Re: [Feature Request] multiple files sélection in addition to password and "no file" agent

Tue Jun 9 20:08:06 CEST 2026

> More due to IA hype, computing power will increase (and if not pure 
> computing power of a single system, there will be several system to make 
> parallel work)

Argon2 and PBKDF2 are both designed to be highly resistant to brute 
forcing. Brute force attacks on Argon2/PBKDF2 passphrases are really not 
a thing.

> I use veracrypt for long now, as well as keepassXC. What I love is the 
> ability to use a file in addition to the password, this solve the issue 
> of strengh really fine, just have to remember a file or 2 or more 
> (sadely only one file for keepassXC) and it compute a password based on 
> the file content (didn't looked the code, but doing a sha256 hash will 
> produce a 64 [A-Z][a-z][0-9] password, that is purely random, so no dict 
> attack, and surely strength that won't allow even brute force parallel 
> attack)

This sounds like a misfeature for GnuPG. I would like to see this not 
adopted.

> this require lite knowledge to remember and every file can be used, just 
> peak your favorite familly photo, vacation photo, song, a video... 
> anything as long you won't modify it.... easy....

ID3 tags in MP3s and/or Exif tags in JPEGs are specifically intended to 
be modifiable, and some applications will silently update ID3 tags 
and/or Exif tags without explicitly telling you. (E.g., if an MP3 has 
ID3 v1 tags, your music player might silently upgrade them to ID3 v2 tags.)

> this would not even allow to know if the password provided was truly 
> guessed : the result is still random bytes, so you can't know you truly 
> guessed the password, so even a weak password could become strong (I'm 
> right?)

This is not how entropy and information theory work.

> what I would love, is the veracrypt threat security mechanism : 2 
> private keys in the same key file, if I provide one password/file I get 
> the 1rst key, if I provide another I get the second key. This could 
> allow to disclose "I'm under threat" information without anyone knowing 
> it

If you get arrested by the secret police, they *will* know about 
Veracrypt and the second passphrase option. They will demand both and 
won't stop torturing you until you provide them.

What's worse is if you're not using this feature. The secret police are 
now torturing you for a passphrase that doesn't exist and you can't give 
them. This also means *you can't make the torture stop*.

This is a horrible misfeature of Veracrypt. It's going to get one of 
their users killed someday, if it hasn't already.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20260609/7eb7822a/attachment.sig>