top | item 8693527

Ask HN: Which websites use GPG public/secret keys for user password retrieving?

4 points| NaNaN | 11 years ago

I think email accounts are fragile because you must make sure both the client and the server are secure.

If you use GPG public/secret keys, then you don't need email for password retrieving any more. (and no email spams about that)

1. For registrations, upload your public key and use your secret key to verify that you own the public key. 2. Retrieve your user password is simple, too. The server encrypt some text with your public key, then you use the secret key to decrypt and submit the original text to verify.

Nowadays, more and more people use password managers to generate strong passwords. Why not use GPG? Is any website using GPG for password retrieving?

4 comments

rprospero|11 years ago

The problem with using GPG for password retrieval is that we're assuming that the user is irresponsible enough to lose their password, but responsible enough to maintain backups of their public and private key.

To put it differently, if you have gpg authentication available, why are you even bothering with a password in the first place?

NaNaN|11 years ago

The keys can be printed out on a paper. If you set a strong enough passphrase for the secret keys, you can upload them somewhere, too.

I should rarely use my special keys (or passphrases of the secret keys) so as to keep them safer. And simpler authentication is more efficient for normal web services. GPG authentication may not be fast enough.

valarauca1|11 years ago

GPG doesn't easily lend itself to be wrapped, or even used for that matter.

You are welcome to try.

hakanderyal|11 years ago

Tried to explain GPG, public/secret keys to non-tech guys. Not fun.

Something like that must be easy to use, and easy to understand to be used by the masses.