A password, a passphrase, how about a passfile?

Peter Lebbing peter at digitalbrains.com
Wed Aug 29 12:12:00 CEST 2012


On 29/08/12 11:49, antispam06 at sent.at wrote:
> I felt offended by my own email: What is stopping PKI from growing. So I come
> with a question: some security apps like TrueCrypt and KeePass allow the user to
> use a keyfile instead of a password.

Note that you're changing access to the key from what you know (passphrase) into
what you have (a file). That's quite a change that's often not what you want.

In two-factor authentication, you use both. A smartcard with a PIN is an
example. But depending on just "what you have"...

Other than that, the suitability of a file depends on how it is turned into
accessing the key (is it hashed?) and whether an attacker could just, for
instance, try downloading MP3s of songs they know you like and try them as
keys. Or take your private photo collection from a backup you left lingering
around and try all those photos. If the attacker has a collection of files
which does contain the correct file, a computer should have no trouble at all
trying all those files in a very short time.

In short, it seems like a bad idea to me.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
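The point made above, that a keyfile is a "what you have" factor and that hashing it adds no secrecy, can be seen in code. The following is an added illustration, not code from the thread or from GnuPG, TrueCrypt or KeePass; the function names, the fixed salt and the sample keyfile bytes are constructed for the example, and the composite-key construction is a generic one (hash the file, then run it through PBKDF2 together with a passphrase), not the exact algorithm of either product.

```python
import hashlib
import hmac

# Constructed sample inputs for the example (not from the original message).
# The bytes stand in for a photo or MP3 someone might pick as a keyfile.
SAMPLE_KEYFILE = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
SAMPLE_PASSPHRASE = "correct horse battery staple"
# A real system stores a random per-key salt next to the ciphertext;
# it is fixed here only so the example is reproducible.
SAMPLE_SALT = b"example-salt-16b"


def keyfile_only_key(keyfile_bytes: bytes) -> bytes:
    """Key derived from the file alone ("what you have").

    Hashing maps an arbitrary file to a fixed-size key, but it does not add
    any secrecy: whoever holds a copy of the same file derives the same key,
    so the key space is exactly the set of files the attacker can get hold of.
    """
    return hashlib.sha256(keyfile_bytes).digest()


def composite_key(passphrase: str, keyfile_bytes: bytes, salt: bytes,
                  iterations: int = 200_000) -> bytes:
    """Two-factor style key: something you know AND something you have.

    The keyfile digest is mixed with the passphrase and pushed through a slow
    KDF. Possession of the file alone (from a backup, a shared photo, a known
    song) is then not enough; the attacker also needs the passphrase.
    """
    keyfile_digest = hashlib.sha256(keyfile_bytes).digest()
    material = passphrase.encode("utf-8") + keyfile_digest
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """Value safe to store alongside the ciphertext to check a derived key later."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def key_matches(key: bytes, verifier: bytes) -> bool:
    """Constant-time check of a candidate key against the stored verifier."""
    return hmac.compare_digest(make_verifier(key), verifier)


if __name__ == "__main__":
    only_file = keyfile_only_key(SAMPLE_KEYFILE)
    print("keyfile-only key:", only_file.hex())
    print("same file again:", keyfile_only_key(SAMPLE_KEYFILE).hex())

    both = composite_key(SAMPLE_PASSPHRASE, SAMPLE_KEYFILE, SAMPLE_SALT)
    verifier = make_verifier(both)
    print("file + passphrase:", both.hex())
    print("file + wrong passphrase accepted?",
          key_matches(composite_key("wrong", SAMPLE_KEYFILE, SAMPLE_SALT), verifier))
```

Running the script shows that the keyfile-only key is a pure function of the file contents, so its strength is the strength of keeping the file secret, whereas the composite key changes with either factor and a copy of the file by itself fails the verifier check.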
