First of all, you have created three threads about it. When you reply to an email, you need to actually reply to that mail. Just using the same subject does not make the email get into the thread (could you imagine the threads for emails titled "Bug"?).

I am replying to the original thread, and glossing over points mentioned over several threads.

> I don't know which of the many GPG packages throws up the passphrase window,
> to know to which package a bug
> report should be directed (if it is a bug). I might have thought
> pinentry[*], but it is NOT one of the upgraded packages.
> (I have pinentry-curses and pinentry-gnome3 (curiously, not pinentry-qt...),
> at versions 1.1.0-3+b1)
>
> My QtPass is at version 1.3.2-1, and pass is at 1.7.3-2.
> (My assumption is that QtPass is calling a GPG function that sometimes asks
> for the passphrase, or that QtPass calls
> a pass function that is calling a GPG function that sometimes asks for the
> passphrase.)

QtPass is a frontend for pass, which itself is a password manager based on gpg. So it's normal that a prompt for the underlying gpg key ends up appearing.

> It then asks for it again, either after a certain number of minutes,
> or after a certain number of password uses in QtPass.

You may play with the agent ttl options on ~/.gnupg/gpg.conf so that it doesn't request it so often:
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options

> Is this a bug, or a (security?) feature?

It is a (somewhat annoying) feature.

    By grabbing the keyboard: a) it ensures that i don't accidentally type
    into another window when i think i'm typing in the prompter b) it keeps
    other X11 clients from sniffing the keyboard input
    -- dkg on Debian bug 930062

> I got tired of always having to bring up my file manager, and then opening
> the file containing the passphrase,
> and copy and pasting it into the passphrase field, each time GPG wanted the
> passphrase.

You shouldn't have the password for the password manager in a file alongside it.

> Secondly, I could write the passphrase down... I could write ALL my
> passwords down, and then I would not need a password manager!
> Not very practical.

There is ONE passphrase you cannot keep stored in the password manager. That's the one that gives you access to the password manager itself.† You are having issues with that one passphrase. Writing down all your passwords as you propose would be equivalent to using your password manager with no password manager password (it may not be a good idea, but you *could* do that).

> Thirdly, the password manager itself copies passwords to the
> clipboard, to be pasted into input fields.
> If using the clipboard is unsafe, then GPG would disallow its use in
> password managers as well, would it not?

It's not that the clipboard is unsafe.‡ The problem with your flow is that you are copying the master password from an unsafe place. The reason for the master password is that, should anyone steal your files (either physically or remotely), they would not be able to get to the secrets stored in your password manager. Passwords should be either directly typed or copied from a password manager. If you copy that password from another file, the file from which you are copying it is the insecure part, not that you move it from that file through the clipboard. It would be the same issue if you had the text file open in the background and you typed it from there.

Be careful what you wish for, btw. Some pinentries *do* block pasting from the clipboard. I had to type a gpg password that I had available in the password manager, when the system launched the wrong™ pinentry. ☹

> If one is supposed to have long, complicated,
> difficult-to-remember-and-type passwords (which one cannot even
> see when they are being entered!), then one HAS to use a clipboard to
> get them from where they are stored into where they are needed,
> and the passphrase is supposed to be even longer (since it unlocks
> access to all the others).

Above you were arguing for writing down all your passwords in plain text; now you say they need to be very difficult-to-remember-and-type passwords.

Also, you have a few misconceptions:

> long, complicated, difficult-to-remember-and-type passwords

Passwords don't need to be "complicated to type". The classic example would be 'Tr0ub4dor&3' vs 'correct horse battery staple' from https://xkcd.com/936/

The goal isn't that they are difficult to remember either. If I needed to set one, I would state it as 'use a unique, random password for each realm'. Here 'random' just means "unpredictable". You could take your passwords from the telephone book. What you shall not use is the phone number of your Granny, since it'd be predictable that you used a number you already knew, such as the one of a family member. Learning by heart a telephone number of a stranger you got by randomly opening it would work. ⁂ And memorizing it shouldn't be harder than memorizing any other phone number (smartphones made people lazy, but it was common to know lots of numbers by heart). Remembering *lots* of passwords is what starts making it hard, but remembering a few good passwords is not that difficult (and the password for your password manager is one key to remember).

As for the password manager passphrase needing to be longer, that could be argued both ways. The protection provided by the password manager should not be weaker than that of any secret it guards. It doesn't mean that its strength should be the sum of that of everything it contains. On the other hand, what we need to amount is the protection it provides, which doesn't rest solely on the master password. You could take into account also the protection added by the password manager format itself, and the system it rests on, and so a 'weak' password could be considered enough. As usual, you should make your own risk analysis.

‡ Well, kind of. There are clipboard snooping attacks, where an application (or even a web page) retrieves clipboard contents that were not intended for them. Also, you will find that password managers like to clear the password from the clipboard after some seconds.

† No need to remember the password website:

Don't worry, I only need to (remember and provide) the password manager password, but before…
I only need to (remember and provide) the system account password, but before…
I only need to (remember and provide) the disk encryption password, but before…
I only need to (remember and provide) the BIOS boot password, but before…
I only need to (remember and provide) the system account password, but before…
I only need to (remember and provide) the PIN on the door, but before…
I only need to (remember and provide) the right word to the Cerberus relative that is guarding the garden, but before…
I only need to (remember and provide) the right answer to the sphinx that is at the entrance of the city.

It is very easy, you see, to provide the password at the website. No need to its password struggle to learn. It's now so simple to enter there.

Wait!, it is asking me for a 2FA code to provide…

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
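The agent TTL tuning mentioned above, as an added example that is not part of the thread: gpg-agent reads `default-cache-ttl` and `max-cache-ttl` (seconds) from gpg-agent.conf, and this script sets them idempotently in a caller-supplied file and asks a running agent to re-read its config. The helper names and the 3600/28800 values are the example's own choices; a longer cache means a fewer prompts but also a longer window in which anything running in your session can use the unlocked key.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread): tune gpg-agent's
# passphrase cache so pinentry prompts less often. Both options live in
# gpg-agent.conf and take seconds:
#   default-cache-ttl  time an unused cached passphrase stays valid
#                      (the timer restarts on every use)
#   max-cache-ttl      hard ceiling from the moment it was cached
set -e

# Set or replace "key value" in a gpg-agent.conf file without duplicating
# the line. Matching requires whitespace after the key so that, e.g.,
# default-cache-ttl does not clobber default-cache-ttl-ssh.
set_agent_option() {
    conf=$1; key=$2; value=$3
    touch "$conf"
    if grep -q "^$key[[:space:]]" "$conf"; then
        # rewrite via a temp file so this works with BSD sed as well as GNU sed
        sed "s/^$key[[:space:]].*/$key $value/" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Print the current value of an option (last occurrence wins, as in gpg-agent),
# or nothing if it is unset.
get_agent_option() {
    conf=$1; key=$2
    [ -f "$conf" ] || return 0
    sed -n "s/^$key[[:space:]][[:space:]]*//p" "$conf" | tail -n 1
}

# Write both TTLs into the real config and tell a running agent to reload.
# Constructed defaults: 1 hour idle, 8 hours absolute.
apply_cache_ttl() {
    conf="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    set_agent_option "$conf" default-cache-ttl "${1:-3600}"
    set_agent_option "$conf" max-cache-ttl "${2:-28800}"
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent || true   # no running agent is not an error
    fi
}

# Usage: sh this_script.sh apply [default-ttl] [max-ttl]
if [ "${1:-}" = apply ]; then
    apply_cache_ttl "${2:-}" "${3:-}"
fi
```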