I'm an idiot: forgotten GPG passphrase

Since nobody was using my GPG key, this doesn't matter to anybody right now. However, it may be relevant to people wanting to send me encrypted email in the future. I forgot my GPG passphrase, so I generated a new one.

Lost key:

pub   1024D/AB00B807 2008-10-11
uid                   Graham Percival 
sub   2048g/2BAF95B3 2008-10-11

New, good, key:

pub   1024D/C352022F 2009-08-09 [expires: 2011-08-09]
uid                  Graham Percival 
sub   4096g/95D7E0AF 2009-08-09 [expires: 2011-08-09]

Such announcements should be met with extreme suspicion -- after all, if a Bad Guy can convince you to use a different key, without offering a signed revocation of the old key, that completely defeats even the most powerful encryption techniques. In an attempt to convince you that it's safe to trust this announcement, I'll make the following points:

I first realized that I couldn't remember the passphrase the first time I tried to use it -- last Spring, about half a year after generating it in the first place. This gap was the reason I forgot the passphrase in the first place... I don't have problems with things I use daily, but trying to remember a very complicated passphrase that I haven't used in six months is evidently beyond me.

I spent 4-5 hours over the next few days trying various phrases to no avail. I even tried running a cracking tool on the passphrase for a week... I still had my private key, after all. However, that didn't come up with anything. Admittedly, I was using a security researcher's "proof of concept" code. I spent fifteen minutes looking at it and managed to make it 10 times faster, which certainly gave credence to his "this is just to demonstrate how it would work, but it's not at all useful in practice".

Eventually I decided to wait until I returned to Vancouver from Singapore; perhaps it would come to me when I was sitting in my bedroom, surrounded by all the things that surrounded me when I first invented that passphrase. As it happened, I did remember part of it. At least, I think so. I'm pretty certain that I got that part right. However, I still couldn't remember the other part, so no go.

For the rest of the summer, I kept on putting off generating a new key, since I "might" remember it later. But today, one month before I leave for Glasgow, I figured enough was enough.

What does this mean? Well, I had uploaded my key to the public keyservers. Without the passphrase, I can't generate a revocation key. I suppose I could abandon my current public email address, but I'm reluctant to do so... even if I seriously put down roots in the UK, I'd still be a proud Canadian, so I'd still want to retain percival-music.ca.

So this means that anybody wanting to send me private emails in the future will find two GPG keys. To dispel that confusion, I'll need to point them at this post, reminding everybody that I'm an idiot. Ouch. My geek cred is certainly taking a beating over this mistake. :(

On the other hand, as far as "permanent mistakes" go, this is a pretty minor one. I mean, just compare it to all the other mistakes that people in their 20s make. I didn't get drunk and crash my car, I didn't get a girl pregnant (accidentally, I mean -- I guess it wouldn't be a mistake if it was planned), I didn't start doing drugs, I didn't cheat on any exams or papers.

I'm still an idiot, though.

Posted at 2009-08-09 19:31