[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

don't use passwords as private keys (was Re: Using a password as a private key.)

Some people have been talking about using passwords as private keys.
(By using the passphrase as seed material for regenerating the private
and public key).

I don't think this is a good idea.

You can't forget passphrases.  You can destroy private key files.

Therefore you open yourself up to coercion, and forward secrecy is not
possbile with these schemes.  This means it is less secure.

The other reason it is less secure others commented on: you provide an
open target for dictionary attacks.  I wouldn't want to do that, even
with high entropy passphrase, it loses one important line of defense:
unavailability of private key file.