How are salting and limits properties of passwords (but not passphrases)?
Sorry, what I meant is something more like ‘encryption phrases’ and ‘challenge words’. Either context could in principle refer to a word or a phrase, actually. However, when you are encrypting secret data that needs to stay that way for the long term, such as your private PGP key, it is more important to pick something that can’t conceivably be brute forced, hence the usage of the term ‘passphrase’ usually applies to that. If someone steals your hard drive or something, your private key will only stay private for as long as the passphrase you picked is hard to guess, and they could use that to decrypt any incoming messages that used your public key.
When you are simply specifying how to gain access to an online service, it is a bit less crucial to prevent the possibility of brute forcing (so a shorter ‘password’ is sort of okay), but it is crucial for the site owner to use things like salt and collision-resistant hash functions to prevent preimage attacks, in the event that the password-hash list is stolen. (Plaintext passwords should never be stored, but unsalted hashes are also bad.)
If someone was using a randomly generated phrase of 4+ words or so for their ‘password’, salt would be more or less unnecessary due to the extremely high probability that it is unique to begin with. This makes for one less thing you have to trust the site owner for (but then, you do still have to trust that they aren’t storing plaintext, that the hash they use is collision-resistant, etc).
I’m not sure if it is possible to use salt with something like PGP. I imagine the random private key is itself sufficient to make the encrypted key as a whole unique. Even if the passphrase itself were not unique, it would not be obvious that it isn’t until after it is cracked. The important thing to make it uncrackable is that it be long and equiprobable with lots of other possibilities (which incidentally tends to make it unique). Since the problem isn’t uniqueness to begin with, but rather the importance of it never being cracked even with lots of time and brute force, salt doesn’t do a lot of good.
Bitcoin private keys are bound to the number of bits of entropy stored in the public address, which I believe is 122 or so. Since the presence of coins at a public address is public information, brute force attacks should be expected to track the cost of computing power / the value of coins stored. It seems to be pretty good security for the near term, but Douglas_Knight predicts that quantum computers will break bitcoin. (Presumably later versions will be more robust against quantum computers, or something other than bitcoin will take dominance.)
In any case, while I have been calling the phrase used for a bitcoin brainwallet a ‘passphrase’, and it is more in that category than not (being important to protect from brute force, not having a salt, and not being part of a login sequence), note that it is unlike a PGP passphrase in that it represents the seed for the key in its entirety rather than something used to encrypt the key.
Disclaimer: I’m not an expert in crypto.
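The reply above argues that salt matters when a stolen hash list contains many low-entropy passwords, and matters less when each secret is already long and random. Here is an added example (not part of the thread, written for this page using only Python's standard library) that makes both points concrete: it builds a constructed two-user credential store where both users chose the same password, shows that an unsalted hash reveals that coincidence to whoever steals the list, that a per-user random salt with PBKDF2 hides it, and it computes the entropy of a randomly chosen multi-word phrase. The user names, the password and the 7776-word list size (the diceware convention) are assumptions made for the example.

```python
import hashlib
import hmac
import math
import secrets

# Constructed sample store: two users who happen to have picked the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# Work factor for PBKDF2; a real deployment would tune this upward over time.
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password. Identical passwords give identical digests,
    so a thief sees which users share a password and can use precomputed tables."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt.
    The stored record is 'salt_hex$digest_hex' so the salt travels with the hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str, iterations: int = ITERATIONS) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def store_unsalted(users: dict) -> dict:
    """What a site that skips salting would keep on disk."""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """What a site that salts properly would keep on disk: 16 random bytes per user."""
    return {user: hash_salted(pw, secrets.token_bytes(16)) for user, pw in users.items()}


def shared_hash_count(store: dict) -> int:
    """Number of users whose stored value is identical to some other user's value.
    This is exactly the information an unsalted list leaks to whoever steals it."""
    seen = {}
    for value in store.values():
        seen[value] = seen.get(value, 0) + 1
    return sum(count for count in seen.values() if count > 1)


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a phrase built from word_count uniformly random picks.
    Four words from a 7776-word list give about 51.7 bits, which is why such a
    phrase is very unlikely to collide with another user's even without salt."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("unsalted store leaks", shared_hash_count(plain), "shared entries")
    print("salted store leaks", shared_hash_count(salted), "shared entries")
    print("alice logs in:", verify_salted("correct horse", salted["alice"]))
    print("4-word phrase entropy:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
```

The salted store still has to be paired with a slow hash (PBKDF2 here) to resist an attacker who simply guesses common passwords per user; the salt removes the cross-user and precomputation shortcuts, as the reply says, while the entropy calculation shows why a long random phrase makes uniqueness a non-issue to begin with.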