[arch-general] How long do you make the passphrase for the private key?

asymptosis asymptosis at posteo.net
Wed Jun 26 00:41:03 UTC 2019

> Doesn't the actual key get derived using pbkdf2 with many iterations making
> brute force of even fairly weak passphrases time consuming?

Arguing that weak passphrases are okay because the hash is strong is making
the assumption that a password cracker will perform a naive iterative
search over the space of all possible passphrases.

In practice, I believe any decent password cracker would start with a
dictionary of the most common words and passphrases, based on databases of
leaked passwords. See [1] for examples of what might be tried first.

If your passphrase is "123456" then you can expect it to be cracked
instantly, regardless of how strong the hash is.

[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

More information about the arch-general mailing list