On 27/04/14 03:36, Robert J. Hansen wrote:
> Long passphrases also silently encourage users to do risky things like
> cut-and-paste them. (It's very easy for malware to look at the contents of
> your clipboard buffer.)

Is this really a useful criterion? Sure, by not using the clipboard you might stop some non-specific malware that simply does data trawling by sending all likely clipboard contents to a server so a hacker can see if it sees any passphrases in there. But since the malware is already in the position to execute arbitrary code with your credentials, you should simply consider your GnuPG installation compromised whether you use the clipboard or not. It can simply catch all calls to gpg2 or gpg-agent and prompt you for your passphrase.

If you're talking about a malicious site being open in the browser, I'd very much like to hear about known, unfixed vulnerabilities that allow server-supplied code to get at your clipboard. That would be quite a vulnerability in my eyes.

I use Keepass2 under Debian GNU/Linux to keep all the passphrases I use on this machine (but my OpenPGP keys are on a smartcard; they're not protected by a password but by a PIN). Since I'm not aware that there exists a plugin for Linux integrating Keepass2 and Firefox, I copy-paste all my web passwords, including high-profile stuff like PayPal. Also, there are some things that will never have integrated Keepass2 support, like command line tools, which require me to copy-paste.

If I need to check which /other/ websites I have open at the same time (or rather: close all open websites) whenever I use Keepass2, I'd very much like to know.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users