NULL passphrase. Secure?
Adrian 'Dagurashibanipal' von Bidder
Mon May 19 08:50:02 2003
On Monday 19 May 2003 05:22, Daniel Carrera wrote:
> A null passphrase means that all an attacker needs to do is obtain the
> private key from the victim's hard drive. How difficult is that? Is it
> difficult enough that regular users can afford to not worry about it?
As it is now, I'd say on a non-networked, non-telnettable etc. machine, the
chances of anybody getting the private key are quite low.
As soon as a significant number of people start using convenience encryption
like that with some popular mailer, key theft will appear on the script
kiddie radar and some trojan will be modified to collect private keys. I rate
the chance of this happening at almost 100%.
Of course, AOL putting up big signs saying 'AOL will never ask for your
password' doesn't stop some people from sending their passwords to any
passing stranger, so even with password-protected secret keys, there'll be
some attack to reap keys+passphrases, so you can argue that using unprotected
private keys does no greater damage...
"Eat, drink, and be merry, for tomorrow you may work."
Signature policy: http://fortytwo.ch/legal/gpg/email.20020822?version=1.4&md5sum=81630baabe9a0670bb19c1fa8527a7ab