Mailing List Archive

On 6/18/20 9:33 AM, Stefan Claas wrote:
> ... you should try this out in your terminal and look at the beginning
> of the output:
>
> $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc
> -base64
>
> :-)
>
> P.S. A friend of mine came up with a shell script to do this.
>
> Regards
> Stefan
>

Is getting those first 5 characters into the output of this string
really that amazing? Or am i missing something significant about what
the rest of the seemingly random characters represent?

spoiler, my output was:

GnuPGCfA8srqYMiMWAFrWTvP0n0pbfSGRdUIA7kv/1U=

somewhat confused,
~c



--
Charlie Derr Director, Instructional Technology 413-528-7344
https://www.simons-rock.edu Bard College at Simon's Rock
Encryption key: http://hope.simons-rock.edu/~cderr/
Personal writing: https://medium.com/@cderr
pronouns: either he/him or they/them is acceptable
Home landline: 860-435-1427

charlie derr wrote:

> Is getting those first 5 characters into the output of this string
> really that amazing? Or am i missing something significant about what
> the rest of the seemingly random characters represent?

Well, it is just for fun and maybe people find it cool. At least it is
a brute-force method to find words in such hashed and base64 encoded
strings.

I have a Golang version of the program and can let it run for a while
and with 'grep' I can look for words and save the strings in a file.

Not so fast as those GPU BTC-vanity generators, but fun and interesting
IMHO.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-06-18 at 16:54 +0200, Stefan Claas wrote:
> charlie derr wrote:
>
> > Is getting those first 5 characters into the output of this string
> > really that amazing? Or am i missing something significant about what
> > the rest of the seemingly random characters represent?
>
> Well, it is just for fun and maybe people find it cool. At least it is
> a brute-force method to find words in such hashed and base64 encoded
> strings.


Each base64 character encodes 6 bits. So on average you can expect to
get those 5 characters there once in 2^(5*6) inputs, thus requiring
about 2²? operations.

Note you can do the same with gpg keys, getting such vanity keyids.

Best regards


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Ángel wrote:

> On 2020-06-18 at 16:54 +0200, Stefan Claas wrote:
> > charlie derr wrote:
> >
> > > Is getting those first 5 characters into the output of this string
> > > really that amazing? Or am i missing something significant about what
> > > the rest of the seemingly random characters represent?
> >
> > Well, it is just for fun and maybe people find it cool. At least it is
> > a brute-force method to find words in such hashed and base64 encoded
> > strings.
>
>
> Each base64 character encodes 6 bits. So on average you can expect to
> get those 5 characters there once in 2^(5*6) inputs, thus requiring
> about 2²? operations.
>
> Note you can do the same with gpg keys, getting such vanity keyids.

I used a Vanity Generator this year, on Palindrome Day, and my fingerprint
for my current key is:

02022020D638E78F4DFE737C419F025C897DB2E6 :-)
^^^^^^^^

Certified by Governikus at the *same* day. :-)

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> ... you should try this out in your terminal and look at the beginning
> of the output:
>
> $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc
> -base64

I thought about this technique a bit for easy to remember passwords, which
can be converted to strong passwords.

Let's say you travel a lot and do not want to risk that your secret key
gets compromised due to border control etc.

One simply uses the program passphrase2pgp, from GitHub[1] and when creating
the key and the passphrase is needed, one simply issues:

echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
and then one gets a string with an entropy of over 200, which is more than
secure. This would one IMHO allow to have a strong passphrase but generated
with an easy to remember password.

Here's a little Go program, wich does this without the above commands,
so that it can be used on Windows without OpenSSL:

package main

import (
"crypto/sha256"
"bufio"
"os"
"fmt"
"encoding/base64"

"ekyu.moe/base91"
)

func main(){
scanner := bufio.NewScanner(os.Stdin)
scanner.Scan() // use `for scanner.Scan()` to keep reading
src := scanner.Text()
hash := sha256.Sum256([]byte(src))
fmt.Println(base91.EncodeToString([]byte(hash[:])))
fmt.Println(base64.StdEncoding.EncodeToString(hash[:]))
}

One simply starts the program and then types the easy to
remember password and presses enter and the program returns
a base91 and base64 string to choose from.

And with passhprase2pgp one needs always to remember the
Unix Expoch Time, for key creation, so that always the
same secret key will be generated.

[1] https://github.com/skeeto/passphrase2pgp

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> Stefan Claas wrote:

[...]

