Trying Like Hell To Defeat The Purpose Of Encrypting Something In The First Place
August 8, 2008 6:04 PM Subscribe
How weak is it smart to allow my GPG key passphrase to get?
When selecting a passphrase for my GPG key, is it important that it be maximally obfuscated (a random string of alphanumerics and special characters that is $MAX_STRING_LEN long)? Would it be acceptable to use a partially-obfuscated string that's at least memorizable? Would it be considered beyond the pale of idiocy to incorporate a word in the dictionary in the keyphrase?
Ideally, I'd like to be able to type the passphrase in from memory, and (for me) that is easiest done if – while incorporating special chars, numbers, and caps variations – is also at least based on an English word or phrase. Is that erect-a-monument-to-it stupid?
When selecting a passphrase for my GPG key, is it important that it be maximally obfuscated (a random string of alphanumerics and special characters that is $MAX_STRING_LEN long)? Would it be acceptable to use a partially-obfuscated string that's at least memorizable? Would it be considered beyond the pale of idiocy to incorporate a word in the dictionary in the keyphrase?
Ideally, I'd like to be able to type the passphrase in from memory, and (for me) that is easiest done if – while incorporating special chars, numbers, and caps variations – is also at least based on an English word or phrase. Is that erect-a-monument-to-it stupid?
how strong is my passphrase?
how do i choose a good passphrase
both from passphrase faqs
posted by not sure this is a good idea at 6:46 PM on August 8, 2008
how do i choose a good passphrase
both from passphrase faqs
posted by not sure this is a good idea at 6:46 PM on August 8, 2008
Your actual passphrase gets hashed, which is a pretty random injection in the larger space.
Think about how easy it would be to guess. #uncommonEnglishWords**n gets big really fast. It's very bad for your passphrase to _be_ a dictionary word or an easy modification thereof, but many people use English phrases, and they're quite functional in this regard as long as they wouldn't go in a dictionary of phrases, aren't short, and hopefully have an uncommon word / proper noun.
Don't use Bible verses, Shakespeare, popular song lyrics, aphorisms, or other obvious junk.
I like to make passphrases semantically valid, which makes them easier to remember and still hard to crack. You know how people use birthdays and those get guessed really fast? Try "I was born on the thirteenth of March Nine-teen Seventy-Four, which makes me a Pisces. A week later and I would be an Aries!" To save typing you can shorten it to first letters, numbers, and punctuation: "IwbottoM9-tS-4,wmmaP.AwlaIwbaA!"
posted by a robot made out of meat at 7:43 PM on August 8, 2008 [1 favorite]
Think about how easy it would be to guess. #uncommonEnglishWords**n gets big really fast. It's very bad for your passphrase to _be_ a dictionary word or an easy modification thereof, but many people use English phrases, and they're quite functional in this regard as long as they wouldn't go in a dictionary of phrases, aren't short, and hopefully have an uncommon word / proper noun.
Don't use Bible verses, Shakespeare, popular song lyrics, aphorisms, or other obvious junk.
I like to make passphrases semantically valid, which makes them easier to remember and still hard to crack. You know how people use birthdays and those get guessed really fast? Try "I was born on the thirteenth of March Nine-teen Seventy-Four, which makes me a Pisces. A week later and I would be an Aries!" To save typing you can shorten it to first letters, numbers, and punctuation: "IwbottoM9-tS-4,wmmaP.AwlaIwbaA!"
posted by a robot made out of meat at 7:43 PM on August 8, 2008 [1 favorite]
While you should make your passphrase contain as much entropy (randomness) as possible, it's probably worth considering what the passphrase is actually being used for.
In some circumstances it's crucially important to use a good one, if it's the only line of defense between your computer (or your data) and the crazed hordes of cyberspace. E.g., if you had a server running SSH on a well-known port with password auth, you'd want it to be really, really good, because people would be hammering at it, day and night, trying to brute-force their way in.
However, the passphrase you're entering for GPG isn't really being used for a purpose like this. It's being used to encrypt your private key, which (due to the way public-key cryptography works), should never be transmitted across the Internet or even leave your machine. It's really a last line of defense against someone who might steal your key.
In one sense, this is a good thing — in normal operation (when someone sends a message to you, encrypted using your public key), the strength of the passphrase you choose has no impact on security. It only comes into play if your key gets compromised, and that's the bad part: if someone gets your key and really wants to break it, they could put it on a fast computer and try many thousands of randomly-guessed passphrases per second. So for your passphrase to matter in the event it does get used, it really has to be good.
