Tag Archives: pgp gpg password credentials

PGP stands for ‘Pretty Good Privacy’, and is a program for cryptography and authentication. In fact, PGP cryptography is considered ‘military grade’, which means it’s (nearly?) impossible to break. There is no evidence yet that anyone (persons, corporations, government) has broken PGP encryption. (This is a simplification: there are multiple versions, and there are vulnerabilities which have been found and resolved.)

As an IT consultant, I receive quite a lot of digital material which is considered confidential. Just think about it for a little while… Accounts and passwords are obvious, but they are also quite frequently found in emails, text files, spreadsheets and software (scripts for maintenance jobs, for example). But think further: the architecture of a website and its technical details would be of tremendous help to someone who wants (to try) to access a website in a malicious way. Hostnames: found in all kinds of documentation and emails. All kinds of maintenance information: very common, but these reveal a tremendous amount of information.

So… why does almost everybody store all that stuff ‘open’ on their computer system? It’s something I thought about for some time.

The most obvious reason to me seems to be habit. Almost nobody encrypts any data, and people copy that behavior, simply because they are never taught to make a distinction between sensitive and normal data on their computer system, and to encrypt the sensitive data. Another reason is knowledge. If you don’t know about the ability to encrypt or sign messages (email) or data/files, it’s logical that you don’t do it. The next reason is effort. Using cryptography takes more effort and time than doing without.

In fact, when you look closely at the security rules and regulations which you are subject to for your customer or customers, it’s probably forbidden to store credentials on your computer system. On the other hand, there is a fairly big chance you have credentials stored on your computer system somewhere. (And no: a password-protected Excel sheet is not considered encrypted. Office 2007 is rumored to be more secure, but password recovery is offered on the web.) If you do not have them explicitly stored in a file (which would be highly unlikely, in my experience), there is a very big chance your mailbox has all kinds of credentials stored.

If this gets you thinking, or you want to start with PGP/encryption of sensitive data, read something about it, such as the Wikipedia page about PGP, or install and use a PGP implementation: Linux uses a GNU implementation called GPG by default, there is a Thunderbird implementation called Enigmail, and for Mac and Windows there is a commercial (but very good) implementation called PGP Desktop.
