A password lesson learned

Since most hackers use PGP encryption keys to sign their mail to prove their identity, I decided that I probably should have an encryption key pair to sign my communications in hacker circles. So a few weeks back, while on Easter vacation, I found a nice guide describing the use of PGP (which stands for Pretty Good Privacy) and its Free Software alternative GPG (which is an acronym for GNU Privacy Guard), and created my own key pair.

The basic idea is that you have a public key which people can use to encrypt messages to you, and which only you can unlock by using your private key. Thus public and private keys fit together in pairs. One locks, the other unlocks. You use a passphrase to decrypt mail with your private key. The guide I used describes the passphrase thus:

A passphrase is like a password, but is longer, can contain spaces, and is supposed to be impossible to guess. Think of a passphrase as a super-password. Use a long sentence, or a line from one of your favorite songs, spaces and punctuation included. Oh, and if you ever forget your passphrase, there is NO way to get it back.

In order to send encrypted mails to somebody else, you need their public key, and generally, most security-aware people on the net prefer to sign their emails with their key to casually prove their identity. These identities are trusted through a mechanism called a Web of Trust, which depends on other people signing your key, assigning trust to the validity of your key and the identity that it represents (i.e. you!).

All of this is pretty important stuff, since these keys can quickly come to represent your identity on the net – especially if you’re signing all your emails with it.

Anyway, I created a key pair in order to sign the Ubuntu Code of Conduct to show my good will towards the project I’m participating in. I managed as much, with a bit of trial and error, and was quite pleased with myself, having succeeded in creating my online signature.

Now, three weeks later, I realize to my horror, that I’ve forgotten my passphrase, having only used it once! I’ve spent a fair while trying to remember it but to no avail. It seems gone for good! Having carefully crafted a digital proof of my existence, I promptly manage to forget it!

And since I didn’t read the instructions that carefully, I didn’t make a Revocation Certificate, so now that public key is irrevocably out there, since it is so secure that nobody else will be able to decrypt it!

I realize that this is the totally obvious newbie mistake to make, but there’s nothing to do but swallow my pride and try again. So this time, I’ve picked a passphrase I can remember – honestly! – and will try out using it straight away. I’ve added my new key to my Launchpad account and this key (dated today, the 1st of May 2006) is the one that I’ll be using.

While this one, dated April 11th 2006, is less than useless. A classic case of the human element in computing being a little too weak.

This raises the interesting question of how we should save these passwords, now safe-keeping so much of our correspondence and personal data. In the future, will biographers get access to – for instance – Salman Rushdie’s hotmail account? What happens to your passwords when you die?
