Protecting your private key - passphrase

Ingo Klöcker kloecker at kde.org
Sun Dec 13 22:46:43 CET 2020


On Sonntag, 13. Dezember 2020 22:20:04 CET Stefan Claas via Gnupg-users wrote:
> I will release tomorrow, if time permits, the GUI based versions,
> on GitHUb, created with the help of the fyne toolkit.

I'm sorry, but in my opinion this is snake oil.

If you think that you can increase entropy ("randomness") by hashing a 
passphrase a user came up with, then you should really take a basic course on 
information theory.

If the user comes up with an easy-to-guess passphrase and runs it through your 
program, then s:he will get a hashed easy-to-guess passphrase with a little 
bit security-by-obscurity sugar on top. But this doesn't add any real 
security. It only adds complexity (which often means less security; I mean you 
are putting the passphrase on the clipboard from where it can be grabbed by 
any other application) because now one needs to use two programs to decrypt 
something. First your program to calculate the actual passphrase to feed into 
gpg and then gpg to perform the actual decryption.

Why do you think you need "good random input for GnuPG"? GnuPG does have a 
state-of-the-art key derivation function.

If people want to generate a secure random passphrase for gpg, then they 
should use a secure password generator.

Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201213/da125c2e/attachment.sig>


More information about the Gnupg-users mailing list