgresses language borders are.

Overall, the original suggestion in the FAQ is perfectly valid, and all
I would add is point out the benefit of (3) and (4) above.






_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Fwd: The GnuPR FAQ [ In reply to ]
rjh at sixdemonbag
May 12, 2020, 7:41 AM
Post #5 of 6 (314 views)
Permalink
> Even using only English words greater than 5 letters and unrelated to
> each other, an extremely low-bound estimate, would be 77760 words.
> (in reality, far greater, but let's use an example people would agree
> on).

This is probably not the best metric. The length of the word is
irrelevant: if one of your words is "zoo", that's no easier or harder to
guess than "prolix" or "antediluvian". The words are all equally random.

Much more important than length is memorability. "Coulrophobia" is a
great word but I'd be looking up how to spell it all the time.

You can get by just fine in most everyday English with a vocabulary of
5,000 words. Stick to those words and you'll have an easy-to-remember
passphrase.

Or, you know, learn coulrophobia, enhance your vocabulary, and get down
with your clown-fearing self. It's up to you. :)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Fwd: The GnuPR FAQ [ In reply to ]
gnupg-users at gnupg
May 12, 2020, 6:36 PM
Post #6 of 6 (312 views)
Permalink
Robert J. Hansen rjh at sixdemonbag.org wrote on
Tue May 12 16:41:09 CEST 2020:

>You can get by just fine in most everyday English with a vocabulary of
>5,000 words. Stick to those words and you'll have an easy-to-remember
>passphrase.

=====

That's absolutely correct, Horse! Battery Staple

https://xkcd.com/936/

8^)

vedaal


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal