Lost passphrase

Robert J. Hansen rjh at sixdemonbag.org
Wed Apr 18 06:59:01 CEST 2007


> I have read what everybody has said on the subject and one
> thing needs to be said again.  THE DEFAULT EXPIRE FOR A NEW
> KEY NEEDS TO BE FOR TWO YEARS FROM DATE OF KEY CREATION!

That's making some really big assumptions about the security policy
of the person making the key.

There are also a lot of perfectly good alternatives which should
perhaps be excluded first.

Also, a two-year expiration date will do very little to help people
who forget their passphrases within a few weeks of creating keys.
Once you remember the passphrase for a few weeks, it'll be in your
head forever.

> For that matter, I think the pressure to shove their keys
> on to key-servers immediately just needs to be dropped.

A key which cannot be found is a liability, not an asset.  The
keyservers exist to be used.

> Increasing computing power alone has made such things as
> DES almost laughable now.  Keys shouldn't be made with the
> idea that they can last forever.

There are two responses to this, both of which are factually accurate:

1.  We are unlikely to ever be able to brute-force a 256-bit
keyspace.  Ever.  Not until computers are made of something other
than matter, occupy something other than space, run on something
other than energy, according to rules other than physics.

2.  This is a reason to advocate forethought when generating keys,
not a reason to advocate just one method of solving the problem.
