[svlug] Security & PGP: "Why Johnny Can't encrypt"

Rick Moen rick at linuxmafia.com
Sat Jan 31 19:59:52 PST 2015


Quoting Jesse Monroy (jesse650 at gmail.com):

> From the abstract:
> """
> We conclude that PGP 5.0 is not usable enough to provide effective
> security for most computer users, despite its attractive graphical
> user interface, supporting our hypothesis that user interface design
> for effective security remains an open problem.

(Dusty nature of this article noted in passing, and also mentioned by
Michael Eager.)

Unpalatable as use of PGP has always been for the vast bulk of computer
users, GNU Privacy Guard (gpg, gnupg), the flagship implementation of the
OpenPGP crypto standard, is markedly worse in that area.

gpg is my poster child for Awful Command Line Interface, and Cryptic
Even with Wrapper Scripts.

> As a gentle reminder, when I was at HP - working in shipping/receiving
> - it was considered good practice to keep the password under the
> keyboard - if not taped to the bottom of the keyboard.

Depending on particulars, this can be a perfectly reasonable compromise.
If the physical location where you leave your password PostIts is
access-controlled, the threat model of those passwords getting
misappropriated might be a very minor risk -- and even less so if your
PostIts carefully omit identifying what each password is _for_.



