2:23 p.m.
Hi,
Some time ago I've done attempts of packages for svgalib on yodl, before
this I didn't really have a need for pgp, so I didn't use gpg. I've done
a few (signed) test releases of packages for svgalib and yodl, but those
got stuck in the QA queue. After this I turned my attention to some
other projects (xmame mainly).
Then some time ago I decided that I wanted to try again to get those
package through the QA queue, and ... oops I forgot my gpg password :|
See I thought, hmm this is going to be an important password letts think
up a new one (mistake!), used it a couple of times then didn't use it
for a few months and now BUMMER!
Seeing how Fedora-Extras is really shaping up now I really would like to
become an active community member (not a good start this) and do some
packaging.
Now I've already submitted my gpg key to: pgp.mit.edu.
I could ofcourse just nuke my current .gpg dir and start from scratch
since not many people have my public key already, but then my old key
would still be registered at pgp.mit.edu .
The faq at pgp.mit.edu also doesn't make me happy (at all) anything I
can do?
I'm already quite embaressed about this as it is, so no that is SO
stupid replies please.
Thanks & Regards,
Hans
2:54 p.m.
tor, 16.12.2004 kl. 21.23 skrev Hans de Goede:
Hi,
Some time ago I've done attempts of packages for svgalib on yodl, before
this I didn't really have a need for pgp, so I didn't use gpg. I've done
a few (signed) test releases of packages for svgalib and yodl, but those
got stuck in the QA queue. After this I turned my attention to some
other projects (xmame mainly).
Then some time ago I decided that I wanted to try again to get those
package through the QA queue, and ... oops I forgot my gpg password :|
See I thought, hmm this is going to be an important password letts think
up a new one (mistake!), used it a couple of times then didn't use it
for a few months and now BUMMER!
sounds familiar
Seeing how Fedora-Extras is really shaping up now I really would like
to
become an active community member (not a good start this) and do some
packaging.
Now I've already submitted my gpg key to: pgp.mit.edu.
I could ofcourse just nuke my current .gpg dir and start from scratch
since not many people have my public key already, but then my old key
would still be registered at pgp.mit.edu .
The faq at pgp.mit.edu also doesn't make me happy (at all) anything I
can do?
I'm already quite embaressed about this as it is, so no that is SO
stupid replies please.
Thanks & Regards,
Hans
I'm in the same pos, only nobody exept RH translation project know about
my key...
3:38 p.m.
Yes,
Got it, it turns out it was closer to one of my other passwords then I
thought, so after trying lotts of exoting combinations I found it.
Please forget I ever mailed about this, I never forgot my password,
thats all in your imgination .... :)
One very happy camper,
Hans
Kyrre Ness Sjobak wrote:
tor, 16.12.2004 kl. 21.23 skrev Hans de Goede:
>Hi,
>
>Some time ago I've done attempts of packages for svgalib on yodl, before
>this I didn't really have a need for pgp, so I didn't use gpg. I've done
>a few (signed) test releases of packages for svgalib and yodl, but those
>got stuck in the QA queue. After this I turned my attention to some
>other projects (xmame mainly).
>
>Then some time ago I decided that I wanted to try again to get those
>package through the QA queue, and ... oops I forgot my gpg password :|
>
>See I thought, hmm this is going to be an important password letts think
>up a new one (mistake!), used it a couple of times then didn't use it
>for a few months and now BUMMER!
>
sounds familiar
>Seeing how Fedora-Extras is really shaping up now I really would like to
> become an active community member (not a good start this) and do some
>packaging.
>
>Now I've already submitted my gpg key to: pgp.mit.edu.
>I could ofcourse just nuke my current .gpg dir and start from scratch
>since not many people have my public key already, but then my old key
>would still be registered at pgp.mit.edu .
>
>The faq at pgp.mit.edu also doesn't make me happy (at all) anything I
>can do?
>
>I'm already quite embaressed about this as it is, so no that is SO
>stupid replies please.
>
>Thanks & Regards,
>
>Hans
I'm in the same pos, only nobody exept RH translation project know about
my key...
4:23 p.m.
Le jeudi 16 décembre 2004 à 21:54 +0100, Kyrre Ness Sjobak a écrit :
tor, 16.12.2004 kl. 21.23 skrev Hans de Goede:
> Hi,
>
> Some time ago I've done attempts of packages for svgalib on yodl, before
> this I didn't really have a need for pgp, so I didn't use gpg. I've done
> a few (signed) test releases of packages for svgalib and yodl, but those
> got stuck in the QA queue. After this I turned my attention to some
> other projects (xmame mainly).
>
> Then some time ago I decided that I wanted to try again to get those
> package through the QA queue, and ... oops I forgot my gpg password :|
>
> See I thought, hmm this is going to be an important password letts think
> up a new one (mistake!), used it a couple of times then didn't use it
> for a few months and now BUMMER!
