[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2
webmaster at privacydefence.org
Sun Sep 28 19:41:20 CEST 2014
Thanks for your comments. We have tested on Windows Vista, 7 and 8 with
the same result: Copy and paste does not work. This goes for Ctrl+c and
Ctrl+v as well.
We currently recommend Password Safe but I don't believe we have
actually tested it. It uses the copy-paste feature in Windows which
seems to be completely disabled, so I am convinced it will not work.
That's the problem I'd like to bring to attention.
On 28-09-2014 19:02, David Kronlid wrote:
> Remembering hundreds of passwords is to hard for me, so I use KeePass. I
> use KeePass 2 and have encountered a similar problem but not the same.
> KeePass's automatic entering of the password doesn't work with GPG4Win, and
> GPG's pinentry is the only software that I have ever encountered that
> blocks the automatic entry of passwords for some reason.
> However if I instead copy and paste to and from the clipboard it works. =
> Ctrl+c Ctrl+v works. But this method of transferring the password is less
> secure according to the KeePass website/help.
> I agree with Andre that there is a possibility to improve GPG4Win here, and
> that securing a compromised computer doesn't make too much sense and that
> an encrypted hard drive removes the problem with passwords getting saved in
> swap files. Of course it's good to stop an attacker every possible way we
> can, but not if it means that the passwords get too weak. However I also
> would like to know what password manager Andre uses, as copy and paste to
> and from the clipboard actually works for gpg4win. Are you using KeePass or
> another software? Is this software really using the clipboard (in a normal
> way)? I suspect that it doesn't use the clipboard in a normal way as that
> should work fine.
> On Linux it's different as KeePass 2 there only uses the clipboard instead
> of the other two offered methods that the KeePass creator claim to be more
> secure on Windows, and the normal clipboard usage works with the GPG
> pinentry on both Linux and Windows.
> Den 28 sep 2014 17:55 skrev "PrivacyDefence" <webmaster at privacydefence.org>:
>> Hi Andre
>> Thank you for your response. I really appreciate that you have taken the
>> time to comment on my email.
>> Quote: "Which pinentry program are you using?"
>> We provide point-and-click tutorials for encryption software such as
>> Gpg4win. In our testing we install the latest version of Mozilla
>> Thunderbird and then the corresponding version of Enigmail. Enigmail
>> then handles the installation of Gpg4win. The user will then have
>> whatever version of pinentry-qt4 is installed by default.
>> It's interesting that apparently there is a fix for the lacking ability
>> to copy and paste the password, thank you for mentioning that. We try
>> however to make our tutorials as simple to follow as possible, so these
>> tweaks would make a long tutorial even longer.
>> Quote: "If you just copy / paste it you defeat that and make it extremly
>> easy for other programs to grab the passphrase. .
>> E.g. if your clipboard contents are swapped to disk or if you hibernate
>> it will even be stored on the disk."
>> These are valid points, although only relevant if the computer should be
>> compromised. They are also the reason why you should encrypt your
>> harddisk and secure the computer against hacking. Having done that,
>> copying and pasting on your own computer should be the least of your
>> Also, if your computer is already compromised, the primary accident is
>> already done. Making it a bit more difficult for other programs to grab
>> your copied passwords will only give you a very minimal increase in
>> security. In fact, many would argue that the whole concept of securing a
>> computer that is already compromised is somewhat problematic.
>> I guess one could even come up with some specific threat landscapes
>> where copy and paste would be safer than typing the password manually.
>> Think "hardware keyloggers"...
>> Quote: "... We have enabled copy&paste for pinentry-qt some time last
>> year. So it should work."
>> This requires the tweaks you have mentioned, right? Because it does not
>> work when installing Gpg4win in the straightforward fashion that I
>> described above.
>> I do get the point about choosing sensible defaults for the users, and I
>> can only wish the whole industry will some day understand the importance
>> of that. Most users go with the default, period. So thank you for trying
>> to choose the right defaults in your software. But how about the point I
>> made, that when password managers can no longer be used, people are
>> forced to choose passwords that are weak enough that they can remember
>> them and type they in manually. Won't you agree that this weakens the
>> protection provided by the password?
>> Kind regards
>> Public key:
>> On 22-09-2014 10:38, Andre Heinecke wrote:
>>> On Wednesday, September 17, 2014 04:27:23 PM PrivacyDefence wrote:
>>>> Hi all
>>>> Apparently copy-paste has been disabled in the latest version of
>>>> Gpg4win. We have asked Enigmail about this and they believe it is an
>>>> issue with Gpg4win.
>>> Which pinentry program are you using? Copy and Paste is only enabled in
>>> pinentry-qt4 (you can rename pinentry-qt4.exe in your installation
>> folder to
>>> pinentry.exe to make sure it is used if you have not configured it in
>> your gpg-
>>> agent.conf otherwise)
>>>> Our post:
>>>> Their reply:
>>>> So is this a bug that will be fixed, or something done deliberately?
>>> Kind of. As said above, pasting the passphrase is enabled in
>> pinentry-qt4. The
>>> problem is that internally we jump through some hoops to ensure that the
>>> passphrase is stored in secure memory. If you just copy / paste it you
>>> that and make it extremly easy for other programs to grab the
>> passphrase. .
>>> E.g. if your clipboard contents are swapped to disk or if you hibernate
>>> will even be stored on the disk.
>>> So we advise against copy&pasting your passphrase.
>>>> I am hoping for an open debate about this, as I believe it lowers
>>>> security while also causing frustration for the users.
>>>> Please let me hear your thoughts.
>>> As I have written above due to many requests to have the possibility to
>>> this. (And ultimately we can only set sane defaults / recommend stuff)
>> We have
>>> enabled copy&paste for pinentry-qt some time last year.
>>> So it should work.
>>> Best Regards,
>> Gpg4win-users-en mailing list
>> Gpg4win-users-en at wald.intevation.org
More information about the Gpg4win-users-en