GPG and Password / Internet Security

Wed, Jan 31, 2001 4-minute read

If you have a password habit like most people, you probably reuse the same small set of passwords for all of your accounts – online or otherwise. To make matters worse, most (if not all) of your passwords come from the standard dictionary (English or otherwise).

A note about password strength

Some passwords are easier than others to break. For example, the easiest way for hackers to break a password is to first run through the dictionary. If your password is in a dictionary, it _will_ be found in a few hundred thousand attempts. Of course, they automate the entire process – so a weak password could be broken in a few hours.

In general, the strongest password is a completely random one – one that hackers need to try every single character combination to crack.

Note: A long password is even better than a random one. “My favorite Dodger is any Dodger!” is a way stronger password than “FsFS8S+y&z*`z4{”.

Why is this such a strong system? Well, if your password is a single character, a hacker needs to run through every character in the “password alphabet” (basically all of the letters, numbers, and symbols) to crack your password. They can do this in about 80 tries.

For two letters, they already have to try (80*80 = 6400) combinations, i.e.: aa, ab, ac, …, a+, ba, bb, bc, …, b+, and so on. For an 8 character password, they have to try a not-worth-their-while (80^8 = 1677721600000000) combinations.

Of course, using the same strong password on several sites renders you completely vulnerable. After all, if a hacker steals the password database from a site, they know your password for all the other sites!

Generating strong passwords

I’ve written two password generation utilities to help you. For a web-based JavaScript generator, bookmark my Online Password Generator. Alternatively, download my Java Password Generator to create strong passwords locally. No matter which way you choose, make sure to change all of your weak passwords as soon as possible.
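The search-space arithmetic from the "note about password strength" above, together with a generator drawing from the same 80-character alphabet, as an added example; this is not the author's Online or Java Password Generator, and the 80-character alphabet and the guessing rate are constructed assumptions:

```python
import math
import secrets
import string

# Constructed 80-character "password alphabet" matching the article's figure:
# 26 lowercase + 26 uppercase + 10 digits + 18 symbols = 80 characters.
SYMBOLS = "!@#$%^&*()-_=+[]{}"
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
assert len(ALPHABET) == 80  # the article's 80-tries-per-character figure


def search_space(length, alphabet_size=len(ALPHABET)):
    """Candidates an exhaustive attacker must try: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """The same quantity expressed in bits, the usual unit for comparing strength."""
    return length * math.log2(alphabet_size)


def worst_case_hours(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Hours needed to exhaust the whole space at an assumed guessing rate."""
    return search_space(length, alphabet_size) / guesses_per_second / 3600


def generate_password(length=15, alphabet=ALPHABET):
    """Draw each character with the secrets module (CSPRNG), not random.choice()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_from_alphabet(password, alphabet=ALPHABET):
    """True when every character of password comes from the chosen alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    # Compare against a dictionary attack: a word from a 300,000-entry list
    # (assumed size) is one of only 300,000 candidates, whatever its length.
    print(f"dictionary word: {300_000:>30,d} candidates")
    for n in (1, 2, 8, 15):
        print(f"{n:2d} random chars: {search_space(n):>30,d} candidates, "
              f"{entropy_bits(n):5.1f} bits, "
              f"{worst_case_hours(n, 1_000_000):.3g} h at 1M guesses/s")
    print("generated:", generate_password())
```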

Although programs exist to help you manage all of your strong passwords, I personally feel uncomfortable with the idea that a single software program has control over all of my passwords. How can I feel sure that the designer of the program is ethical – that they will not embed some sort of back-door into their program to allow unauthorized access to my passwords?

A second (and more devastating) problem with these password-keepers is that their security algorithms are second-rate: they are usually proprietary and have not been scrutinized by the world’s cryptographic community.

Fortunately, you can keep a unique (and very secure) password for any situation without having to memorize (or write down) any of them.

GPG to the rescue

“Gnu Privacy Guard” (GPG) is a free implementation of the most popular personal encryption software in the world. It is a community project with its source code freely available, so we can depend on its longevity. In addition, its encryption algorithm is constantly scrutinized by the world’s cryptographic community. On top of that, since its source code is freely available, nobody (including the government) can sneak back-doors into the program.

To create a secure password file, first download and install Windows Privacy Tray (http://www.winpt.org/). Although its setup is slightly complex, over 7 million people have done it – so you can too. Note: when GPG asks, make sure to choose a password that is both strong and easy to remember.

Next, create a plain text file and put your existing passwords in it. For example:

My Passwords
------------
HotMail:	*8]y6g/h6\
Bank:		##ep6KJphi
Word Documents:	apasswordihaventchangedyet

Next, use WinPT to encrypt the text – choose yourself as the recipient of the encryption. Your file should then have something like this in it:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.5.13
-----END PGP MESSAGE-----

Save it somewhere handy (your desktop or “My Documents” folder) and you’re set. Whenever you visit a site that requires a password, simply open the password file and decrypt it.

As a final note, you NEVER WANT TO LOSE your PGP key or password file. You can find your keyring files in the main WinPT installation directory: the files (secring.gpg, pubring.gpg, and your password file) only take up a few hundred kilobytes, so back them up on floppy regularly. I simply cannot stress this enough.