All of this is leading up to a bit of a non-answer: it depends on how you're going to be using this keypair. If you're going to practice good key management, where the private key will only ever be stored on a desktop machine running a well-patched, secure OS, attached to a well-managed and closely monitored LAN, and you're going to be using the key often enough to make a long passphrase annoying … you might decide to go with a relatively short one. The odds of the key being compromised are so low that it's just not worth the trouble.
In contrast, if you were going to store the key on a laptop that might get lost or stolen, or if you were using it for really important (potentially worth $$, especially) data, or if there's a chance that people you don't trust will have access to the machine where the key is stored or your network … then I'd go for a really, really good one.
I'm not sure that there's one answer for everyone; it's inevitably a tradeoff between security and the obnoxiousness inherent in typing in a really long, complex passphrase.
posted by Kadin2048 at 8:17 PM on August 8, 2008 [1 favorite]
In some circumstances it's crucially important to use a good one, if it's the only line of defense between your computer (or your data) and the crazed hordes of cyberspace. E.g., if you had a server running SSH on a well-known port with password auth, you'd want it to be really, really good, because people would be hammering at it, day and night, trying to brute-force their way in.
However, the passphrase you're entering for GPG isn't really being used for a purpose like this. It's being used to encrypt your private key, which (due to the way public-key cryptography works), should never be transmitted across the Internet or even leave your machine. It's really a last line of defense against someone who might steal your key.
In one sense, this is a good thing — in normal operation (when someone sends a message to you, encrypted using your public key), the strength of the passphrase you choose has no impact on security. It only comes into play if your key gets compromised, and that's the bad part: if someone gets your key and really wants to break it, they could put it on a fast computer and try many thousands of randomly-guessed passphrases per second. So for your passphrase to matter in the event it does get used, it really has to be good.
All of this is leading up to a bit of a non-answer: it depends on how you're going to be using this keypair. If you're going to practice good key management, where the private key will only ever be stored on a desktop machine running a well-patched, secure OS, attached to a well-managed and closely monitored LAN, and you're going to be using the key often enough to make a long passphrase annoying … you might decide to go with a relatively short one. The odds of the key being compromised are so low that it's just not worth the trouble.
In contrast, if you were going to store the key on a laptop that might get lost or stolen, or if you were using it for really important (potentially worth $$, especially) data, or if there's a chance that people you don't trust will have access to the machine where the key is stored or your network … then I'd go for a really, really good one.
I'm not sure that there's one answer for everyone; it's inevitably a tradeoff between security and the obnoxiousness inherent in typing in a really long, complex passphrase.
posted by Kadin2048 at 8:17 PM on August 8, 2008 [1 favorite]
You can use Diceware to create strong but easy-to-memorize passphrases. A Diceware passphrase is a short sequence of English words selected randomly from a long list.
posted by bpt at 8:59 PM on August 8, 2008
posted by bpt at 8:59 PM on August 8, 2008
I'm not overly-familiar with how GPG passphrases work, but wanted to touch on the memorability part... I was surprised by how easily I remembered some 'difficult' passwords.
I once let an app generate a 'secure' password for me: ig6[de[c. I still remember it years down the road. (No, it's not active anywhere.) Once I used it a couple times, it was pretty simple, especially with the repeated ['s, which were almost like commas in helping me remember.
Or, start with something familiar to you that's not in the dictionary. M3t4f1lt3r? Even "Kadin2048" would probably work alright, though you'd want to permute it further. (And it might be slightly creepy if Kadin2048 ever found out!)
You could probably get away with a pathetically-weak password. But using a weak password with GPG seems kind of silly, like using those 55MPH-limit 'donut' spare tires on a Ferrari because you didn't want to bother with the big ones. The point I'm getting at is that your "use a partially-obfuscated string that's at least memorizable" bit doesn't have to entail an at-all weak password.
"Metafilter" probably wouldn't come up in a brute-force word list, and it's long. So then shift the characters around, interject some numbers, or use "l33t." You can do it in a methodical way so you can 'figure it out' until you memorize it: Start with "MetaFilter," but be British and make it "MetaFiltre." Then change the "F" to a "+", the e's to 3's, and the i to a 1. "M3ta+1ltr3" is a pretty strong password (or, at least, it was until I just posted it), but you can remember it. And after a few times of thinking through how to type it, you'll soon just have it memorized.
