[pkg-gnupg-maint] Bug#987645: gpg-agent: default --min-passphrase-nonalpha value should be 0
Vincent Lefevre
vincent at vinc17.net
Mon Apr 26 23:04:17 BST 2021
Package: gpg-agent
Version: 2.2.27-2
Severity: minor
Tags: upstream
When I type a passphrase with only letters and spaces, I get

  A passphrase should contain at least 1 digit or special character.

probably because the default --min-passphrase-nonalpha value is 1.
On a long passphrase, this doesn't add any security (in particular,
adding one random letter provides more possibilities than a random
digit) and this is against NIST rules:
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring
mixtures of different character types or prohibiting consecutively
repeated characters) for memorized secrets."
-- System Information:
Debian Release: 11.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-security'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gpg-agent depends on:
ii gpgconf 2.2.27-2
ii init-system-helpers 1.60
ii libassuan0 2.5.4-1
ii libc6 2.31-11
ii libgcrypt20 1.8.7-3
ii libgpg-error0 1.38-2
ii libnpth0 1.6-3
ii pinentry-curses [pinentry] 1.1.0-4
ii pinentry-gtk2 [pinentry] 1.1.0-4
Versions of packages gpg-agent recommends:
ii gnupg 2.2.27-2
Versions of packages gpg-agent suggests:
ii dbus-user-session 1.12.20-2
ii libpam-systemd 247.3-5
pn pinentry-gnome3 <none>
pn scdaemon <none>
-- no debconf information
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
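
The counting argument in the report above, worked through as an added example (not part of the original message and not GnuPG code). The character classes are assumptions for illustration: 53 "alpha" characters (a-z, A-Z, space, which the report says do not satisfy the rule) and 42 "non-alpha" characters (digits plus ASCII punctuation).

```python
from fractions import Fraction
from math import comb, log2

# Assumed character classes (constructed for this example, not read from gpg-agent):
ALPHA = 26 + 26 + 1   # letters and space: do not satisfy the rule per the report
NONALPHA = 10 + 32    # digits and printable ASCII punctuation: satisfy the rule


def total_space(length, alpha=ALPHA, nonalpha=NONALPHA):
    """Number of passphrases of exactly `length` characters with no composition rule."""
    return (alpha + nonalpha) ** length


def allowed_space(length, min_nonalpha, alpha=ALPHA, nonalpha=NONALPHA):
    """Passphrases of `length` characters with at least `min_nonalpha` non-alpha chars."""
    # Subtract every passphrase with k < min_nonalpha non-alpha characters.
    rejected = sum(
        comb(length, k) * nonalpha**k * alpha ** (length - k)
        for k in range(min(min_nonalpha, length + 1))
    )
    return total_space(length, alpha, nonalpha) - rejected


def bits_lost(length, min_nonalpha):
    """Entropy in bits that the rule removes from a uniformly random passphrase."""
    kept = Fraction(allowed_space(length, min_nonalpha), total_space(length))
    if kept == 0:
        raise ValueError("rule rejects every passphrase of this length")
    return -log2(float(kept))


def appended_char_gain(pool_size):
    """Bits gained by appending one uniformly random character from a pool."""
    return log2(pool_size)


if __name__ == "__main__":
    for n in (8, 12, 20):
        print(f"length {n:2d}: rule with min-nonalpha=1 removes "
              f"{bits_lost(n, 1):.6f} bits; min-nonalpha=0 removes "
              f"{bits_lost(n, 0):.6f}")
    print(f"append random lowercase letter: +{appended_char_gain(26):.2f} bits")
    print(f"append random digit:            +{appended_char_gain(10):.2f} bits")
```

A composition rule can only shrink the set of accepted passphrases, while one extra random letter adds more to the search space than the digit the rule asks for.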