Exposed Password for my Public Key

I sign all of my email messages using public key cryptography, specifically GNU Privacy Guard via the Enigmail extension for the Mozilla Thunderbird email client. This morning, while attempting to send an email to a friend of mine, I accidentally broadcast the password to my private key into a chat room. The list of dumb things I’ve done in my life grows that much longer. While this sucked, and I had to go change the passwords on my keys, it does highlight one of the reasons public keys are so awesome.

Imagine I had been using password authentication. As soon as my password was known, everything that password was used to secure would have been compromised: forged email would be possible, or my server might be compromised, or dogs and cats would suddenly become friendly. In short, it would have been disastrous.

In a public key setup, though, the password isn’t itself used to sign anything. Its only job is to scramble (encrypt) the private key that does all the real work, and that key remained safely hidden on my computer. It’s really hard to accidentally broadcast your key, since you never actually touch it yourself. The password is merely a last-ditch safeguard that buys you some time if your private keyring ever falls into the wrong hands. The key is the truly valuable information, and the password is useless without it. Now that I have set a new password on my key, the old password is useless and the integrity of the key is intact. That only holds because the keyring itself never left my machine; a leaked copy of the keyring plus the old password would have been a different story.
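To make that concrete, here is an added example (not code from this post or from GnuPG, and a simplification of GnuPG’s real key-protection format) showing the mechanism: a passphrase is stretched into a key-encryption key, that key wraps the raw private key material, and changing the passphrase simply re-wraps the same key, after which the old passphrase no longer opens it. The function and parameter names are my own; PBKDF2 and an HMAC-based stream cipher stand in for GnuPG’s S2K and AES.

```python
import hashlib, hmac, os

def _kek(passphrase: bytes, salt: bytes) -> bytes:
    # Stretch the passphrase into a 64-byte key-encryption key (GnuPG: iterated+salted S2K).
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for GnuPG's block cipher).
    blocks, ctr = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]

def lock_key(secret_key: bytes, passphrase: bytes) -> bytes:
    # Encrypt raw private-key material under a passphrase: salt | nonce | ciphertext | tag.
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _kek(passphrase, salt)
    enc_k, mac_k = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(secret_key, _keystream(enc_k, nonce, len(secret_key))))
    tag = hmac.new(mac_k, salt + nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ct + tag

def unlock_key(blob: bytes, passphrase: bytes) -> bytes:
    # Recover the private key; a wrong passphrase fails the tag check and yields nothing.
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    kek = _kek(passphrase, salt)
    enc_k, mac_k = kek[:32], kek[32:]
    expected = hmac.new(mac_k, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase (or tampered keyring)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_k, nonce, len(ct))))

def change_passphrase(blob: bytes, old: bytes, new: bytes) -> bytes:
    # The spirit of `passwd` inside `gpg --edit-key`: re-wrap the *same* key under a new passphrase.
    return lock_key(unlock_key(blob, old), new)

def demo() -> tuple:
    # Returns (new passphrase yields the original key, old passphrase still works).
    secret_key = os.urandom(32)  # constructed stand-in for the raw private key
    blob = lock_key(secret_key, b"old passphrase")
    rotated = change_passphrase(blob, b"old passphrase", b"fresh passphrase")
    same_key = unlock_key(rotated, b"fresh passphrase") == secret_key
    try:
        unlock_key(rotated, b"old passphrase")
        old_still_works = True
    except ValueError:
        old_still_works = False
    return same_key, old_still_works
```

The key material that actually signs is identical before and after the rotation; only its wrapper changed, which is why leaking the passphrase alone (without the keyring) is survivable.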

So what did we learn today? That’s right: public key cryptography is a Good Thing.

On a side note, this whole thing made me realize I hadn’t created a page to distribute my PGP key from this site. So I have done so, and you will notice a new menu item at the top leading to my PGP Key.