On 3/28/15 12:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because that's where this message went, even though i don't understand the reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>> Finally, someone else already posted the right answer, a tool like Keepass can auto-type the password, bypassing the clipboard. It's also thought to be safe against key loggers, although there is some dispute on that topic.
>
> I quite like the Keepass approach. But it's not clear to me that this will work, at least for the versions of pinentry i've seen that grab the input devices (i'm seeing this on X11, at any rate). In this case, I don't think there is a way to trigger keepass to get it to type into the pinentry dialog.
Keepass has a way to specify the target window. But that method only works with certain types of dialogs. I just tried it with the Mac GPG Tools pinentry and it doesn't work. Of course there is no reason that the standard pinentry front ends couldn't be adjusted as needed.
> What platforms has this approach been tested on?
Dunno. :)
>> I think that a case can be made for a better plan to be using a password that you can remember, and type. I would also argue that for most people there is no threat model that justifies a password so long that you can't remember or type it. :)
>
> I can sympathize with this sentiment. In general, i think users should keep a very small number of strong passphrases that they can remember and can type, and should use the main one of those passphrases to control a mechanized password store (like keepass) for all the rest of them. I suppose the underlying question is whether you think the user's OpenPGP passphrase is one of these strong passphrases that they should be able to remember, or whether you think it should be delegated to the mechanized password store.
Yes, I agree with you in principle, and I do think that the secret key password is one that should be typeable.
And FWIW, one of the virtues of a secure key store like Keepass is that you can keep passwords in it whether you want to auto-type them or not. So if you have a strong password for something that you don't type often, you can keep it there to prompt your memory.
Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!