List:       gpg4win-users-en
Subject:    Re: [Gpg4win-users-en] Password security issue in Windows PowerShell
From:       Matthew Orlando <maorlando () gmail ! com>
Date:       2016-11-22 2:27:05
Message-ID: 7360e60c-00fa-8d37-d7d1-51d03b6c2f8f () gmail ! com

On 11/20/2016 11:44 PM, Thomas Arendsen Hein wrote:
> * Matthew Orlando <maorlando@gmail.com> [20161116 21:14]:
>>     You need a passphrase to unlock the secret key for
>>     user: "Matthew Orlando <maorlando@gmail.com>"
>>     2048-bit RSA key, ID 5EE7763D, created 2016-09-30 (main key ID BAA8DA4C)
>>     _
>>
>> By all appearances, blinking cursor included, it looks like it's asking
>> you to enter the password on the console.
> What would be your preferred solution?
>
> My first idea would be something similar to what I have seen on some
> ATMs or ticket machines: When the PIN needs to be entered on a
> separate PIN pad, the main/touch screen shows something like: "Enter
> your PIN on the numeric pad"
>
> Regards,
> Thomas

My preferred solution would be to disable console input while awaiting
pinentry. This seems to be what happens in Linux.

An improved message might reduce the frequency, but it would still look
like a password prompt at a glance. And since you'd have to change the
message depending on the pinentry program in use, it would be less
automation-friendly (pinentry-tty would do the right thing in this case,
but is less secure).

Another related issue is that the first time I run gpg after a reboot,
it takes a good 5 seconds for the pinentry program to appear (on a core
i7 6700k with a 500MB/s SSD). On subsequent runs the delay is
imperceptible between the message appearing and the pinentry window
appearing. Fixing first run load times would definitely help.

Cheers,

Matthew


_______________________________________________
Gpg4win-users-en mailing list
Gpg4win-users-en@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/gpg4win-users-en
