[so much for following up on gpg-devel; i'm replying to enigmail because that's where this message went, even though i don't understand the reason to keep this non-enigmail discussion here]
On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
> Finally, someone else already posted the right answer, a tool like
> Keepass can auto-type the password, bypassing the clipboard. It's also
> thought to be safe against key loggers, although there is some dispute
> on that topic.

I quite like the Keepass approach. But it's not clear to me that this will work, at least for the versions of pinentry i've seen that grab the input devices (i'm seeing this on X11, at any rate). In this case, I don't think there is a way to trigger keepass to get it to type into the pinentry dialog.

What platforms has this approach been tested on?

> I think that a case can be made for a better plan to be using a password
> that you can remember, and type. I would also argue that for most people
> there is no threat model that justifies a password so long that you
> can't remember or type it. :)

I can sympathize with this sentiment. In general, i think users should keep a very small number of strong passphrases that they can remember and can type, and should use the main one of those passphrases to control a mechanized password store (like keepass) for all the rest of them.

I suppose the underlying question is whether you think the user's OpenPGP passphrase is one of these strong passphrases that they should be able to remember, or whether you think it should be delegated to the mechanized password store.

--dkg