Protecting your private key - passphrase

Stefan Claas spam.trap.mailing.lists at gmail.com
Mon Dec 14 09:37:51 CET 2020


On Mon, Dec 14, 2020 at 5:35 AM Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>
> > I guess you have not read my initial posting ... otherwise you would
> > think different and would not say so ...
>
> Stefan, I read your original posting and I completely concur with Ingo.
>
> > The program is not only for GnuPG usage
>
> Please explain to me who might benefit from this.

People who have difficulties to create a long passphrase and
remembering those, when using differrent ones for different use cases.
>
> Seriously.  If people want CSPRNG output, this is not CSPRNG output.
> If people want a key derivation function, this is a *really bad* key
> derivation function: you should've used PBKDF2 or Argon2.

I recently posted here, in the Governikus thread, that I used PBKDF2
along with NIST guidelines to create a secure key for a GnuPG key of
mine, for UID purposes ...

Had I used PBKDF2 for my litle program people would have a key which
they need to store somewhere, while my program does not store keys,
instead one types in his no sense making passphrase, which then gets
converted.

> What's your use case?  Who might benefit?

We all have probably read that servers often gets hacked or otherwise
compromised and crackers and law enforcement are using software like
hashcat or John the Ripper etc. to crack peoples passwords. Lists of
used passwords are available on the net. Lists of MD5 and SHA1 hashes
etc. as well. We are also aware of brute-force or dictionary attacks
etc.

One would think that nowadays passwords with all online services are
properly salted and hashed, in order to protect peoples passphrases,
but why are then password crackers, used by crackers and law
enforcemnet are often successful? We could probably agree that then a
weak password was used and no salt, so that the stored hashes in
databases from online services makes it easier to crack passwords. Or
do we have NIST/BSI certified consumer online services, when it comes
to security ...

With that said would you say that when one inputs his password into an
online form that it is equally secure than if one would use my program
and use an easy to remember nonsense phrase which gets convert?

Regards
Stefan



More information about the Gnupg-users mailing list