Mailing List Archive

(BTW -- not to be pedantic, but if by "a few" words you mean "three", then you don't have a good passphrase -- six words is kinda minimum with diceware to get a decent amount of entropy)

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

??????? Original Message ???????
On Wednesday, September 16, 2020 5:03 PM, Alan Bram via Gnupg-users <gnupg-users@gnupg.org> wrote:

> I have been using gnupg for a few years now, with no change in the way I invoke it. Recently (I guess my package manager updated to a new version: 2.2.23) it started injecting a warning about "insecure passphrase" and suggesting that I ought to include a digit or special character.
>

> I don't want to do that. I have a strong passphrase that was generated via Diceware. It's simply a few words made of plain letters; but it's long enough, and totally random. Stronger than a short, lame password that someone simply appends a "1" to.
>

> Is there a way to suppress the annoying warning?

Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get
the warning.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Ryan,

Thursday, September 17, 2020, 4:42:24 PM, you wrote:

> -Ryan McGinnis
> http://www.bigstormpicture.com
> PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

BTW your public key is not on keys.openpgp.org

- --
Best regards,
Martin
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE92uV/w2x7WB1p4XLsdyR185C444FAl9jgAcACgkQsdyR185C
445wzwf/QiBWBkH9UW6jzh7vbFbENQG39dBZTpK5TmG0BwRsdq72y4ccGpaCfZM9
02xSMeQ8ajPJ8luBH2cYHK+iBOQLlztl9yYj1crTYE+B0LBLWUMNlaH/OlduKUy7
1trJCpDVRljtFx5p3zqXiB5zP95R567e9UWXDGlpBPqj4BzhBseQGh4zNRdOGULI
4iCo2t1fhy4X5D32yhIEbP3nrTh9O4SpwYdSc0cL3jX+7KfdFqn+FQ0RgE69AFhZ
4yZ4iqA4H75oE6Hlsflg9nrQvL6BV63004FdIxRVYVsMEOMDqvGWwp8xYIibvJnO
wPoKLy2OtHi77e8Out9G5bcngUwhxA==
=8K8V
-----END PGP SIGNATURE-----


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2020-09-16 at 15:03 -0700, Alan Bram via Gnupg-users wrote:
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
1, but I think that you can set it to 0.

Also make sure that you haven't set check-passphrase-pattern to point to
a dictionary -- a common security pattern for 8-12 "random" character
passwords but unlikely to be helpful with a diceware approach.

There are other relevant options in the gpg-agent man-page in the area
around those options, worth reviewing.

-Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Stop. Unsubscribe

Sent from Yahoo Mail on Android

On Thu, Sep 17, 2020 at 10:40 AM, Stefan Claas<sac@300baud.de> wrote: Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I have a simple PIN (14 numerical chars) for my smart card and don't get
the warning.

Regards
Stefan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Wonder if someone saw this email and uploaded it -- it shows up when I search! :)

Best,

-Ryan McGinnis
http://www.bigstormpicture.com
PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD

??????? Original Message ???????
On Thursday, September 17, 2020 10:25 AM, Martin <martin@postzone.org> wrote:

> Hello Ryan,
>

> Thursday, September 17, 2020, 4:42:24 PM, you wrote:
>

> > -Ryan McGinnis
> > http://www.bigstormpicture.com
> > PGP Fingerprint: 5C73 8727 EE58 786A 777C 4F1D B5AA 3FA3 486E D7AD
>

> BTW your public key is not onkeys.openpgp.org
>

> ------------------------------------------------
>

> Best regards,
> Martin

On Wed, 16 Sep 2020 15:03, Alan Bram said:
> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.

Please check your configuration in gpg-agent.conf. Is there a
min-passphrase-nonalpha option set? Note that some external software
may have modified your configuration.


Shalom-Salam,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.

On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock <gnupg-users@spodhuis.org>
wrote:

>
> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
> 1, but I think that you can set it to 0.
>

I tried that, but it doesn't seem to have any effect. Then, as an
experiment, I tried setting it to 2, and observed that including just 1
digit in the passphrase resulted in no warning (again suggesting that the
setting was not having any effect).

But I don't even think I'm using the agent (unless I misunderstand): I'm
simply running a command like the following:

gpg2 --output *outputfilename* --symmetric *inputfilename*


and waiting for the program to prompt me to enter the passphrase each time.
Sorry, I should have made that clear.

(Thank you for your quick responses.)

On Thu, Sep 17, 2020 at 10:52 AM Alan Bram <alan.bram@cornell.edu> wrote:

> On Thu, Sep 17, 2020 at 8:56 AM Phil Pennock <gnupg-users@spodhuis.org>
> wrote:
>
>>
>> Set min-passphrase-nonalpha in ~/.gnupg/gpg-agent.conf -- the default is
>> 1, but I think that you can set it to 0.
>>
>
> I tried that, but it doesn't seem to have any effect.
>

D'oh! Sorry! It is working after all.

I didn't realize that the `gpg2` command was starting the agent
automatically. And I didn't realize that when I first tried changing the
configuration, there was an already-running agent that I had to kill first
in order to get it to reread the config.

It's all working great now. Thank you so much! And sorry for the bad info
previously.

Alan Bram via Gnupg-users wrote:

> I have been using gnupg for a few years now, with no change in the way I
> invoke it. Recently (I guess my package manager updated to a new version:
> 2.2.23) it started injecting a warning about "insecure passphrase" and
> suggesting that I ought to include a digit or special character.
>
> I don't want to do that. I have a strong passphrase that was generated via
> Diceware. It's simply a few words made of plain letters; but it's long
> enough, and totally random. Stronger than a short, lame password that
> someone simply appends a "1" to.
>
> Is there a way to suppress the annoying warning?

I don't know, but you could report it as a bug in the
package. If they are going to introduce such a warning,
the logic should be evidence-based, and I bet it isn't.

I once read a great article (on an Mozilla or OWASP
site) about the fact that the ancient corporate advice
of using a password that is at least eight characters
long, with at least three character classes (i.e. upper
case, lower case, punctuation and digits), was harmful
because humans all think very similarly, and we all
come up with passwords that look the same, like
"Password1". Being forced to change passwords for no
reason every 90 days just means we all use
"Winter2019", "Autumn2019", etc.

So penetration testers have done the stats on cracked
passwords and come up with a list of the top 100
password patterns that mean that you can dramatically
reduce the search space when cracking passwords and
crack about 95% of supposedly strong passwords. The top
pattern covers about 12% of passwords.

Here's a URL on the topic (but not the one I first
read):

https://blog.rapid7.com/2018/06/12/password-tips-from-a-pen-tester-common-patterns-exposed/

So the original advice wasn't evidence-based, and even
FIPS have adandoned it and have started recommending
long passphrases. Diceware passwords are brilliant, and
any system that complains that they are aren't secure
is an embarrassment.

I hate being told by websites that my 50 character
passphrase isn't secure enough, even more so when it
meets all of their stated password requirements (i.e.
they don't mention the fact that they don't accept
space characters as a special character - grr).

cheers,
raf

P.S. Of course you could make a local copy of the binary
and replace the first character of the warning with a
nul byte. That should fix it. :-)


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

On Thu, 17 Sep 2020 11:27, Alan Bram said:

> configuration, there was an already-running agent that I had to kill first
> in order to get it to reread the config.

Just for the reecords:

gpgconf --reload gpg-agent

would have been sufficent but "gpgconf --kill gpg-agent: works of course
also.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.