KeePass or any other password wallet to store and transport keys

antispam06 at sent.at
Wed Jul 25 14:29:32 CEST 2012



On Wed, Jul 25, 2012, at 03:23, Faramir wrote:
> El 22-07-2012 19:39, antispam06 at sent.at escribió:
> > On Sun, Jul 22, 2012, at 16:25, Doug Barton wrote:
> ...
> >> Your private key is encrypted, right? Use a strong password for
> >> that and you're in fine shape.
> > 
> > Yes, security through obscurity. A possible attacker won't know for
> > sure which key is the useful one without opening the keychain. Or
> > can he know?
> 
>   I don't know why you say security through obscurity. Private keys
> can be stored encrypted, so even if somebody steals them, the thief
> can't use them. That is security through encryption.

I keep the key on the same physical drive as the encrypted document.
That's security through obscurity assuming the other one won't know
where to search for the key, which is not stored with the right
extension or in the most common place.

>   A hacker will know what key he needs to open a file, because the
> encrypted file says it, unless the sender selects hide recipient's key
> or something like that. By default, the file says the ID of the key
> required to decrypt it. But that is a different thing, and has nothing
> to do with storing the keyring inside a Keepass database.

So he or she will have to locate the right key. Reasonable would be to
keep the key away, at least on some removable media.

> > While we're at this one: the reason I am using KeePass is because I
> > have a hard time remembering one strong password. Having about 50
> > of them, a different one for each account, it's a true pain. But a
> > passphrase is something completely different. It's harder to type.
> > It employs far fewer characters. Yet it can be looong. How about
> > that? Is that any better? 45 ASCII lowercase with an uppercase ASCII
> > and a couple of signs is better than 16 random alphanumerics and
> > signs?
> 
>   I bet it is, as long as that 45-character passphrase is not
> something that could be found in dictionaries, or by combining dictionary
> words. But probably it is overkill. Anyway, Keepass has a built-in
> password strength estimator, measured in bits. I don't know what
> the criteria to measure the strength are, but I know it is not only based
> on the characters used, it also includes the order used (once I was
> testing it, and swapped 2 characters, and the strength increased). If
> your password's strength is 128 bits or more, it won't be feasible to
> bruteforce it (probably the infeasible level is reached with fewer bits
> too, but I don't know where the limit is). Of course, if it is
> vulnerable to dictionary attacks, then you are toasted.

If only dictionary attacks were the problem, then any longish
verse from a popular band could do it. Just add a comma in some weird
place and you have broken even the lyrics hacker.
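The thread compares "45 lowercase with an uppercase and a couple of signs" against "16 random alphanumerics and signs", and asks whether a song lyric with an odd comma would resist a dictionary attack. The following is an added example, not code from the thread or from KeePass; it models the entropy of each passphrase style under stated assumptions (alphabet sizes, a Diceware-sized word list, an assumed corpus of 10 million lyric lines and an assumed offline guess rate are all constructed figures), which is what any strength-in-bits estimator is ultimately doing.

```python
"""Entropy of the passphrase styles debated in the thread.

Character count alone says nothing about strength; what matters is the
size of the space the passphrase was actually chosen from. Every figure
below is a model assumption, not a measurement of a real password.
"""
import math

# Constructed model parameters (assumptions, not measured values).
ALNUM_AND_SIGNS = 62 + 32          # a-z, A-Z, 0-9 plus 32 printable ASCII signs
LOWERCASE = 26
DICEWARE_VOCAB = 7776              # size of a standard Diceware word list
POPULAR_LYRIC_LINES = 10_000_000   # assumed size of an enumerable lyric corpus


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def word_list_bits(words: int, vocab_size: int) -> float:
    """Entropy of a passphrase made of words drawn uniformly from a list."""
    return words * math.log2(vocab_size)


def quoted_line_with_comma_bits(candidate_lines: int, length: int) -> float:
    """A verse picked from a known corpus plus one comma at a random position.

    The verse contributes log2(corpus size); the comma adds only
    log2(length + 1) because there are that many places to put it.
    """
    return math.log2(candidate_lines) + math.log2(length + 1)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against the key's passphrase
    models = [
        ("16 random alphanumerics+signs", random_string_bits(16, ALNUM_AND_SIGNS)),
        ("45 random lowercase letters", random_string_bits(45, LOWERCASE)),
        ("8 Diceware words (~45 chars)", word_list_bits(8, DICEWARE_VOCAB)),
        ("popular lyric + odd comma", quoted_line_with_comma_bits(POPULAR_LYRIC_LINES, 45)),
    ]
    for label, bits in models:
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
```

The lyric line lands under 30 bits regardless of its length, while 16 truly random characters and 8 random list words both sit just above 100 bits: the comma trick only helps if the verse itself was not guessable.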



More information about the Gnupg-users mailing list