NULL passphrase. Secure?
Mon May 19 06:39:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Users are confronted with the need for passwords/passphrases
everywhere, whether it is for dialing in to their ISP via PPP,
accessing email, etc. The only time one needs to use a passphrase is
for decrypting and for signing. Asking for a passphrase to decrypt an
email is not asking too much, I think.
On the other hand, I do understand your position, however. I know that
my mother's iMac is quite secure and the odds of someone stealing her
secret key are close to nil. I think I'd have better odds at winning
the Powerball. The worst case should someone steal her secret key would
be that they could read the email I send her, since I'm the only person
that sends her encrypted email.
I think a lot of this depends on each situation (and individual) and
needs to be evaluated on a case-by-case basis. If the odds are higher
that someone would forget their passphrase compared with the odds of
having their secret key stolen, it might be more appropriate to leave
the passphrase empty.
On Sunday, May 18, 2003, at 08:22 PM, Daniel Carrera wrote:
> Hi all,
> While we are on the topic of simplifying GPG for average users, I have a
> question. For the purposes of the average user, who doesn't really have
> much to hide and need not worry about impersonation, how bad would it be
> to have a null passphrase?
> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive. How difficult is that? Is it
> difficult enough that regular users can afford to not worry about it?
> Daniel Carrera | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938
> UMD (301) 405-5137 | http://www.math.umd.edu/~dcarrera/pgp.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)
-----END PGP SIGNATURE-----
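The trade-off discussed in this thread hinges on one bit of state: whether the secret-key material on disk is encrypted under a passphrase or stored in the clear. In the OpenPGP packet format (RFC 4880, section 5.5.3) that is the "S2K usage" octet that follows the public MPIs of every secret-key and secret-subkey packet: zero means no passphrase, anything else means the secret MPIs are encrypted. The following script, an added example rather than code from either poster, walks a binary keyring blob and reports which keys would be readable by anyone who copied the file. The sample keyring embedded at the bottom is constructed from toy values (a 24-bit "modulus", zero salt and IV, placeholder ciphertext) so the script runs offline; it is not a real key, and the helper names (`_old_pkt`, `_new_pkt`, `scan_keyring`, `report`) are this example's own.

```python
"""Report whether the secret keys in an OpenPGP keyring blob are passphrase-
protected, by reading the S2K-usage octet of each secret-key packet
(RFC 4880, section 5.5.3). Added example; not code from the original thread.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Tuple

SECRET_KEY_TAGS = {5: "secret key", 7: "secret subkey"}
RSA_ALGOS = {1, 2, 3}   # RSA variants carry two public MPIs (n, e)
ELGAMAL, DSA = 16, 17   # three public MPIs (p, g, y) / four (p, q, g, y)


def _read_packet(buf: bytes, off: int) -> Tuple[int, bytes, int]:
    """Parse the packet header at buf[off]; return (tag, body, next offset)."""
    ctb = buf[off]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:                          # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, buf[off + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[off + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[off + 2:off + 6])[0], 6
        else:
            raise ValueError("partial-length packets not supported")
    else:                                   # old-format header (RFC 4880 4.2.1)
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate-length packets not supported")
        hdr = 1 + (1 << ltype)              # 1-, 2- or 4-byte length field
        length = int.from_bytes(buf[off + 1:off + hdr], "big")
    body = buf[off + hdr:off + hdr + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, off + hdr + length


def _skip_mpi(body: bytes, pos: int) -> int:
    """Advance past one MPI: a 2-byte bit count followed by ceil(bits/8) bytes."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8


@dataclass
class SecretKeyInfo:
    tag: int
    algo: int
    s2k_usage: int   # 0 = secret MPIs stored in the clear; anything else = encrypted

    @property
    def protected(self) -> bool:
        return self.s2k_usage != 0


def inspect_secret_key(tag: int, body: bytes) -> SecretKeyInfo:
    """Walk a v4 secret-key packet body up to its S2K-usage octet."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, pos = body[5], 6                  # version(1) + creation time(4) precede it
    mpis = {**{a: 2 for a in RSA_ALGOS}, ELGAMAL: 3, DSA: 4}.get(algo)
    if mpis is None:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    for _ in range(mpis):
        pos = _skip_mpi(body, pos)
    return SecretKeyInfo(tag, algo, body[pos])


def scan_keyring(blob: bytes) -> List[SecretKeyInfo]:
    """Return one SecretKeyInfo per secret-key / secret-subkey packet in blob."""
    found, off = [], 0
    while off < len(blob):
        tag, body, off = _read_packet(blob, off)
        if tag in SECRET_KEY_TAGS:
            found.append(inspect_secret_key(tag, body))
    return found


def report(infos: List[SecretKeyInfo]) -> List[str]:
    return [f"{SECRET_KEY_TAGS[i.tag]} (algo {i.algo}): "
            + ("passphrase-protected" if i.protected else "NOT passphrase-protected")
            + f" (S2K usage {i.s2k_usage})" for i in infos]


# --- constructed sample keyring: toy values, not a real key -------------------
def _old_pkt(tag: int, body: bytes) -> bytes:   # old-format header, 2-byte length
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def _new_pkt(tag: int, body: bytes) -> bytes:   # new-format header, 1-byte length
    return bytes([0xC0 | tag, len(body)]) + body

_PUBLIC = (b"\x04" + b"\x3e\xc8\x9a\x10" + b"\x01"   # v4, creation time, RSA
           + b"\x00\x18\xc5\x9a\x3f"                 # MPI n: 24-bit toy modulus
           + b"\x00\x11\x01\x00\x01")                # MPI e: 65537
_CLEAR_SECRET = b"\x00\x08\xb7\x00\x08\xd3\x00\x08\xef\x00\x08\x11" + b"\x02\xb5"  # d,p,q,u + checksum
_S2K_AES256 = (b"\xfe\x09\x03\x08" + bytes(8) + b"\x60" + bytes(16)  # AES-256, iterated+salted SHA-256, IV
               + bytes(range(32)))                                      # placeholder ciphertext
SAMPLE_KEYRING = (_old_pkt(5, _PUBLIC + b"\x00" + _CLEAR_SECRET)   # primary key: no passphrase
                  + _old_pkt(13, b"Mom <mom@example.invalid>")     # user ID packet
                  + _new_pkt(7, _PUBLIC + _S2K_AES256))            # subkey: protected

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    print("\n".join(report(scan_keyring(data))))
```

Run it with no arguments to scan the constructed sample, or pass a file holding binary OpenPGP packets. GnuPG 1.x (the version in the signature above) kept secret keys in this format in `secring.gpg`; current GnuPG releases store them differently under `private-keys-v1.d/`, so on a modern system feed the script the output of `gpg --export-secret-keys` instead. The check is deliberately read-only and stops at the S2K-usage octet: it never needs the passphrase, and it never touches the secret MPIs, which is exactly the property an auditor wants when deciding, per the thread, whether a given machine's keyring is one where an empty passphrase is an acceptable trade.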