[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

don't use passwords as private keys (was Re: Using a password as a private key.)

To: [email protected]
Subject: don't use passwords as private keys (was Re: Using a password as a private key.)
From: Adam Back <[email protected]>
Date: Thu, 29 Oct 1998 21:20:37 GMT
CC: [email protected], [email protected]
In-reply-to: <[email protected]> (message from BillStewart on Wed, 28 Oct 1998 01:21:29 -0800)
Sender: [email protected]



Some people have been talking about using passwords as private keys.
(By using the passphrase as seed material for regenerating the private
and public key).

I don't think this is a good idea.

You can't forget passphrases.  You can destroy private key files.

Therefore you open yourself up to coercion, and forward secrecy is not
possbile with these schemes.  This means it is less secure.

The other reason it is less secure others commented on: you provide an
open target for dictionary attacks.  I wouldn't want to do that, even
with high entropy passphrase, it loses one important line of defense:
unavailability of private key file.

Adam

References:
- Re: Using a password as a private key.
  - From: Bill Stewart <[email protected]>

Prev by Date: Re: don't use passwords as private keys (was Re: Using a password as a private key.)
Next by Date: Re: Random array (fwd)
Prev by thread: Re: Using a password as a private key.
Next by thread: Re: Using a password as a private key.
Index(es):
- Date
- Thread