Re: [Feature Request] multiple files selection in addition to password and "no file" agent
Robert J. Hansen
rjh at sixdemonbag.org
Wed Jun 10 23:57:50 CEST 2026
> I'm not speaking of the algorithms that are secure, but even the best
> ciphering algorithm is weak if you have a 1 digit password...

Yes. So don't use one.

> the key here is the limit of the human brain... remembering a pure random 12
> char is too much for most people, me included

Yes. So use one you can remember, along with an appropriate key
derivation function like Argon2, PBKDF2, or the one OpenPGP used prior
to the advent of Argon2 and PBKDF2.

> it's up to me to ensure it won't... I've no such application that updates
> exif/id3tag and also check for file corruption (or some intruder
> injection) via cron job... never detected any.

I'm glad you haven't had this experience. As soon as you do and discover
your encrypted documents are now unreadable, you might change your mind.

> if I cipher a file with a strong password created with information
> hashed from a file (that will likely create unique data, since even a
> CRC32 has a 1 in 4.29 billion chance to create the same crc... and crc32
> is not comparable to sha256 and others) that can include even not
> type-able characters
>
> and then cipher the result with a weak password
>
> if an attacker tries to bruteforce it, of course the weak password will be
> easily broken, but what the attacker gets is a ciphered result. The
> attacker can't know if the password was guessed because the result is
> still a ciphered result.

You've invented a primitive key derivation function.

Why is this better than Argon2 or PBKDF2, which are modern, peer-reviewed,
and successfully deployed key derivation functions?

> if you get arrested by the secret police, they will assume you have hidden
> some sensitive information somewhere else in another ciphered file.

Let's say, for sake of argument, you're a human rights worker in Gaza
who uses VeraCrypt to secure your laptop's hard drive. You get caught up
in an IDF dragnet. You fully cooperate with the IDF, showing them all
your data. There's nothing on it, nothing, to suggest you're a
terrorist. But the IDF still isn't going to let you go, because *how can
they know you're cooperating?*

You can't prove to them that you're being honest. And that means instead
of being allowed to go free, you're going to spend time in detention
until some intelligence spook is able to make an assessment of your risk
level if released. It could be months.

(No one should try to hijack this into an Israel-vs-Gaza discussion. I'm
sure many of us have strong feelings on the subject, but please express
them somewhere else.)
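
The following is an added example, not part of the original message and not GnuPG code: it derives a key from a memorable passphrase with PBKDF2, one of the key derivation functions named above, and shows the failure mode raised in the thread, where a key file that some tool later modifies no longer yields the same key. The function names, the iteration count, the HMAC step that mixes in the file digest and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as far as your hardware tolerates


def derive_key(passphrase, salt, keyfile=None, iterations=ITERATIONS):
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256.

    The salt is random and stored next to the ciphertext. If keyfile bytes are
    given, the passphrase is keyed with their SHA-256 digest first (an
    illustrative way to combine the two secrets, not a standard).
    """
    secret = passphrase.encode("utf-8")
    if keyfile is not None:
        file_digest = hashlib.sha256(keyfile).digest()
        secret = hmac.new(file_digest, secret, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def keys_match(passphrase, salt, keyfile_then, keyfile_now, iterations=ITERATIONS):
    """True if the key derived today equals the one derived at encryption time."""
    then = derive_key(passphrase, salt, keyfile_then, iterations)
    now = derive_key(passphrase, salt, keyfile_now, iterations)
    return hmac.compare_digest(then, now)


if __name__ == "__main__":
    salt = os.urandom(16)
    passphrase = "correct horse battery staple"  # constructed sample
    # Constructed stand-in for a photo used as a key file.
    photo = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + b"constructed image bytes"
    retagged = photo.replace(b"constructed", b"Constructed")  # one-byte metadata edit

    print("passphrase only, same salt:", keys_match(passphrase, salt, None, None))
    print("untouched key file:        ", keys_match(passphrase, salt, photo, photo))
    print("key file edited by a tool: ", keys_match(passphrase, salt, photo, retagged))
```

The last line prints False: a single changed byte in the key file produces an unrelated key, so anything encrypted under the old key cannot be decrypted.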
More information about the Gnupg-devel mailing list