[Enigmail] Paste passphrase from clipboard into pinentry dialogbox

Doug Barton dougb at dougbarton.email
Sat Mar 28 20:09:15 CET 2015


On 3/28/15 11:57 AM, Daniel Kahn Gillmor wrote:
> If the only concern is leaving sensitive data in the clipboard after
> use, maybe pinentry could *accept* pastes, but then also clear the
> clipboard after it was pasted into?

First, this discussion is moot because Werner won't change this.

Second, what you're describing isn't safe. Malware that watches the 
clipboard will still pick up what's pasted onto it, even if it gets 
cleared immediately after.

Finally, someone else already posted the right answer: a tool like 
KeePass can auto-type the password, bypassing the clipboard. It's also 
thought to be safe against key loggers, although there is some dispute 
on that topic.

I think that a case can be made for a better plan to be using a password 
that you can remember, and type. I would also argue that for most people 
there is no threat model that justifies a password so long that you 
can't remember or type it. :)

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!

