I'm a tempura shrimp and you can't catch me! | 🐢 Terrapin Attack | 🦙 ALPACA Attack | 🦝 Raccoon Attack | DEMONS Attack | @lambdafu@mastodon.social
Nov 17, 2021 • 19 tweets • 4 min read
Here is all you need to know about the password security of PGP private keys and PGP symmetric encryption. tl;dr: PGP uses outdated and insecure algorithms. If you have to use it, you must choose a super strong password to protect yourself from brute force attacks. 🧵
This thread is about password protection of PGP private keys (stored or exported), and about password protected PGP messages ("gpg -c"). It's not about the public key encryption of PGP messages. This is inspired by a news story about somebody sending a private PGP key by email.
Jul 5, 2019 • 11 tweets • 4 min read
Recent reports on the #OpenPGP #keyserver certificate poisoning attacks have focused on the SKS keyserver implemented in OCaml, which is basically a replicated, censor-resistant, append-only database for unverified key material. But what about #gnupg's role in the attack? /thread
Historically, the PGP tool used the same OpenPGP data structure internally and externally: PGP Keys (public or secret) are a sequence of OpenPGP packets. First there is a signing key packet, then a user id packet, followed by a binding signature, and then web of trust signatures.