[Gpg4win-users-en] Copy-paste deactivated in Gpg4win 2.2.2

PrivacyDefence webmaster at privacydefence.org
Mon Sep 29 22:18:25 CEST 2014


Hi Bernhard,
We are certainly in the same boat here and I appreciate your comments
and questions. I'll reply as best I can.

Quote: “a) does the current pinentry-qt4 work for you, technically?”

I think it works as intended. That is, I can type in the chosen password
without any issues. But any sort of copy and paste is disabled, which
I'm sure will prevent password managers from working.
What I'm referring to here is what happens when we are testing our
tutorials. My own personal setup is a bit different, but that's beside
the point. Our goal is to make the encryption available for non-techies.

Quote: “b) [...] So what is the default with your tutorial/Enigmail?”

After installing Thunderbird and adding Enigmail, the Enigmail Setup
Wizard (previously called OpenPGP Setup Wizard) will launch. As part of
the wizard it is detected that Gpg4win is not installed (we always test
on clean virtual Windows clones), so it is then downloaded and
installed. We currently recommend installing Gpg4win with all default
settings except for one thing: We advocate installing “GnuPG” and nothing
else. However, we have also tried to go 100% default and install ALL the
components that are ticked off by default. The result is the same.

Note also that you can copy and paste your password when choosing it,
not knowing that it will not work later on. This is problematic! Imagine
you have chosen a 63-character password with all sorts of characters
mixed in randomly (if you use a password manager, why wouldn't you?).
It's gonna be a long night before you are able to TYPE such a password
correctly. Remember, you can't even check that you have typed it correctly
before clicking ok. If you typed incorrectly, you won't know where you
made a mistake, and you simply have to start all over from the beginning
of the password.
Clearly, this makes no sense. At the very least the user should get a
warning that although the password can be pasted when choosing it, it
will not work later on. That, or copy and paste should ALSO be disabled
when choosing the password.

Quote: “c) Is allowing a password paste and copy a good idea?”

I find it almost impossible to manage passwords in a secure way without
the use of a password manager. The human brain just isn't good at
remembering strong passwords. And with the growing number of online
places to log in these days, the number of different passwords we should
remember is simply unrealistic. It seems that most people have given up
and either have many different passwords that are all weak, or have one
strong password that is used for everything. Neither is ideal. Password
managers have their downsides too, but I find them to be the closest to
a solution we currently have come. That's why I recommend them. And for
what it's worth, so does Bruce Schneier. Quote:
“I've long recommended a password manager to solve the very real problem
that any password that can be easily remembered is vulnerable to a
dictionary attack. [...] I still recommend using a password manager,
simply because it allows you to choose longer and stronger passwords.”
https://www.schneier.com/blog/archives/2014/09/security_of_pas.html

Currently, Gpg4win prevents the use of password managers on Windows. If
you can change this, I believe it will benefit your users' online safety.

---
Kind regards
Anders
www.PrivacyDefence.org

Public key:
www.privacydefence.org/?page_id=69
On 29-09-2014 09:44, Bernhard Reiter wrote:
> Hi,
> 
> thanks for trying to improve Gpg4win, we appreciate the discussion.
> 
> On Sunday 28 September 2014 at 17:55:12, PrivacyDefence wrote:
>> The user will then have
>> whatever version of pinentry-qt4 is installed by default.
>> It's interesting that apparently there is a fix for the lacking ability
>> to copy and paste the password, thank you for mentioning that. We try
>> however to make our tutorials as simple to follow as possible, so these
>> tweaks would make a long tutorial even longer.
> 
> There are several points here:
> a) does the current pinentry-qt4 work for you, technically?
> It should, so you could try and report it. This helps us to find defects.
> 
> b) What the default is and should be.
> The gpg4win installer offers some choice, because we have several applications
> that have their strengths in different scenarios. So it is hard to provide a one
> stop default that is good for everybody. pinentry-qt4 may even be the default
> if you install Gpg4win as default with Kleopatra. So what is the default with
> your tutorial/Enigmail?
> 
> c) Is allowing a password paste and copy a good idea?
> 
>> if your computer is already compromised, the primary accident is
>> already done. Making it a bit more difficult for other programs to grab
>> your copied passwords will only give you a very minimal increase in
>> security.
> 
> Defence in depth is a good idea in principle. 
> However I believe that user demand has shown that pinentries should have a 
> copy and paste issue. At least one option that people could enable.
> 
> Now we just need the work done to do this to all pinentries. ;)
> 
> Best Regards,
> Bernhard
> 
> 
> 
> 
> _______________________________________________
> Gpg4win-users-en mailing list
> Gpg4win-users-en at wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
> 