[Enigmail] Paste passphrase from clipboard into pinentry dialogbox

Doug Barton dougb at dougbarton.email
Sat Mar 28 20:51:45 CET 2015


On 3/28/15 12:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because
> that's where this message went, even though i don't understand the
> reason to keep this non-enigmail discussion here]
>
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>> Finally, someone else already posted the right answer, a tool like
>> Keepass can auto-type the password, bypassing the clipboard. It's also
>> thought to be safe against key loggers, although there is some dispute
>> on that topic.
>
> I quite like the Keepass approach.
>
> But it's not clear to me that this will work, at least for the versions
> of pinentry i've seen that grab the input devices (i'm seeing this on
> X11, at any rate).  In this case, I don't think there is a way to
> trigger keepass to get it to type into the pinentry dialog.

Keepass has a way to specify the target window. But that method only 
works with certain types of dialogs. I just tried it with the Mac GPG 
Tools pinentry and it doesn't work. Of course there is no reason that 
the standard pinentry front ends couldn't be adjusted as needed.

> What platforms has this approach been tested on?

Dunno. :)

>> I think that a case can be made for a better plan to be using a password
>> that you can remember, and type. I would also argue that for most people
>> there is no threat model that justifies a password so long that you
>> can't remember or type it. :)
>
> I can sympathize with this sentiment.  In general, i think users should
> keep a very small number of strong passphrases that they can remember
> and can type, and should use the main one of those passphrases to
> control a mechanized password store (like keepass) for all the rest of
> them.
>
> I suppose the underlying question is whether you think the user's
> OpenPGP passphrase is one of these strong passphrases that they should
> be able to remember, or whether you think it should be delegated to the
> mechanized password store.

Yes, I agree with you in principle, and I do think that the secret key 
password is one that should be typeable.

And FWIW, one of the virtues of a secure key store like Keepass is that 
you can keep passwords in it whether you want to auto-type them or not. 
So if you have a strong password for something that you don't type 
often, you can keep it there to prompt your memory.

Doug

-- 
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!
