[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2

[David Kronlid]

Remembering hundreds of passwords is to hard for me, so I use KeePass. I
use KeePass 2 and have encountered a similar problem but not the same.
KeePass's automatic entering of the password doesn't work with GPG4Win, and
GPG's pinentry is the only software that I have ever encountered that
blocks the automatic entry of passwords for some reason.

However if I instead copy and paste to and from the clipboard it works. =
Ctrl+c Ctrl+v works. But this method of transferring the password is less
secure according to the KeePass website/help.

I agree with Andre that there is a possibility to improve GPG4Win here, and
that securing a compromised computer doesn't make too much sense and that
an encrypted hard drive removes the problem with passwords getting saved in
swap files. Of course it's good to stop an attacker every possible way we
can, but not if it means that the passwords get too weak. However I also
would like to know what password manager Andre uses, as copy and paste to
and from the clipboard actually works for gpg4win. Are you using KeePass or
another software? Is this software really using the clipboard (in a normal
way)? I suspect that it doesn't use the clipboard in a normal way as that
should work fine.

On Linux it's different as KeePass 2 there only uses the clipboard instead
of the other two offered methods that the KeePass creator claim to be more
secure on Windows, and the normal clipboard usage works with the GPG
pinentry on both Linux and Windows.

/David
Den 28 sep 2014 17:55 skrev "PrivacyDefence" <webmaster at privacydefence.org>:

> Hi Andre
> Thank you for your response. I really appreciate that you have taken the
> time to comment on my email.
>
> Quote: "Which pinentry program are you using?"
>
> We provide point-and-click tutorials for encryption software such as
> Gpg4win. In our testing we install the latest version of Mozilla
> Thunderbird and then the corresponding version of Enigmail. Enigmail
> then handles the installation of Gpg4win. The user will then have
> whatever version of pinentry-qt4 is installed by default.
> It's interesting that apparently there is a fix for the lacking ability
> to copy and paste the password, thank you for mentioning that. We try
> however to make our tutorials as simple to follow as possible, so these
> tweaks would make a long tutorial even longer.
>
> Quote: "If you just copy / paste it you defeat that and make it extremly
> easy for other programs to grab the passphrase. .
> E.g. if your clipboard contents are swapped to disk or if you hibernate
> it will even be stored on the disk."
>
> These are valid points, although only relevant if the computer should be
> compromised. They are also the reason why you should encrypt your
> harddisk and secure the computer against hacking. Having done that,
> copying and pasting on your own computer should be the least of your
> worries.
> Also, if your computer is already compromised, the primary accident is
> already done. Making it a bit more difficult for other programs to grab
> your copied passwords will only give you a very minimal increase in
> security. In fact, many would argue that the whole concept of securing a
> computer that is already compromised is somewhat problematic.
> I guess one could even come up with some specific threat landscapes
> where copy and paste would be safer than typing the password manually.
> Think "hardware keyloggers"...
>
> Quote: "... We have enabled copy&paste for pinentry-qt some time last
> year. So it should work."
>
> This requires the tweaks you have mentioned, right? Because it does not
> work when installing Gpg4win in the straightforward fashion that I
> described above.
>
> I do get the point about choosing sensible defaults for the users, and I
> can only wish the whole industry will some day understand the importance
> of that. Most users go with the default, period. So thank you for trying
> to choose the right defaults in your software. But how about the point I
> made, that when password managers can no longer be used, people are
> forced to choose passwords that are weak enough that they can remember
> them and type they in manually. Won't you agree that this weakens the
> protection provided by the password?
>
> ---
> Kind regards
> Anders
> www.PrivacyDefence.org
>
> Public key:
> www.privacydefence.org/?page_id=69
>
>
>
>
> On 22-09-2014 10:38, Andre Heinecke wrote:
> > Hi,
> >
> > On Wednesday, September 17, 2014 04:27:23 PM PrivacyDefence wrote:
> >> Hi all
> >> Apparently copy-paste has been disabled in the latest version of
> >> Gpg4win. We have asked Enigmail about this and they believe it is an
> >> issue with Gpg4win.
> >
> > Which pinentry program are you using?  Copy and Paste is only enabled in
> > pinentry-qt4 (you can rename pinentry-qt4.exe in your installation
> folder to
> > pinentry.exe to make sure it is used if you have not configured it in
> your gpg-
> > agent.conf otherwise)
> >>
> >> Our post:
> >>
> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-Septem
> >> ber/002055.html
> >>
> >> Their reply:
> >>
> https://lists.enigmail.net/pipermail/enigmail-users_enigmail.net/2014-Septem
> >> ber/002056.html
> >>
> >> So is this a bug that will be fixed, or something done deliberately?
> >
> > Kind of. As said above, pasting the passphrase is enabled in
> pinentry-qt4. The
> > problem is that internally we jump through some hoops to ensure that the
> > passphrase is stored in secure memory. If you just copy / paste it you
> defeat
> > that and make it extremly easy for other programs to grab the
> passphrase. .
> > E.g. if your clipboard contents are swapped to disk or if you hibernate
> it
> > will even be stored on the disk.
> >
> > So we advise against copy&pasting your passphrase.
> >
> >> I am hoping for an open debate about this, as I believe it lowers
> >> security while also causing frustration for the users.
> >>
> >> Please let me hear your thoughts.
> >
> > As I have written above due to many requests to have the possibility to
> do
> > this. (And ultimately we can only set sane defaults / recommend stuff)
> We have
> > enabled copy&paste for pinentry-qt some time last year.
> >
> > So it should work.
> >
> > Best Regards,
> > Andre
> >
> _______________________________________________
> Gpg4win-users-en mailing list
> Gpg4win-users-en at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20140928/1ba6aa6a/attachment.html>