Protecting your private key - passphrase

Robert J. Hansen rjh at sixdemonbag.org
Mon Dec 14 12:26:42 CET 2020


> People who have difficulties creating a long passphrase and
> remembering those, when using different ones for different use cases.

Then why aren't you using PBKDF2 or Argon2?

If you're writing a key derivation app -- use a key derivation function.

> Had I used PBKDF2 for my little program, people would have a key which
> they need to store somewhere, while my program does not store keys,

What are you talking about?  Here's the signature for PBKDF2 in Golang's 
crypto library:

func Key(password []byte,
          salt []byte,
          iterations int,
          keyLength int,
          hashFunction func() hash.Hash) []byte

If you need to generate the same key again later, just feed in the same 
inputs.  You have nothing to keep track of so long as you remember the 
passphrase.

> With that said, would you say that when one inputs his password into an
> online form it is as secure as if one used my program with an easy-to-
> remember nonsense phrase which gets converted?

I'd advise people to use Firefox's password safe and ability to generate 
pseudorandom keys for each site you visit.  KeePassX is a good 
open-source alternative for people who want to keep passwords on their 
desktop machine instead of encrypted in the cloud.
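An added illustration of the point about PBKDF2 above (example code, not Robert's and not Go's crypto library): a standard-library-only implementation of PBKDF2 per RFC 8018, in the same shape as the signature quoted in the message. The `Params` type, its methods and `HexKey` are assumed names for this example. It shows what an application has to persist to re-derive the same key later: the salt and the work factor, which are not secret. Neither the key nor the passphrase is stored; deriving twice from the same inputs gives the same key. The check uses published PBKDF2-HMAC-SHA-256 test vectors plus constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// PBKDF2 follows RFC 8018 section 5.2, built only on the standard
// library's HMAC. Same inputs always produce the same output.
func PBKDF2(password, salt []byte, iterations, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen

	var dk []byte
	blockIndex := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex, uint32(block))
		prf.Write(blockIndex)
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		// U_i = PRF(password, U_{i-1}); T = U_1 xor U_2 xor ... xor U_c
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// Params is everything an application must persist to re-derive the same
// key later: the public salt and the work factor. The key itself and the
// passphrase are never written anywhere. (Assumed type for this example.)
type Params struct {
	Salt       []byte
	Iterations int
	KeyLen     int
}

// NewParams draws a fresh random salt for a new user or a new secret.
func NewParams(iterations, keyLen int) (Params, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Params{}, err
	}
	return Params{Salt: salt, Iterations: iterations, KeyLen: keyLen}, nil
}

// Derive turns the remembered passphrase back into the same key.
func (p Params) Derive(passphrase string) []byte {
	return PBKDF2([]byte(passphrase), p.Salt, p.Iterations, p.KeyLen, sha256.New)
}

// Verify compares a freshly derived key against a stored one without
// leaking timing information about where the two differ.
func (p Params) Verify(passphrase string, expected []byte) bool {
	return subtle.ConstantTimeCompare(p.Derive(passphrase), expected) == 1
}

// HexKey is a convenience for checking against published test vectors.
func HexKey(password, salt string, iterations, keyLen int) string {
	return hex.EncodeToString(PBKDF2([]byte(password), []byte(salt), iterations, keyLen, sha256.New))
}

func main() {
	// Known answer from the usual PBKDF2-HMAC-SHA-256 vectors.
	fmt.Println(HexKey("password", "salt", 4096, 32))

	// Constructed usage: only p (salt + iterations) would be persisted.
	p, err := NewParams(600000, 32)
	if err != nil {
		panic(err)
	}
	key := p.Derive("correct horse battery staple")
	fmt.Println(hex.EncodeToString(key), p.Verify("correct horse battery staple", key))
}
```

The iteration count in `main` is a constructed value; whatever work factor an application chooses, it stores that number beside the salt so later derivations match. Losing the salt, not the key, is what makes the data unrecoverable.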