>
sounds familiar
> Seeing how Fedora-Extras is really shaping up now I really would like to
> become an active community member (not a good start this) and do some
> packaging.
>
> Now I've already submitted my gpg key to: pgp.mit.edu.
> I could ofcourse just nuke my current .gpg dir and start from scratch
> since not many people have my public key already, but then my old key
> would still be registered at pgp.mit.edu .
>
> The faq at pgp.mit.edu also doesn't make me happy (at all) anything I
> can do?
>
> I'm already quite embaressed about this as it is, so no that is SO
> stupid replies please.
>
> Thanks & Regards,
>
> Hans
I'm in the same pos, only nobody exept RH translation project know about
my key...
That's why you should always time-limit your keys. Extending them by
another year every 12 months is a lot easier than trying to rescue a
lost key.
Regards,
--
Nicolas Mailhot
3:19 p.m.
On Thu, 2004-12-16 at 21:23 +0100, Hans de Goede wrote:
[snip]
See I thought, hmm this is going to be an important password letts
think
up a new one (mistake!), used it a couple of times then didn't use it
for a few months and now BUMMER!
[snip]
Now I've already submitted my gpg key to: pgp.mit.edu.
I could ofcourse just nuke my current .gpg dir and start from scratch
since not many people have my public key already, but then my old key
would still be registered at pgp.mit.edu .
[snip]
I'm already quite embaressed about this as it is, so no that is
SO
stupid replies please.
I feel your pain. Once upon a time, I had three PGP 2.6.2 keys, but I
had only submitted one to pgp.mit.edu. I wanted to revoke it, so I
revoked it in my local keychain, and extracted *the WRONG key* and
submitted it to pgp.mit.edu. As luck would have it, it was the one out
of the three keys whose password I had long forgotten due to lack of
use.
*sigh*
Maybe the new dual Opteron box I just ordered can crack the passwords
for both our keys. ;-)
I would *love* to find a way to remove my key from pgp.mit.edu as
well. Any help to Hans would be appreciated over here as well.
--
-Paul Iadonisi
Senior System Administrator
Red Hat Certified Engineer / Local Linux Lobbyist
Ever see a penguin fly? -- Try Linux.
GPL all the way: Sell services, don't lease secrets
11:01 a.m.
On Friday 17 December 2004 08:19, Paul Iadonisi <pri.rhl3(a)iadonisi.to> wrote:
Maybe the new dual Opteron box I just ordered can crack the
passwords
for both our keys. ;-)
I wrote a program to crack keys with a hacked version of gpg (at the point in
the code where it asks for the pass-phrase my code inserted a loop to go
through the passwords). It's ugly but with the recent versions of gpg it
works reasonably well (I discovered a memory leak whereby gpg would lose a
couple of hundred bytes every attempt at a pass-phrase).
The program could try over 600 combinations a second on a 2-3yo Athlon giving
almost 5 digits tested per day if you only use lower-case and digits. This
means that a pass-phrase of 6 characters comprising lower-case and digits
could be reliably cracked in just over a month. 7 characters could be done
in 3 years with an old Athlon or maybe some reasonable amount of time in a
dual-Opteron. 8 or more characters would require a large network of
machines.
Let me know if you want a copy of my code, but be warned, it's really ugly.
Also it might be possible to optimise things and maybe double the speed if
you can figure out GPG memory management (I can't).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
2:25 a.m.
Russell Coker wrote:
On Friday 17 December 2004 08:19, Paul Iadonisi
<pri.rhl3(a)iadonisi.to> wrote:
> Maybe the new dual Opteron box I just ordered can crack the passwords
>for both our keys. ;-)
I wrote a program to crack keys with a hacked version of gpg (at the point in
the code where it asks for the pass-phrase my code inserted a loop to go
through the passwords). It's ugly but with the recent versions of gpg it
works reasonably well (I discovered a memory leak whereby gpg would lose a
couple of hundred bytes every attempt at a pass-phrase).
The program could try over 600 combinations a second on a 2-3yo Athlon giving
almost 5 digits tested per day if you only use lower-case and digits. This
means that a pass-phrase of 6 characters comprising lower-case and digits
could be reliably cracked in just over a month. 7 characters could be done
in 3 years with an old Athlon or maybe some reasonable amount of time in a
dual-Opteron. 8 or more characters would require a large network of
machines.
Let me know if you want a copy of my code, but be warned, it's really ugly.
Also it might be possible to optimise things and maybe double the speed if
you can figure out GPG memory management (I can't).
1) Thanks, but I finally remembered my password
2) This is worry some, so a passphrase really should be 8 chars minimal?
Regards,
Hans
1:58 p.m.
