Confirmation for cached passphrases useful?
expires2010 at ymail.com
Thu Oct 14 23:58:25 CEST 2010
On Thursday 14 October 2010 at 3:18:47 PM, in
<mid:4CB71147.5090805 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:

> This strikes me as the worst suggestion on this thread
> so far. Please, do not store the passphrase to your
> secret key in the clear in a file on your computer, and
> do not suggest that other people do so.

It was a non-serious suggestion of a simple, albeit obviously
insecure, way to overcome the two issues you mentioned in your
previous posting (about re-typing the passphrase each time the secret
key gets used being annoying and potentially insecure). As Dan Cowsill
points out, there are "password managers" available that allow the
user to copy/paste their passphrase in much the same way but store it
in an encrypted database.

> That's even
> worse than writing it on a post-it note and taping it
> to your monitor.

That would depend on your threat model...

MFPA mailto:expires2010 at ymail.com
Another person's secret is like another person's money:
you are not as careful with it as you are with your own