Page MenuHome GnuPG

Use the term password instead of passphrase
Open, NormalPublic

Assigned To
Authored By
werner
Apr 13 2018, 1:55 PM
Tokens
"Like" token, awarded by Stoowea."Like" token, awarded by Sultec."Like" token, awarded by steve."Like" token, awarded by jcrben.

Description

Users seems to be be confused about the term "passphrase" because that is uncommon to them. Thus it is better to replace that by the common "password" and explain that this password my contain spaces.

For translations this can easily be done but for gnupg etc, this might requite quite some string chnages. I thus assign it a gpg23 tag.

Documentation needs to be updated as well.

Event Timeline

There has been some progress here. At least we no longer use "passphrase" in new code. We still have not yet replaced all old occurances.

To be realistic I expect 2.3 ~summer and this change to be deployed e.g. in Gpg4win in autumn this year.

Despite that I created this task, I am still not not convinced that removing the term passphrase is a good idea. If we do this in gnupg we would need to change all strings to make it clear that the passphrase is used to protect one's own key and has nothing to do with encryption etc. In fact the term PIN would be better because it is common knowledge that you use a PIN to get access to something you own. There would be less confusion on the purpose of the passphrase. Sure PIN is usually considered to be a number. However my bank allows a string to be used as, what they call, PIN.

So instead of replacing a well established term I propose not to use passphrases anymore; these should be considered expert things (gpg --expert) and experts should know for what the passphrase is actually used. Non-experts should be driven to use a token instead of a passphrase protected private key.

There is one place where passphrases are used and unfortunately that time to actually encrypt the communication (gpg -c). Replacing it here with password would be kind of okay iff we print a warning when that password does not consist of several words. A much better way would be to drop the term and request "Please enter the secret string which will protect your communication/data".

First of all I find PIN a very bad term. "Personal Identification Number" for example for my Gnuk token is confusing. I use a string there,... So let us use PIN only where it really has to be a number. Otherwise it is a Password.

Non-experts should be driven to use a token instead of a passphrase protected private key.

Agreed! But by policy and OpSec and not by our choice of words. Btw. We have to clarify the word "token" when we use it. It leads to confusion. Tokens for us are Hardware thingamagingies that contain / protect the secret key.

Anyhow. I'll have a look at the code to see where I think passphrase should be replaced and then we can talk about it concretely. Steve and my main issue is that it should be removed from the GUI (pinentry).

Users keep showing up in our support, confused by this inconsistency. This problem continues in 2020. What's holding this back?