4 The passphrase | Contents |
As we have seen in the last chapter, the private key is one of the most important components of the "public key" or asymmetric encryption method. While one no longer needs to exchange the key with another party in secret, the security of this key is nevertheless the "key" to the security of the "entire" encryption process.
On a technical level, a private key is nothing more than a file which is stored on your computer. To prevent unauthorised access of this file, it is secured in two ways:
First, no other user may read or write in the file - which is difficult to warrant, since computer administrators always have access to all files, and the computer may be lost or attacked by viruses, worms or Trojans .
For this reason we need another layer of protection: the passphrase. This is not a password - a passphrase should not consist of only one word, but a sentence, for example. You really should keep this passphrase "in your head" and never have to write it down.
At the same time, it cannot be possible to guess it. This may sound contradictory, but it is not. There are several proven methods of finding very unique and easy to remember passphrases, which cannot be easily guessed.
Think of a phrase that is very familiar to you, e.g.:
People in glass houses should not be throwing stones.
Now, take every third letter of this sentence:
oegsoehloerisn
(People in
glass houses
should not be
throwing stones.)
While it may not be easy to remember this sequence of letters, it is also unlikely that you will forget how to arrive at the passphrase it as long as you remember the original sentence. Over time, and the more often you use the phrase, you will commit it to memory. No one else can guess the passphrase.
Think of an event that you know you will never forget about. Maybe it's a phrase that you will always associate with your child or partner, i.e. it has become "unforgettable". Or a holiday memory or a line of text of a song that is personally important to you.
Use capital and small letters, numbers, special characters and spaces, in any order. In principle, anything goes, including umlaute, special characters, digits etc. But remember - if you want to use your secret key abroad at a different computer, please remember that not all keyboards may have such special characters. For example, you will likely only find umlaute (ä, ö, ü usw.) on German keyboards.
You can also make intentional grammar mistakes, e.g. "mustake" instead of "mistake". Of course you also have to be able to remember these "mustakes". Or, change languages in the middle of the phrase. You can change the sentence:
In München steht ein Hofbräuhaus.
into this passphrase:
inMinschen stet 1h0f breuhome
Think of a sentence that does not make sense, but you can still remember e.g.:
The expert lamenting nuclear homes
Knitting an accordeon, even during storms.
A passphrase of this length provides good protection for your secret key.
It can also be shorter if you use capital letters, for example:
THe ExPERt laMenTIng NuclEAr hoMES.
While the passphrase is now shorter, it is also more difficult to remember. If you make your passphrase even shorter by using special characters, you will save some time entering the passphrase, but it is also morr likely that you will forget your passphrase.
Here is an extreme example of a very short but also very secure passphrase:
R!Qw"s,UIb *7\$
However, in practice, such sequences of characters have not proven themselves to be very useful, since there are simply too few clues by which to remember them.
A bad passphrase can be "broken" very quickly, if it ...
When composing your passphrase, please do not use any of the aforementioned examples. Because anyone seriously interested in getting his hands on your passphrase will naturally see if you used one of these examples.
Be creative! Think of a passphrase now! Unforgettable and unbreakable.
In Chapter 7 you will need this passphrase to create your key pair.
But until then, you have to address another problem: Someone has to verify that the person that wants to send you a secret message is real.
© 31. August 2010, v3.0.0-beta1 (last minor changes from 21. September 2010)
The Gpg4win Compendium is filed under the
GNU Free Documentation License v1.2.
4 The passphrase | Contents |