Aside: the only thing as dumb as picking an incredibly-weak password ("password" for a password) is forgetting your private-key keyphrase. Back when I had 'important' accounts, but before I knew the password by heart, I kept it tucked in my wallet on a little slip of paper. I figured that if someone was able to steal my wallet, I'd have enough problems anyway. And besides, the average wallet-jacker isn't going to assume it's for my private key.
posted by fogster at 9:38 PM on August 8, 2008
I once let an app generate a 'secure' password for me: ig6[de[c. I still remember it years down the road. (No, it's not active anywhere.) Once I used it a couple times, it was pretty simple, especially with the repeated ['s, which were almost like commas in helping me remember.
Or, start with something familiar to you that's not in the dictionary. M3t4f1lt3r? Even "Kadin2048" would probably work alright, though you'd want to permute it further. (And it might be slightly creepy if Kadin2048 ever found out!)
You could probably get away with a pathetically-weak password. But using a weak password with GPG seems kind of silly, like using those 55MPH-limit 'donut' spare tires on a Ferrari because you didn't want to bother with the big ones. The point I'm getting at is that your "use a partially-obfuscated string that's at least memorizable" bit doesn't have to entail an at-all weak password.
"Metafilter" probably wouldn't come up in a brute-force word list, and it's long. So then shift the characters around, interject some numbers, or use "l33t." You can do it in a methodical way so you can 'figure it out' until you memorize it: Start with "MetaFilter," but be British and make it "MetaFiltre." Then change the "F" to a "+", the e's to 3's, and the i to a 1. "M3ta+1ltr3" is a pretty strong password (or, at least, it was until I just posted it), but you can remember it. And after a few times of thinking through how to type it, you'll soon just have it memorized.
Aside: the only thing as dumb as picking an incredibly-weak password ("password" for a password) is forgetting your private-key keyphrase. Back when I had 'important' accounts, but before I knew the password by heart, I kept it tucked in my wallet on a little slip of paper. I figured that if someone was able to steal my wallet, I'd have enough problems anyway. And besides, the average wallet-jacker isn't going to assume it's for my private key.
posted by fogster at 9:38 PM on August 8, 2008
If a passphrase is generated purely at random, it can actually be quite short and still be very strong. When I need a strong password, I like to generate it with
dd if=/dev/urandom bs=9 count=1 | mimencode
This yields 12-character passwords with 72 bits of entropy. Assuming a brute-force attack would succeed after examining half the search space on average, such a password ought to require 271 trials to crack; at a million trials per second, that comes to about 75 million years, which seems adequate.
I find that simply working out a pronunciation for these things makes them reasonably easy to remember. For the example I just generated
+t9H9bwPXr+f
which I would pronounce "plus tee, big 9H9, black white, big PX, rear and front" and I'm sure I'd have no trouble retaining that after repeatedly declaiming it in Shakespearean tones while driving to work and then keying it in a few dozen times.
The fact that the only special characters generated by MIME encoding are + (which can be "plus" or "and") and / ("slash" or "over") is quite helpful here too.
posted by flabdablet at 9:53 PM on August 8, 2008
dd if=/dev/urandom bs=9 count=1 | mimencode
This yields 12-character passwords with 72 bits of entropy. Assuming a brute-force attack would succeed after examining half the search space on average, such a password ought to require 271 trials to crack; at a million trials per second, that comes to about 75 million years, which seems adequate.
I find that simply working out a pronunciation for these things makes them reasonably easy to remember. For the example I just generated
+t9H9bwPXr+f
which I would pronounce "plus tee, big 9H9, black white, big PX, rear and front" and I'm sure I'd have no trouble retaining that after repeatedly declaiming it in Shakespearean tones while driving to work and then keying it in a few dozen times.
The fact that the only special characters generated by MIME encoding are + (which can be "plus" or "and") and / ("slash" or "over") is quite helpful here too.
posted by flabdablet at 9:53 PM on August 8, 2008
Seconding Diceware as a way to generate some easy-to-remember entropy, and fogster's caution that one of the bigger risks to your PGP key in actual practice is forgetting the passphrase.
posted by hattifattener at 10:20 PM on August 8, 2008
posted by hattifattener at 10:20 PM on August 8, 2008
This thread is closed to new comments.
posted by idiotfactory at 6:23 PM on August 8, 2008