[Gpg4win-users-en] Password security issue in Windows PowerShell

Matthew Orlando maorlando at gmail.com
Tue Nov 22 03:27:05 CET 2016



On 11/20/2016 11:44 PM, Thomas Arendsen Hein wrote:
> * Matthew Orlando <maorlando at gmail.com> [20161116 21:14]:
>>     You need a passphrase to unlock the secret key for
>>     user: "Matthew Orlando <maorlando at gmail.com>"
>>     2048-bit RSA key, ID 5EE7763D, created 2016-09-30 (main key ID BAA8DA4C)
>>     _
>>
>> By all appearances, blinking cursor included, it looks like it's asking
>> you to enter the password on the console.
> What would be your preferred solution?
>
> My first idea would be something similar to what I have seen on some
> ATMs or ticket machines: When the PIN needs to be entered on a
> separate PIN pad, the main/touch screen shows something like: "Enter
> your PIN on the numeric pad"
>
> Regards,
> Thomas

My preferred solution would be to disable console input while awaiting
pinentry. This seems to be what happens in Linux.

An improved message might reduce the frequency, but it would still look
like a password prompt at a glance. And since you'd have to change the
message depending on the pinentry program in use, it would be less
automation-friendly (pinentry-tty would do the right thing in this case,
but is less secure).

Another related issue is that the first time I run gpg after a reboot,
it takes a good 5 seconds for the pinentry program to appear (on a core
i7 6700k with a 500MB/s SSD). On subsequent runs the delay is
imperceptible between the message appearing and the pinentry window
appearing. Fixing first run load times would definitely help.

Cheers,

Matthew
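As an added illustration (not code from this thread or from GnuPG), the following sketch shows the mitigation Matthew proposes: while an external pinentry is collecting the passphrase, the calling program turns off console echo and line input on a POSIX TTY, prints the kind of redirect message Thomas suggested, and afterwards discards any keystrokes that were typed into the console meanwhile. The `wait_for_pinentry` callable and the `unlock_with_pinentry` wrapper are hypothetical names; on Windows this example only drains the keyboard buffer and does not change the console mode.

```python
"""Guard the console while an external pinentry collects the passphrase."""
import contextlib
import os
import sys


@contextlib.contextmanager
def console_guard(stream=sys.stdin):
    """Disable echo and line input on a TTY while the body runs, then
    discard whatever was typed into the console in the meantime.
    Yields True when a console was actually guarded, False otherwise."""
    fd = None
    try:
        fd = stream.fileno()
    except (AttributeError, OSError, ValueError):
        pass
    if fd is None or not os.isatty(fd):
        yield False  # not an interactive console (pipe, file): nothing to guard
        return
    if os.name == "nt":
        import msvcrt
        try:
            yield True
        finally:
            while msvcrt.kbhit():  # drain keystrokes typed while waiting
                msvcrt.getwch()
        return
    import termios
    saved = termios.tcgetattr(fd)
    quiet = list(saved)
    quiet[3] &= ~(termios.ECHO | termios.ICANON)  # no echo, no line buffering
    try:
        termios.tcsetattr(fd, termios.TCSANOW, quiet)
        yield True
    finally:
        termios.tcflush(fd, termios.TCIFLUSH)  # drop anything typed meanwhile
        termios.tcsetattr(fd, termios.TCSANOW, saved)


def unlock_with_pinentry(wait_for_pinentry, stream=sys.stdin):
    """Hypothetical wrapper around the pinentry wait.
    Returns (console_was_guarded, result_of_wait_for_pinentry)."""
    print("Enter your passphrase in the pinentry window, not on this console.",
          file=sys.stderr)
    with console_guard(stream) as guarded:
        result = wait_for_pinentry()
    return guarded, result


if __name__ == "__main__":
    # Stand-in for the real pinentry: pause so the console state can be observed.
    print(unlock_with_pinentry(lambda: "unlocked" if input() is not None else None))
```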


