Joe "slightly crypto-savvy PGP user" Sixpack keeps his PGP keyring in c:\pgp on a DOS/W95 box. The average user of any of the unices keeps his keyring in /usr/pgp or /usr/local/pgp. It does not take a lot of attempts to go through most of the common places.
The very same guy probably has a password that is:
[Dictionary attack on wimpy passphrases]
With PGP 2.0 ... 4.0 secret keyring files, there's another attack. (I don't know if PGP 5.0 files have this problem or not.) You can't get the secret key itself from the password file without cracking the IDEA password (or algorithm), but the user-name is in cleartext.

    Joe Sixpack <jr6@aol.com>               0x98458509834295834098589...
    Joe Sixpack <purchasing@work.com>       0x34543905843f90853490545...
    Jane Doe #2 <janedoe2@nym.alias.net>    0x2d0e2d0e231415926535487...
    Lone Ranger <maskedman@dopedeal.com>    0x23dead5beef890832455345...
    TruthMunger <medusa@blacknet.gov>       0x27182818284590459024090...
    Arms Buyer <getguns@freeburma.org>      0x08908024308732049872390...

If you've got pseudonyms as well as your real name, they show; you've got all the usual risks of traffic analysis, outing, etc. and your secret identity is toast. For most people, it's not a big risk, but if you really _do_ need to keep your pseudonym untraceable, this lets it leak out of your encrypted hard disk, which would be Bad.

Publius
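The point above is a property of the file format, not of the passphrase: in a PGP 2.x-style secret keyring the key material sits inside IDEA-encrypted secret-key packets, but each user-ID packet following it is a plain string. The following is an added example, not code from the post or from PGP, that walks the old-format packet headers (the layout PGP 2.x wrote, later documented in RFC 2440) and lists the user IDs per secret key without ever touching the encrypted key bytes, so you can audit your own keyring for identities you would rather not keep side by side. The keyring bytes are constructed inline with dummy key bodies; the only assumption is the old-format packet header layout, and the filler in the secret-key packets is not a real key.

```python
import struct

# Packet tags from the PGP 2.x / RFC 2440 packet format.
SECRET_KEY_TAG = 5
USER_ID_TAG = 13
SIGNATURE_TAG = 2


def _old_packet(tag, body):
    """Build an old-format packet (CTB 1 0 tttt ll) with a one-byte length; bodies < 256 bytes only."""
    assert 0 <= tag < 16 and len(body) < 256
    return bytes([0x80 | (tag << 2) | 0, len(body)]) + body


# Constructed filler standing in for the IDEA-encrypted key material; not a real key.
_DUMMY_SECRET = b"\x03" + b"\x00" * 40

# Constructed sample keyring: two secret keys, one of them carrying a pseudonym.
SAMPLE_KEYRING = (
    _old_packet(SECRET_KEY_TAG, _DUMMY_SECRET)
    + _old_packet(USER_ID_TAG, b"Joe Sixpack <jr6@aol.com>")
    + _old_packet(SIGNATURE_TAG, b"\x00" * 8)          # self-signature, contents irrelevant here
    + _old_packet(USER_ID_TAG, b"Joe Sixpack <purchasing@work.com>")
    + _old_packet(SECRET_KEY_TAG, _DUMMY_SECRET)
    + _old_packet(USER_ID_TAG, b"Jane Doe #2 <janedoe2@nym.alias.net>")
)


def iter_packets(data):
    """Yield (tag, body) for each old-format packet in data, validating headers and lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not a packet header at offset %d" % pos)
        if ctb & 0x40:
            raise ValueError("new-format header at offset %d; this example handles PGP 2.x old-format only" % pos)
        tag = (ctb >> 2) & 0x0F
        length_type = ctb & 0x03
        pos += 1
        if length_type == 0:
            (length,) = struct.unpack(">B", data[pos:pos + 1])
            pos += 1
        elif length_type == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
        elif length_type == 2:
            (length,) = struct.unpack(">I", data[pos:pos + 4])
            pos += 4
        else:
            raise ValueError("indeterminate-length packet at offset %d not supported" % (pos - 1))
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        pos += length
        yield tag, body


def list_user_ids(data):
    """Return the cleartext user IDs grouped per secret key; key packets are skipped, never decrypted."""
    keys = []
    for tag, body in iter_packets(data):
        if tag == SECRET_KEY_TAG:
            keys.append([])
        elif tag == USER_ID_TAG:
            if not keys:               # tolerate a user ID before any key packet
                keys.append([])
            keys[-1].append(body.decode("latin-1"))
    return keys


def identities_exposed(data):
    """Flat, de-duplicated view of every name the file reveals without a passphrase."""
    seen = []
    for ids in list_user_ids(data):
        for uid in ids:
            if uid not in seen:
                seen.append(uid)
    return seen


if __name__ == "__main__":
    for n, ids in enumerate(list_user_ids(SAMPLE_KEYRING), 1):
        print("secret key %d:" % n)
        for uid in ids:
            print("   ", uid)
```

Run against a real secring.pgp the same walk will also encounter trust and comment packets, which the loop simply skips; the thing to look for in the output is more than one persona under one file, which is exactly the exposure the post describes.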