any way to use gpg(openpgp) with Argon2

Vincent Breitmoser look at my.amazin.horse
Thu Jun 21 02:01:23 CEST 2018


> I doubt that it will make it into rfc4880bis.  I also see no reason for
> it.  Passphrases must die.
> 
> I fact OpenPGP is mostly about public key encryption and thus we don't
> use passphrases for its main tasks.  Passphrases can be used to protect
> a private key but that is questionable because if you box is already
> compromised the passphrase does not help much.

YES. Thank you! I'm so glad to hear that.

Myself and others have been evangelizing this position for a while, and my
experience has been that when I ask people about their stance on passphrases,
the kneejerk virtue signalling answer is "why of *course* I only use super
strong passphrases! they are the weakest part of the system, after all". This is
so ingrained that people actually feel bad about even the thought of a weak
passphrase, let alone none at all.

And it's not surprising, given that this advice is virtually ubiquitous in the
numerous blog posts on how to set up gpg. The gpg man page also does its part,
right at the top:

"Use a *good* password for your user account and a *good* passphrase to protect
your secret key. This passphrase is the weakest part of the whole system."

I would very very much appreciate a blog post from you on this matter. It's
a nuanced matter, but just giving a general impulse here would help a lot.

 - V




More information about the Gnupg-devel mailing list