> Here's a little Go program, wich does this without the above commands,
> so that it can be used on Windows without OpenSSL:
>
> package main
>
> import (
> "crypto/sha256"
> "bufio"
> "os"
> "fmt"
> "encoding/base64"
>
> "ekyu.moe/base91"
> )
>
> func main(){
> scanner := bufio.NewScanner(os.Stdin)
> scanner.Scan() // use `for scanner.Scan()` to keep reading
> src := scanner.Text()
> hash := sha256.Sum256([]byte(src))
> fmt.Println(base91.EncodeToString([]byte(hash[:])))
> fmt.Println(base64.StdEncoding.EncodeToString(hash[:]))
> }

Forgot to mention, issue a 'go get -u ekyu.moe/base91' prior compiling.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Regenerating your secret key like this is perhaps dangerous and easy to do wrong, for example you will probably leak it in your shell's history. If an attacker finds out this is your scheme, they can then start to brute force your secret key without need any access to your data, which happened with Brainflayer[1].

Since your secret key is stored symmetrically-encrypted with a passphrase, it's not game over if it gets leaked (e.g. border control). It is a concern that you could have leaked without knowing, and your passphrase could _eventually_ being cracked; better would be to put it on a smart-card like an Yubikey, which will only give Mallory a couple chances to guess before the tape self-destructs.

[1] https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

On 2020-07-07T22:42:07+0200 Stefan Claas <sac@300baud.de> wrote 1.9K bytes:

> Stefan Claas wrote:
>
> > ... you should try this out in your terminal and look at the beginning
> > of the output:
> >
> > $ echo 1fccaf3d | xxd -r -p | openssl dgst -sha256 -binary | openssl enc
> > -base64
>
> I thought about this technique a bit for easy to remember passwords, which
> can be converted to strong passwords.
>
> Let's say you travel a lot and do not want to risk that your secret key
> gets compromised due to border control etc.
>
> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> the key and the passphrase is needed, one simply issues:
>
> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> and then one gets a string with an entropy of over 200, which is more than
> secure. This would one IMHO allow to have a strong passphrase but generated
> with an easy to remember password.
>
> Here's a little Go program, wich does this without the above commands,
> so that it can be used on Windows without OpenSSL:
>
> package main
>
> import (
> "crypto/sha256"
> "bufio"
> "os"
> "fmt"
> "encoding/base64"
>
> "ekyu.moe/base91"
> )
>
> func main(){
> scanner := bufio.NewScanner(os.Stdin)
> scanner.Scan() // use `for scanner.Scan()` to keep reading
> src := scanner.Text()
> hash := sha256.Sum256([]byte(src))
> fmt.Println(base91.EncodeToString([]byte(hash[:])))
> fmt.Println(base64.StdEncoding.EncodeToString(hash[:]))
> }
>
> One simply starts the program and then types the easy to
> remember password and presses enter and the program returns
> a base91 and base64 string to choose from.
>
> And with passhprase2pgp one needs always to remember the
> Unix Expoch Time, for key creation, so that always the
> same secret key will be generated.
>
> [1] https://github.com/skeeto/passphrase2pgp
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

Philihp Busby wrote:

> Regenerating your secret key like this is perhaps dangerous and easy to do wrong, for example you will probably leak it in
> your shell's history. If an attacker finds out this is your scheme, they can then start to brute force your secret key
> without need any access to your data, which happened with Brainflayer[1].
>
> Since your secret key is stored symmetrically-encrypted with a passphrase, it's not game over if it gets leaked (e.g. border
> control). It is a concern that you could have leaked without knowing, and your passphrase could _eventually_ being cracked;
> better would be to put it on a smart-card like an Yubikey, which will only give Mallory a couple chances to guess before the
> tape self-destructs.
>
> [1] https://www.wired.com/2015/07/brainflayer-password-cracker-steals-bitcoins-brain/

Thanks for the valuable input!

While the echo and OpenSSL commands leave it in your history, the Go program does not display it in history.

Also, when using a Windows Computer, without gpg4win installed, this could maybe useful too, because nobody would
see that you have GnuPG installed and one installs it only after arrival.

Or one use this technique with other symmetric encryption software, or for login credentials and telling family
and friends only the easy to use password prior departure, which then can also be changed daily with a scheme
like password = 'Holidays Day 1', next day 'Holidays Day 2' etc.

Well, just a thought ... because I thought about the entropy for a strong password, while it can be memorized
easily.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stefan Claas wrote:

> Well, just a thought ... because I thought about the entropy for a strong password, while it can be memorized
> easily.

P.S. I would also say there is a difference between the article you linked to and my approach.