On Tuesday 28 December 2004 19:25, Hans de Goede <j.w.r.degoede(a)hhs.nl> wrote:
> The program could try over 600 combinations a second on a 2-3yo
Athlon
> giving almost 5 digits tested per day if you only use lower-case and
> digits. This means that a pass-phrase of 6 characters comprising
> lower-case and digits could be reliably cracked in just over a month. 7
> characters could be done in 3 years with an old Athlon or maybe some
> reasonable amount of time in a dual-Opteron. 8 or more characters would
> require a large network of machines.
>
> Let me know if you want a copy of my code, but be warned, it's really
> ugly. Also it might be possible to optimise things and maybe double the
> speed if you can figure out GPG memory management (I can't).
1) Thanks, but I finally remembered my password
2) This is worry some, so a passphrase really should be 8 chars minimal?
Given that anyone can crack 6 characters, 7 characters could be cracked easily
by hardware that will be cheap in a few years, and 8 can be easily cracked
with a network of machines I think that you need at least 10 characters for
the pass-phrase to be worth much.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
4:58 p.m.
man, 27.12.2004 kl. 18.01 skrev Russell Coker:
On Friday 17 December 2004 08:19, Paul Iadonisi
<pri.rhl3(a)iadonisi.to> wrote:
> Maybe the new dual Opteron box I just ordered can crack the passwords
> for both our keys. ;-)
I wrote a program to crack keys with a hacked version of gpg (at the point in
the code where it asks for the pass-phrase my code inserted a loop to go
through the passwords). It's ugly but with the recent versions of gpg it
works reasonably well (I discovered a memory leak whereby gpg would lose a
couple of hundred bytes every attempt at a pass-phrase).
What if it tried a dictionary first?
The program could try over 600 combinations a second on a 2-3yo
Athlon giving
almost 5 digits tested per day if you only use lower-case and digits. This
means that a pass-phrase of 6 characters comprising lower-case and digits
could be reliably cracked in just over a month. 7 characters could be done
in 3 years with an old Athlon or maybe some reasonable amount of time in a
dual-Opteron. 8 or more characters would require a large network of
machines.
Let me know if you want a copy of my code, but be warned, it's really ugly.
Also it might be possible to optimise things and maybe double the speed if
you can figure out GPG memory management (I can't).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
12:23 a.m.
On Wednesday 29 December 2004 09:58, Kyrre Ness Sjobak
<kyrre(a)solution-forge.net> wrote:
man, 27.12.2004 kl. 18.01 skrev Russell Coker:
> On Friday 17 December 2004 08:19, Paul Iadonisi <pri.rhl3(a)iadonisi.to>
wrote:
> > Maybe the new dual Opteron box I just ordered can crack
the passwords
> > for both our keys. ;-)
>
> I wrote a program to crack keys with a hacked version of gpg (at the
> point in the code where it asks for the pass-phrase my code inserted a
> loop to go through the passwords). It's ugly but with the recent
> versions of gpg it works reasonably well (I discovered a memory leak
> whereby gpg would lose a couple of hundred bytes every attempt at a
> pass-phrase).
What if it tried a dictionary first?
Using a dictionary might get a faster attack or make cracking a long password
feasible. But surely no-one is using a password that would be so easily
cracked...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
6:57 a.m.
Ideally, passwords should be phrases with transliterations. If you
don't use English, if you include names of places or people or
anything derived from foreign names (here we can use lots of indian
names) and a personal rule for transliteration, you can have passwords
that won't be easily cracked.
On Wed, 29 Dec 2004 17:23:03 +1100, Russell Coker <russell(a)coker.com.au> wrote:
On Wednesday 29 December 2004 09:58, Kyrre Ness Sjobak
<kyrre(a)solution-forge.net> wrote:
> man, 27.12.2004 kl. 18.01 skrev Russell Coker:
> > On Friday 17 December 2004 08:19, Paul Iadonisi <pri.rhl3(a)iadonisi.to>
wrote:
> > > Maybe the new dual Opteron box I just ordered can crack the passwords
> > > for both our keys. ;-)
> >
> > I wrote a program to crack keys with a hacked version of gpg (at the
> > point in the code where it asks for the pass-phrase my code inserted a
> > loop to go through the passwords). It's ugly but with the recent
> > versions of gpg it works reasonably well (I discovered a memory leak
> > whereby gpg would lose a couple of hundred bytes every attempt at a
> > pass-phrase).
>
> What if it tried a dictionary first?
Using a dictionary might get a faster attack or make cracking a long password
feasible. But surely no-one is using a password that would be so easily
cracked...
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
fedora-devel-list mailing list
fedora-devel-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-devel-list
--
The information contained in this message is confidential and
intended to the recipients specified in the headers. If you received
this message by error, notify the sender immediately. The
unauthorized use, disclosure, copy or alteration of this message
are strictly forbidden and subjected to civil and criminal sanctions.
7055
days inactive
7068
days old
10 comments
6 participants
participants (6)
-
casimiro barreto -
Hans de Goede -
Kyrre Ness Sjobak -
Nicolas Mailhot -
Paul Iadonisi -
Russell Coker