Protecting your private key - passphrase
Ingo Klöcker
kloecker at kde.org
Sun Dec 13 22:46:43 CET 2020
On Sunday, 13 December 2020 22:20:04 CET Stefan Claas via Gnupg-users wrote:
> I will release tomorrow, if time permits, the GUI based versions,
> on GitHUb, created with the help of the fyne toolkit.
I'm sorry, but in my opinion this is snake oil.
If you think that you can increase entropy ("randomness") by hashing a
passphrase a user came up with, then you should really take a basic course on
information theory.
If the user comes up with an easy-to-guess passphrase and runs it through your
program, then s/he will get a hashed easy-to-guess passphrase with a little
bit of security-by-obscurity sugar on top. But this doesn't add any real
security. It only adds complexity (which often means less security; I mean you
are putting the passphrase on the clipboard from where it can be grabbed by
any other application) because now one needs to use two programs to decrypt
something. First your program to calculate the actual passphrase to feed into
gpg and then gpg to perform the actual decryption.
Why do you think you need "good random input for GnuPG"? GnuPG does have a
state-of-the-art key derivation function.
If people want to generate a secure random passphrase for gpg, then they
should use a secure password generator.
Regards,
Ingo
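To make the entropy argument above concrete, here is an added example (not code from this post, from GnuPG, or from the tool being discussed). It assumes a constructed five-entry dictionary and uses a SHA-256 pre-hash as a stand-in for the criticised transform: an attacker who knows the transform needs exactly as many guesses against the hashed passphrase as against the original, while a CSPRNG-generated passphrase is what actually raises the bar.

```python
import hashlib
import math
import secrets

# Constructed toy wordlist standing in for a real cracking dictionary.
WEAK_CANDIDATES = ["password", "letmein", "hunter2", "qwerty", "dragon"]


def pre_hash(passphrase: str) -> str:
    """Stand-in for the criticised transform: hash the user's passphrase
    and hand the hex digest to gpg as the 'real' passphrase."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def guesses_until_hit(target: str, transform=lambda p: p,
                      candidates=WEAK_CANDIDATES) -> int:
    """Number of dictionary candidates an attacker tries before matching
    `target`, applying the same public transform the user applied.
    Returns -1 if the target lies outside the dictionary."""
    for i, cand in enumerate(candidates, start=1):
        if transform(cand) == target:
            return i
    return -1


def search_space_bits(candidate_count: int) -> float:
    """Entropy the attacker actually faces: log2 of the candidate count,
    no matter how long the transformed string looks."""
    return math.log2(candidate_count)


def random_passphrase(wordlist, n_words: int) -> str:
    """What the post recommends instead: words drawn with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def random_passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of a uniformly random n-word passphrase over the wordlist."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    user_choice = "hunter2"
    print(guesses_until_hit(user_choice))                       # 3
    print(guesses_until_hit(pre_hash(user_choice), pre_hash))   # still 3
    digest_bits = len(pre_hash(user_choice)) * 4                # 256
    print(digest_bits, "digest bits, but only",
          round(search_space_bits(len(WEAK_CANDIDATES)), 2), "bits of entropy")
    print(round(random_passphrase_bits(7776, 6), 1))            # 77.5 (6 Diceware words)
```

The digest is 256 bits wide, yet the attacker's search space is still log2(5) bits; only a passphrase chosen at random from a large space changes that number.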