With the brainflayer approach one enters his/her easy to remember password into the Bitcoin software and then it
gets converted to a secret key, which then can be brute forced easily, like the article states.

With my humble approach one would input the strong password, derived from the easy to remember one.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On Dienstag, 7. Juli 2020 22:42:07 CEST Stefan Claas wrote:
> Let's say you travel a lot and do not want to risk that your secret key
> gets compromised due to border control etc.
>
> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> the key and the passphrase is needed, one simply issues:
>
> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> and then one gets a string with an entropy of over 200, which is more than
> secure. This would one IMHO allow to have a strong passphrase but generated
> with an easy to remember password.

I'm sorry, but you cannot increase the entropy of "simple password" by hashing
it. What you propose is "security by obscurity". And that was never a good
idea.

Regards,
Ingo

Ingo Kl?cker wrote:

> On Dienstag, 7. Juli 2020 22:42:07 CEST Stefan Claas wrote:
> > Let's say you travel a lot and do not want to risk that your secret key
> > gets compromised due to border control etc.
> >
> > One simply uses the program passphrase2pgp, from GitHub[1] and when creating
> > the key and the passphrase is needed, one simply issues:
> >
> > echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
> > and then one gets a string with an entropy of over 200, which is more than
> > secure. This would one IMHO allow to have a strong passphrase but generated
> > with an easy to remember password.
>
> I'm sorry, but you cannot increase the entropy of "simple password" by hashing
> it. What you propose is "security by obscurity". And that was never a good
> idea.

Well, if I use a simple password like: 'Holidays Day 1' and run it through:

http://rumkin.com/tools/password/passchk.php for example

it gives an entropy of 62.6 bits.

If I use now this simple password and run it through my program the result is:

e|}]2$8$lI#:#h%|$}ody&qD6h#$RT;$L4^qm??D (sha256+base91)

and

C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)

which gives an entropy of 192.3 and 234.2.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Entropy checkers only provide an *estimate* of randomness, at best an upper bound. Once you know that someone has used a particular key expansion algorithm, the entropy estimate can go down dramatically. This is because randomness is a measure of ignorance, and new information changes the calculation (cf the Monty Hall problem).

Andrew Gallagher

> On 8 Jul 2020, at 11:53, Stefan Claas <sac@300baud.de> wrote:
>
> ?Ingo Klöcker wrote:
>
>>> On Dienstag, 7. Juli 2020 22:42:07 CEST Stefan Claas wrote:
>>> Let's say you travel a lot and do not want to risk that your secret key
>>> gets compromised due to border control etc.
>>>
>>> One simply uses the program passphrase2pgp, from GitHub[1] and when creating
>>> the key and the passphrase is needed, one simply issues:
>>>
>>> echo -n 'simple password' | openssl dgst -sha256 -binary | base91 or base64
>>> and then one gets a string with an entropy of over 200, which is more than
>>> secure. This would one IMHO allow to have a strong passphrase but generated
>>> with an easy to remember password.
>>
>> I'm sorry, but you cannot increase the entropy of "simple password" by hashing
>> it. What you propose is "security by obscurity". And that was never a good
>> idea.
>
> Well, if I use a simple password like: 'Holidays Day 1' and run it through:
>
> http://rumkin.com/tools/password/passchk.php for example
>
> it gives an entropy of 62.6 bits.
>
> If I use now this simple password and run it through my program the result is:
>
> e|}]2$8$lI#:#h%|$}ody&qD6h#$RT;$L4^qm??D (sha256+base91)
>
> and
>
> C9+v21t+2y8atf5y+Yj/TqHenVC//q20WbjzM+jtcLA= (sha256+base64)
>
> which gives an entropy of 192.3 and 234.2.
>
> Regards
> Stefan
>
> --
> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Andrew Gallagher wrote:

> Entropy checkers only provide an *estimate* of randomness, at best an upper bound. Once you know that someone has used a
> particular key expansion algorithm, the entropy estimate can go down dramatically. This is because randomness is a measure of
> ignorance, and new information changes the calculation (cf the Monty Hall problem).

Thanks for the info, much appreciated!

I must admit that I have not looked how GnuPG saves passwords, or better pass phrases. I would assume
that GnuPG does also additional salting and/or stretching.

The questions for me would be how those password cracking databases store passwords, when doing brute force.

Do they store the information, like I do with my humble approach? I have read years ago that for example
the NSA is capable of searching for seven billion passwords per second.

Additionally I could use my humble approach and tell people the following:

(Let's assume I would use 'Holidays Day 1, 2, 3 etc.') I could tell them also L or R 3 (delete 3 chars
at left or right from the strong string, and add 'house' and 'mouse' to the left and/or right.

