[arch-general] How long do you make the passphrase for the private key?
asymptosis
asymptosis at posteo.net
Wed Jun 26 00:41:03 UTC 2019
> Doesn't the actual key get derived using pbkdf2 with many iterations making
> brute force of even fairly weak passphrases time consuming?
Arguing that weak passphrases are okay because the hash is strong is making
the assumption that a password cracker will perform a naive iterative
search over the space of all possible passphrases.
In practice, I believe any decent password cracker would start with a
dictionary of the most common words and passphrases, based on databases of
leaked passwords. See [1] for examples of what might be tried first.
If your passphrase is "123456" then you can expect it to be cracked
instantly, regardless of how strong the hash is.
[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwords