Use a low entropy things (I guess user's password would be not larger than 20 characters nowadays even using password managers) to encrypt a high entropy strings (PGP key).
We derive a (key-encryption-)key from the password using a password hashing function / key derivation function (bcrypt, although we're planning to switch to Argon2) before using it to encrypt the PGP key. This is fairly standard practice, it's what password hashing / key derivation functions are designed for.
The crypto refresh of the OpenPGP standard also has Argon2 built-in, exactly for this purpose, so that you don't have to do it manually. (RFC4880 also has "string-to-key" functions built-in but they are fairly weak so we don't rely solely on them.)
All of that being said, it's still important to choose a strong password or passphrase, of course; if you choose "123" then it's gonna be guessed instantly no matter how strong the hashing function is (well, unless it's so strong that even logging in becomes too expensive...)
The main goal of password hashing functions is to tip the balance towards making it too expensive for an attacker to guess your password (as long as it has let's say "medium entropy") while still making it cheap to log in.
twiss|2 years ago
The crypto refresh of the OpenPGP standard also has Argon2 built-in, exactly for this purpose, so that you don't have to do it manually. (RFC4880 also has "string-to-key" functions built-in but they are fairly weak so we don't rely solely on them.)
All of that being said, it's still important to choose a strong password or passphrase, of course; if you choose "123" then it's gonna be guessed instantly no matter how strong the hashing function is (well, unless it's so strong that even logging in becomes too expensive...) The main goal of password hashing functions is to tip the balance towards making it too expensive for an attacker to guess your password (as long as it has let's say "medium entropy") while still making it cheap to log in.