This would then IMHO not match the database strings anymore, in case they look like my approach.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Six years ago Snowden said to assume the NSA can try roughly 1 Trillion passwords per second. I imagine it's significantly more by now.



-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

??????? Original Message ???????
On Wednesday, July 8, 2020 6:33 AM, Stefan Claas <sac@300baud.de> wrote:

> Andrew Gallagher wrote:

> Do they store the information, like I do with my humble approach? I have read years ago that for example
> the NSA is capable of searching for seven billion passwords per second.

Ryan McGinnis via Gnupg-users wrote:

> Six years ago Snowden said to assume the NSA can try roughly 1 Trillion passwords per second. I imagine it's significantly
> more by now.

Holy cow! That raises then probably one more question, i.e. the required minimum length for a strong password nowadays.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Well i think that's one more reason why you need a smart card or token
like GnuPG-Card or Nitrokey (or a Yubikey for my sake).

Regards
Juergen

Am 08.07.20 um 18:36 schrieb Stefan Claas:
> Ryan McGinnis via Gnupg-users wrote:
>
>> Six years ago Snowden said to assume the NSA can try roughly 1 Trillion passwords per second. I imagine it's significantly
>> more by now.
>
> Holy cow! That raises then probably one more question, i.e. the required minimum length for a strong password nowadays.
>
> Regards
> Stefan
>

--
Juergen M. Bruckner
juergen@bruckner.email

Went to a security seminar where I asked a random FBI agent after a presentation about passwords; he said just to get into their personal terminals it was something like 17 characters minimum and that the passwords were randomly generated letters and numbers and symbols and that they were changed fairly often. If you're trying to protect something from offline brute forcing and the password is the weak point, you're probably best off coming up with a really long randomly generated diceware phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.

I always figure that if you upset a nation-state enough that they're willing to throw their supercomputers at you to get at your goodies, they'll likely just tie you up and brute force your body until they get what they need.

-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

??????? Original Message ???????
On Wednesday, July 8, 2020 11:36 AM, Stefan Claas <sac@300baud.de> wrote:

> Ryan McGinnis via Gnupg-users wrote:
>

> > Six years ago Snowden said to assume the NSA can try roughly 1 Trillion passwords per second. I imagine it's significantly
> > more by now.
>

> Holy cow! That raises then probably one more question, i.e. the required minimum length for a strong password nowadays.
>

> Regards
> Stefan
>

> ------------------------------------------------------------------------------------------------------------------------------------------
>

> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

Juergen Bruckner via Gnupg-users wrote:

> Well i think that's one more reason why you need a smart card or token
> like GnuPG-Card or Nitrokey (or a Yubikey for my sake).

Hi Juergen,

well the thing is I no longer use GnuPG and instead sequoia pgp, which
currently has no smard-card support IIRC.

And regarding smard cards, what do people do when they are traveling
and the smard card gets by accident broken or lost?

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 8 Jul 2020, at 20:17, Stefan Claas <sac@300baud.de> wrote:
>
> And regarding smard cards, what do people do when they are traveling
> and the smard card gets by accident broken or lost?

Multiple smart cards. If you quit rather than save after transferring your subkeys to smart card, they remain on disk and you can transfer them again. I recommend keeping a backup of your encryption key at least, on a safe offline medium such as a Tails persistent volume.

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Ryan McGinnis via Gnupg-users wrote:

> Went to a security seminar where I asked a random FBI agent after a presentation about passwords; he said just to get into
> their personal terminals it was something like 17 characters minimum and that the passwords were randomly generated letters
> and numbers and symbols and that they were changed fairly often. If you're trying to protect something from offline brute
> forcing and the password is the weak point, you're probably best off coming up with a really long randomly generated diceware
> phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.

Thanks for the info! Regarding diceware, I looked into it long ago, but must admit I am not good at remembering many word
sequences, for many strong passwords, even if diceware words are easy once.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello Stefan,

despite my cooperation with the p?p foundation, the lack of support for
smart cards and tokens is THE knockout criterion why I do not use
sequoia pgp.

