On 27/04/14 12:34, Robert J. Hansen wrote:

> I think so, but I'm well-known for being barking mad.

"Woof" back at you.

> Generally speaking, it is suboptimal to enter passphrases via C&P. It
> makes it possible for a compromise tomorrow to discover the passphrase
> you entered today.

But I will just enter the same passphrase again tomorrow. Even if I notice I've been compromised, it is unlikely that I notice this on the day of the compromise. Even if I knew when the compromise happened, I wouldn't rely on my memory to remember which passphrases I entered since.

So, in conclusion, when I notice my machine is compromised, I need to consider everything I access through a passphrase using that machine as compromised, replace all those passphrases and contemplate what the attacker could have done with the compromised services.

I don't think the risks I ran and the actions I need to take when my machine is compromised are any different whether I use C&P or enter them directly, for the common case that I regularly use the passphrase.

> I don't doubt there are situations where it makes sense to use C&P.
> I've yet to find one, though.

Well, you can't integrate your password manager with everything you need passphrases for. And I highly prefer the more than hundred randomly-generated passphrases[1] in my KeePass over trying to think of more than a hundred good passphrases and remembering them. I consider that waaaayyyy beyond my capabilities. That word needs even more vowels, but it would make it hard to read ;).

Still, if there is a real risk that websites see my clipboard, I definitely want to know.

Cheers,

Peter.

[1] By the way, the best part of those passphrases aren't protected on my system; they are in my browser's unencrypted credentials database, and the password for the KeePass database is a single lowercase "a" because you have to enter something. They are just accounts on websites. Passphrases I do consider important are in another well-protected KeePass database (and are copy-pasted).
I recently moved Amazon to the protected database because I noticed you can order and pay for stuff without re-entering your credit card number. It will be shipped to one of your pre-existing addresses, but I still did not appreciate it, so I changed the passphrase and moved it to my protected database.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>