[Enigmail] Paste passphrase from clipboard into pinentry dialogbox
dougb at dougbarton.email
Sat Mar 28 20:51:45 CET 2015
On 3/28/15 12:30 PM, Daniel Kahn Gillmor wrote:
> [so much for following up on gpg-devel; i'm replying to enigmail because
> that's where this message went, even though i don't understand the
> reason to keep this non-enigmail discussion here]
> On Sat 2015-03-28 15:09:15 -0400, Doug Barton wrote:
>> Finally, someone else already posted the right answer, a tool like
>> Keepass can auto-type the password, bypassing the clipboard. It's also
>> thought to be safe against key loggers, although there is some dispute
>> on that topic.
> I quite like the Keepass approach.
> But it's not clear to me that this will work, at least for the versions
> of pinentry i've seen that grab the input devices (i'm seeing this on
> X11, at any rate). In this case, I don't think there is a way to
> trigger keepass to get it to type into the pinentry dialog.
Keepass has a way to specify the target window. But that method only
works with certain types of dialogs. I just tried it with the Mac GPG
Tools pinentry and it doesn't work. Of course there is no reason that
the standard pinentry front ends couldn't be adjusted as needed.
> What platforms has this approach been tested on?
>> I think that a case can be made for a better plan to be using a password
>> that you can remember, and type. I would also argue that for most people
>> there is no threat model that justifies a password so long that you
>> can't remember or type it. :)
> I can sympathize with this sentiment. In general, i think users should
> keep a very small number of strong passphrases that they can remember
> and can type, and should use the main one of those passphrases to
> control a mechanized password store (like keepass) for all the rest of
> I suppose the underlying question is whether you think the user's
> OpenPGP passphrase is one of these strong passphrases that they should
> be able to remember, or whether you think it should be delegated to the
> mechanized password store.
Yes, I agree with you in principle, and I do think that the secret key
password is one that should be typeable.
And FWIW, one of the virtues of a secure key store like Keepass is that
you can keep passwords in it whether you want to auto-type them or not.
So if you have a strong password for something that you don't type
often, you can keep it there to prompt your memory.
I am conducting an experiment in the efficacy of PGP/MIME signatures.
This message should be signed. If it is not, or the signature does not
validate, please let me know how you received this message (direct, or
to a list) and the mail software you use. Thanks!