It's a good question what to do if you lose your SC or token.
Basically, it has to be said that you should definitely have a backup of
your key. And you have to be very careful with your SC or tokens.
In principle it is almost the same as losing your credit card or
passport etc. while traveling; you have to provide alternatives (e.g.
multiple smartcards).

regards
Juergen

Am 08.07.20 um 21:17 schrieb Stefan Claas:
> Juergen Bruckner via Gnupg-users wrote:
>
>> Well i think that's one more reason why you need a smart card or token
>> like GnuPG-Card or Nitrokey (or a Yubikey for my sake).
>
> Hi Juergen,
>
> well the thing is I no longer use GnuPG and instead sequoia pgp, which
> currently has no smard-card support IIRC.
>
> And regarding smard cards, what do people do when they are traveling
> and the smard card gets by accident broken or lost?
>
> Regards
> Stefan
>

--
Juergen M. Bruckner
juergen@bruckner.email

The thing is, if you can't remember a string of random words, are you likely to remember a string 20 random letters, numbers, and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a computer to guess. Diceware is the attempt to make something easy as possible to remember while still being truly high-entropy. If you're really paranoid you don't use the javascript program to generator your random phrases, you buy an EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.


Probably the best PGP key passphrase would be to have some sort of high security locally stored password manager like KeepassXC, encrypt that password database with a good long diceware passphrase that you train yourself to remember, and then have that program generate some random 30 or 40 character gibberish passwords to copypasta into PGP when it asks. While you're at it, use that to create different random passwords for every site and service you use.


-Ryan McGinnis
http://www.bigstormpicture.com
Sent via ProtonMail

??????? Original Message ???????
On Wednesday, July 8, 2020 2:40 PM, Stefan Claas <sac@300baud.de> wrote:

> Ryan McGinnis via Gnupg-users wrote:
>

> > Went to a security seminar where I asked a random FBI agent after a presentation about passwords; he said just to get into
> > their personal terminals it was something like 17 characters minimum and that the passwords were randomly generated letters
> > and numbers and symbols and that they were changed fairly often. If you're trying to protect something from offline brute
> > forcing and the password is the weak point, you're probably best off coming up with a really long randomly generated diceware
> > phrase (7 words ought to be safe) https://www.rempe.us/diceware/#eff.
>

> Thanks for the info! Regarding diceware, I looked into it long ago, but must admit I am not good at remembering many word
> sequences, for many strong passwords, even if diceware words are easy once.
>

> Regards
> Stefan
>

> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>

> my 'hidden' service gopherhole:
> gopher://iria2xobffovwr6h.onion

On 7/8/2020 at 3:49 PM, "Juergen Bruckner via Gnupg-users" <gnupg-users@gnupg.org> wrote:

>Basically, it has to be said that you should definitely have a
>backup of your key. And you have to be very careful with your SC or tokens.
>In principle it is almost the same as losing your credit card or
>passport etc. while traveling; you have to provide alternatives
>(e.g.
>multiple smartcards).

=====

There is an alternative travel approach that works for me:

[1] No real keyring on my laptop, (just a dummy one to be able to use GnuPG 2.x on the laptop)

[2] Bootable 1 tb usb,(same size as ordinary usb drive), which has bootable ubuntu OS on it,
with the keyrings in a Veracrypt container after Ubuntu loads.
(Ubuntu allows for the entire bootable drive to be encrypted, doesn't need yubi, or other programs.
It can make the usb drive bootable using ubuntu OS installation options).

Laptop can be used for everything not requiring a secret key.

In event that a secret key needs to be used, (decrypt, sign, authenticate, etc), the laptop can be booted from the usb drive.

Also, have a backup of the keyring in a Veracrypt container that easily fits on an microSD card on any android phone with microSD slots.


vedaal


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Ryan McGinnis via Gnupg-users wrote:

> The thing is, if you can't remember a string of random words, are you likely to remember a string 20 random letters, numbers,
> and characters? Generally, if your non-randomly-generated password is easy for you to remember, it's also easy for a
> computer to guess. Diceware is the attempt to make something easy as possible to remember while still being truly
> high-entropy. If you're really paranoid you don't use the javascript program to generator your random phrases, you buy an
> EFF book and roll some casino dice. The entropy comes from the dice and so is verifiable.

How do I do that when traveling, because I can't memorize the diceware pass phrase and then roll dices and tell via a
non-secure channel my now generated pass phrase, or do I make a mistake now in thinking?

> Probably the best PGP key passphrase would be to have some sort of high security locally stored password manager like
> KeepassXC, encrypt that password database with a good long diceware passphrase that you train yourself to remember, and then
> have that program generate some random 30 or 40 character gibberish passwords to copypasta into PGP when it asks. While
> you're at it, use that to create different random passwords for every site and service you use.

Well, for home usage, I have an offline computer, when using PGP, but I wanted to show/know a good way, for traveling.

Regards
Stefan


--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users