[Gpg4win-users-en] Password security issue in Windows PowerShell

Matthew Orlando maorlando at gmail.com
Wed Nov 16 21:14:11 CET 2016


Hi all,

Not sure whether this is a gpg4win thing or a gpg thing, but it only
happens to me on Windows.

TL;DR: In PowerShell, gpg can easily trick the user into revealing their
password in plaintext. Let me know where the best place to report this
would be.

When you issue a gpg command with default settings, the following
message is displayed:

    You need a passphrase to unlock the secret key for
    user: "Matthew Orlando <maorlando at gmail.com>"
    2048-bit RSA key, ID 5EE7763D, created 2016-09-30 (main key ID BAA8DA4C)
    _

By all appearances, blinking cursor included, it looks like it's asking
you to enter the password on the console. I entered my password. A
couple of seconds later, the GUI password agent pops up. I entered the
password there, and my git commit finished.

Followed by:

    C:\Users\me> mypassword
    mypassword : The term 'mypassword' is not recognized as the name of
    a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the
    path is correct and try again.
    At line:1 char:1
    + mypassword
    + ~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (mypassword:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException

Great. Now my password has been printed FIVE times in my console window
and has to be wiped from my PowerShell command history. As a new
PowerShell user, it took a few minutes of googling to learn how. All the
while it's sitting there in command history, available to any process
with my credentials.

Even after experiencing this once or twice, the reaction to "password
needed: cursor" is deeply ingrained and I keep doing it, or catching
myself halfway. I'm pretty sure this is a case where I can rightly blame
the tool.

If I had been using another program that reads from stdin, it would have
received my password as input. I verified this with gpg --clearsign.

I decided to disable history across sessions entirely to defend against
this, but it's a pretty big loss of convenience, and really isn't
something that users should have to protect against.

Cheers,

Cog
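The cleanup step the post says took "a few minutes of googling", as an added example that is not part of the original message or of gpg4win/GnuPG. It assumes PSReadLine is loaded (the default on Windows 10 / PowerShell 5.x) and that `Get-PSReadLineOption` exposes the history file through its `HistorySavePath` property; the function name `Remove-SecretFromHistory` is made up for this example. The important design point is that the secret is read with `Read-Host -AsSecureString`, so that purging it does not put it on the command line, and therefore into history, a second time.

```powershell
# Added example (not from the original post): purge a leaked secret from
# PowerShell command history without retyping it as a command-line argument.
# Assumes PSReadLine is loaded and exposes HistorySavePath (assumption).
function Remove-SecretFromHistory {
    [CmdletBinding()]
    param()

    # Prompt without echo; the secret never appears in a command line.
    $secure = Read-Host -Prompt 'Secret to purge' -AsSecureString
    $secret = [System.Net.NetworkCredential]::new('', $secure).Password
    if ([string]::IsNullOrEmpty($secret)) { return }

    # 1. In-session history (what Get-History / Invoke-History see).
    #    Use .Contains() rather than -like so wildcard characters in the
    #    secret (* ? [) are matched literally.
    Get-History |
        Where-Object { $_.CommandLine.Contains($secret) } |
        ForEach-Object { Clear-History -Id $_.Id }

    # 2. PSReadLine's persisted history file, which survives across sessions
    #    and is readable by any process running as this user.
    $path = (Get-PSReadLineOption).HistorySavePath
    if ($path -and (Test-Path -LiteralPath $path)) {
        $kept = @(Get-Content -LiteralPath $path |
                  Where-Object { -not $_.Contains($secret) })
        [System.IO.File]::WriteAllLines($path, [string[]]$kept)
    }

    # 3. PSReadLine's in-memory buffer (Up-arrow recall in this session).
    #    Static method assumed available in the installed PSReadLine version.
    [Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory()

    # 4. The console scrollback still shows the echoed text; clear it too.
    Clear-Host

    # Drop the plaintext copy. A .NET string cannot be zeroed reliably,
    # but removing the reference lets it be collected.
    Remove-Variable -Name secret
}
```

Note that this only covers PowerShell's own records. If a transcript was running (`Start-Transcript`) or the text was fed to another program's stdin, as the post describes with `gpg --clearsign`, those copies need separate handling. The blanket alternative the post mentions, disabling persistent history entirely, is `Set-PSReadLineOption -HistorySaveStyle SaveNothing` in the profile.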
