Several articles on the PGP-users mailing list have discussed keystroke snarfers that unexpectedly grab and save keystrokes, including passwords, severely weakening any benefits from encryption. taoboy <taoboy@sprynet.com> mentioned Mac programs FileGuard and HiddenOasis and the SpellCatcher spell-check program's Ghostwriter feature, which he'd noticed had stuck his password into a disk file; he suggests that Windows machines probably have similar surprises.

From: patm@connix.com (Pat McCotter)
Which is why, every once in a while, I do a search of my entire disk for my PGP pass phrase and various other passwords I use. [....] I do this with Norton DiskEditor. I have to upgrade to do this on my Win95 machine which I understand is much worse than Win3.x in this area.
Be careful - PGP goes to a lot of effort to overwrite your passphrase when it's done using it; Norton or grep or other disk-crawlers are unlikely to do so, because that sort of paranoia's not part of their job, and simply typing in a command in a command window will often get it saved in a command history file. So your search for the passphrase on disk makes it _more_ likely that some program will stash it on your disk...

You could work around this by using a complex passphrase and adding a distinctive word to the end, e.g. "mumblefrotz foobaroid zarquon FINDTHIS", which doesn't become much less secure if the FINDTHIS gets left on the disk from your "grepemall FINDTHIS c:" command.

# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
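An added example, not part of the original message: a sketch of the sentinel-word search suggested above, which only ever handles the marker (here "FINDTHIS") and never the passphrase itself. The function names `scan_file` and `scan_tree` are hypothetical; the script checks both the ASCII and UTF-16LE encodings of the marker and catches matches that straddle a read boundary.

```python
import os
import sys

def marker_patterns(marker):
    # Only the sentinel word is encoded and searched for, not the passphrase.
    return [marker.encode("ascii"), marker.encode("utf-16-le")]

def scan_file(path, marker, chunk_size=1 << 20):
    """Return sorted byte offsets at which the marker occurs in the file."""
    patterns = marker_patterns(marker)
    overlap = max(len(p) for p in patterns) - 1
    hits = set()          # a set, because the overlap can re-find a match
    tail = b""            # bytes carried over from the previous read
    base = 0              # file offset of the first byte of tail + chunk
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for p in patterns:
                i = buf.find(p)
                while i != -1:
                    hits.add(base + i)
                    i = buf.find(p, i + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)

def scan_tree(root, marker):
    """Walk root and map each file containing the marker to its offsets."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                offsets = scan_file(path, marker)
            except OSError:
                continue  # unreadable or locked file: skip it
            if offsets:
                results[path] = offsets
    return results

if __name__ == "__main__":
    # Usage: python findmarker.py <root-directory> <marker-word>
    for path, offsets in scan_tree(sys.argv[1], sys.argv[2]).items():
        print(path, offsets)
```

This walks ordinary files only; remnants in deleted-file space or a swap file need a raw-disk search of the kind the quoted message does with a disk editor.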