Anyone familiar with the details of the "broad consent" feature? Their website requires a login to access this page:
https://support.grayshift.com/hc/en-us/articles/10113901371163-AppLogic-v3-8-0
Apart from a strong locking password, and assuming the software is updated, how else can one ensure that GrapheneOS cannot be cracked by these devices?
graykey countermeasures
Utilizing the auto reboot feature to put your data back to rest.
https://grapheneos.org/features#auto-reboot
From there, you can use a random 6-digit PIN if you want to rely on the secure element to do the throttling.
Alternatively, you can use an 18-character password comprised of lowercase letters and numbers, or a 7-word diceware passphrase, which is strong enough to not have to rely on the secure element, in case it can be exploited and bypassed.
Off-topic, but does anyone have any tips on how to remember a 7-word diceware passphrase? I am getting older and it's hard for me to do reliably. I can remember 7 non-random words that make some sense to me, but it's not secure vs. random words.
Try visualization like the final pane in the famous xkcd comic.
https://xkcd.com/936/
[deleted]
evalda seven nouns in order from your favourite song lyrics
[deleted]
Graphite that is pretty random by my standards. This was just an example. It could be any 7 words in order of your choice from any memorable text. Random enough?
Any medium sized sentence will have higher entropy and be much easier to remember.
Brute force would be trying everything within possibility, so entropy is a factor.
When a password or passphrase is user-chosen (as opposed to random), guessing can be done with just a bit of knowledge about the target. Things like age, gender, language, culture, sports, hobbies, music, movies, location, family, etc. can narrow it down drastically.
Entropy at that point is meaningless.
I believe that randomness is an absolute.
Something can no more be “less random” than one can be “less pregnant”.
A whole world of mathematics awaits you. Pseudorandom is a real word for a real reason.
blicero dictionary attack is still a brute force
No. It's not. They are different concepts in security and password cracking. Entirely different modes for cracking tools.
Randomness and entropy are not just words to be interpreted subjectively. Confusing these terms is how you get weak security, and a false sense of security.
Reposting XKCD: https://imgur.com/RvKyYRD
Are you trying to post the link to XKCD that I've already posted?
You may be misreading the comic explanation. The bits of entropy that it's referring to are entirely dependent on the words being chosen at random. Which is what I've been saying.
Random letters, numbers and symbols are within about a 70-100 character set.
Random words in the English dictionary are equivalent to a character set of thousands.
Which is why four words can have as good as the entropy of an eight character password.
But again, this entropy bit count is based on being randomly chosen from the set of possibilities.
If the user is choosing the words based on favorite song, book, common phrase, whatever... Then the entropy is meaningless. The attacker no longer has to brute force from the entire set of possibilities, rather the attack will be guessing from common phrases and what they know about the target.
Instead of each word being any word from the entire dictionary, it can be derived and deduced from the previous words and a number of factors. Instead of quadrillions of possibilities, now we have thousands.
For example, if the choice is a seven-word passphrase, a completely random diceware passphrase from a large English dictionary of, say, 3000 words will have 3000^7 (2.187E24) possibilities.
But if the user is choosing the words, not at random, based on some personal preferences such as favorite song, movie quote, whatever.... We are talking about millions of possibilities. Far, far weaker and easy for a computer to go through.
We can simplify this further by thinking about PINs. A six-digit PIN has a million possibilities. There's a reason why two-factor codes are randomized and rotated every 30 seconds.
Now imagine if there were no 30-second rotation and the user chose the numbers. They do it based on some important date or phone number. The attacker doesn't have to go through all possibilities but will take advantage of knowing basic information such as area codes, zip codes, birthdays or age of children, etc. Instead of a million possibilities it can be cracked in a few hundred most likely.
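
The keyspace arithmetic from this thread, worked through as an added example that is not part of any poster's message. The guess rate and the 10**6 figure standing in for "millions" of self-chosen phrases are assumptions, the 7776-word row is the standard diceware list size rather than the 3000 used above, and the demo word list is a constructed stand-in.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e6  # assumed offline rate with hardware throttling bypassed


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(wordlist: list[str], words: int = 7) -> str:
    """Pick each word independently and uniformly with the OS CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


# Number of candidates an attacker must cover for each option in the thread.
SCHEMES = {
    "random 6-digit PIN": 10 ** 6,
    "random 18 chars, a-z and 0-9": 36 ** 18,
    "random 7 words, 3000-word list": 3000 ** 7,
    "random 7 words, 7776-word list": 7776 ** 7,
    # A self-chosen phrase is only as strong as the attacker's candidate list,
    # not the dictionary it was drawn from (10**6 is an assumed list size).
    "self-chosen 7-word phrase": 10 ** 6,
}


def report() -> dict[str, tuple[float, float]]:
    """Map each scheme to (bits of entropy, years to exhaust the keyspace)."""
    return {
        name: (math.log2(space), years_to_exhaust(space, GUESSES_PER_SECOND))
        for name, space in SCHEMES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:32s} {bits:6.1f} bits  {years:10.3g} years")
    # Constructed stand-in list (w0000..w2999); use a real word list in practice.
    demo_list = [f"w{i:04d}" for i in range(3000)]
    print(random_passphrase(demo_list))
```

With these assumptions the self-chosen seven-word phrase lands on the same row as the random six-digit PIN, which only holds up when the secure element is doing the throttling.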