NULL passphrase. Secure?

Joseph Bruni
Mon May 19 06:39:02 2003


Users are confronted with the need for passwords/passphrases 
everywhere, whether it is for dialing in to their ISP via PPP, 
accessing email, etc. The only time one needs to use a passphrase is 
for decrypting and for signing. Asking for a passphrase to decrypt an 
email is not asking too much, I think.

On the other hand, I do understand your position. I know that 
my mother's iMac is quite secure and the odds of someone stealing her 
secret key are close to nil. I think I'd have better odds at winning 
the Powerball. The worst case should someone steal her secret key would 
be that they could read the email I send her, since I'm the only person 
that sends her encrypted email.

I think a lot of this depends on each situation (and individual) and 
needs to be evaluated on a case-by-case basis. If the odds are higher 
that someone would forget their passphrase compared with the odds of 
having their secret key stolen, it might be more appropriate to leave 
the passphrase empty.

-Joe

On Sunday, May 18, 2003, at 08:22 PM, Daniel Carrera wrote:

> Hi all,
> While we are on the topic of simplifying GPG for average users, I have
> a question.  For the purposes of the average user, who doesn't really
> have much to hide and need not worry about impersonation, how bad would
> it be to have a null passphrase?
> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive.  How difficult is that?  Is
> it difficult enough that regular users can afford to not worry about it?
> Thanks.
> -- 
> Daniel Carrera         | OpenPGP fingerprint:
> Graduate TA, Math Dept | 9B32 660B 0557 7D7D 5892 0036 D591 4D05 2938 1B7E
> UMD  (301) 405-5137    |
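What a null passphrase changes on disk is visible in a single octet of the OpenPGP secret key packet: the S2K-usage field that follows the public key material is 0 when the secret MPIs are stored in the clear, and 254 or 255 when they are encrypted under a key derived from the passphrase. The script below, added here and not part of the thread or of GnuPG, reads that octet from each Secret-Key and Secret-Subkey packet of an exported key (the binary output of `gpg --export-secret-keys`, not ASCII-armored). The sample packets it ships with are constructed with toy MPIs purely for the demonstration, and all function names and the file name in the usage note are this example's own.

```python
"""Report whether each secret key/subkey packet in an exported OpenPGP key
(binary RFC 4880 packet stream) is passphrase-protected.  Example code, not GnuPG."""
import struct
import sys

# Public-key algorithm id (RFC 4880 9.1) -> number of MPIs in the public part.
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA variants, Elgamal, DSA

def _read_packet_header(data, pos):
    """Return (tag, body_start, body_length) for the packet at data[pos]."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("byte %d is not an OpenPGP packet header" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packets are not handled")

def _skip_mpi(body, pos):
    """An MPI is a 2-octet bit count followed by ceil(bits/8) octets."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    return pos + 2 + (bits + 7) // 8

def _skip_public_fields(body, pos, algo):
    """Advance past the algorithm-specific public-key fields."""
    if algo in PUBLIC_MPI_COUNT:
        for _ in range(PUBLIC_MPI_COUNT[algo]):
            pos = _skip_mpi(body, pos)
        return pos
    if algo in (18, 19, 22):          # ECDH, ECDSA, EdDSA (RFC 6637 layout)
        pos += 1 + body[pos]          # curve OID: length octet + OID
        pos = _skip_mpi(body, pos)    # public point, encoded as an MPI
        if algo == 18:
            pos += 1 + body[pos]      # ECDH KDF parameters: length octet + fields
        return pos
    raise ValueError("unsupported public-key algorithm %d" % algo)

def s2k_usage(body):
    """S2K-usage octet of a Secret-Key (tag 5) or Secret-Subkey (tag 7) body."""
    if body[0] != 4:
        raise ValueError("only version-4 key packets are handled")
    pos = _skip_public_fields(body, 6, body[5])      # 1 version + 4 time + 1 algo
    return body[pos]

def describe(usage):
    if usage == 0:
        return "UNPROTECTED: null passphrase, secret MPIs stored in the clear"
    if usage in (254, 255):
        return "protected: secret MPIs encrypted under an S2K-derived key (usage %d)" % usage
    return "protected: legacy encryption, symmetric algorithm id %d" % usage

def scan(data):
    """Return [(tag, s2k_usage), ...] for every secret key/subkey packet in data."""
    found, pos = [], 0
    while pos < len(data):
        tag, start, length = _read_packet_header(data, pos)
        if tag in (5, 7):
            found.append((tag, s2k_usage(data[start:start + length])))
        pos = start + length
    return found

# Constructed sample packets with toy MPIs; not a real key.
def _mpi(value):
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def _secret_packet(usage, tag=5):
    body = b"\x04" + struct.pack(">I", 1053326342) + b"\x01"   # v4, creation time, RSA
    body += _mpi(0xC0FFEE) + _mpi(65537)                        # toy n, e
    body += bytes([usage])
    if usage == 254:   # AES-256; iterated+salted S2K with SHA-256, salt, count; IV; ciphertext
        body += bytes([9, 3, 8]) + b"\x00" * 8 + b"\x60" + b"\x00" * 16 + b"\x11" * 40
    else:              # d, p, q, u in the clear, then the 2-octet checksum
        body += _mpi(0xD) + _mpi(0xE) + _mpi(0xF) + _mpi(0x10) + b"\x00\x00"
    return bytes([0xC0 | tag, len(body)]) + body                # new-format header

SAMPLE_UNPROTECTED = _secret_packet(0)
SAMPLE_PROTECTED = _secret_packet(254)
# Primary key + User ID packet (tag 13) + protected subkey, shaped like an export.
SAMPLE_KEYRING = SAMPLE_UNPROTECTED + bytes([0xC0 | 13, 5]) + b"alice" + _secret_packet(254, tag=7)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYRING
    for tag, usage in scan(data):
        print("packet tag %d: %s" % (tag, describe(usage)))
```

Run it as `python check_s2k.py secret.gpg` (hypothetical file name) against the output of `gpg --export-secret-keys`; with no argument it scans the constructed sample. A usage octet of 0 means exactly what the thread describes: whoever copies the file has the key, no cracking needed. Note that GnuPG 2.1 and later keep private keys in `private-keys-v1.d` in its own S-expression format rather than as OpenPGP packets, so the check applies to exported keys, not to the files in the GnuPG home directory.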