Description
This article is from the PGP FAQ, by Jeff Licquia jalicqui@prairienet.org with numerous contributions by
others.
3.11. How do I choose a pass phrase? (PGP)
All of the security that is available in PGP can be made absolutely
useless if you don't choose a good pass phrase to encrypt your secret
key ring. Too many people use their birthday, their telephone number,
the name of a loved one, or some easy to guess common word. While
there are a number of suggestions for generating good pass phrases,
the ultimate in security is obtained when the characters of the pass
phrase are chosen completely at random. It may be a little harder to
remember, but the added security is worth it. As an absolute minimum
pass phrase, I would suggest a random combination of at least 8
letters and digits, with 12 being a better choice. With a 12 character
pass phrase made up of the lower case letters a-z plus the digits 0-9,
you have about 62 bits of key, which is 6 bits better than the 56 bit
DES keys. If you wish, you can mix upper and lower case letters in
your pass phrase to cut down the number of characters that are
required to achieve the same level of security. I don't do this myself
because I hate having to manipulate the shift key while entering a
pass phrase.
A pass phrase which is composed of ordinary words without punctuation
or special characters is susceptible to a dictionary attack.
Transposing characters or mis-spelling words makes your pass phrase
less vulnerable, but a professional dictionary attack will cater for
this sort of thing.
A good treatise on the subject is available which discusses the use of
"shocking nonsense" in pass phrases. It is written by Grady Ward, and
can be found on Fran Litterio's crypto page:
http://draco.centerline.com:8080/~franl/pgp/pgp-passphrase-faq.html
Continue to:
Share and Enjoy
Bookmark this story so others can enjoy it:
Tags
security, PGP, Pretty Good Privacy, encryption, NSA, RSA, crack, glossary, signature, signing, verifying, keys, passphrase, hash, cryptography
