Forum: help
Monitor Forum | 
Start New Thread
| RE: Can Not Paste Passphrase from Clipboard [ Reply ] By: Timo Schulz on 2007-03-09 19:48 | [forum:933] |
|
I agree that a central password store can be a good idea, but later versions of WinPT use a mechanism to make password snooping a little more difficult. But to use the feature, all copy/paste of the password field is not allowed. I might think about an option to disable this behaviour because it was frequently requested. |
|
| RE: Can Not Paste Passphrase from Clipboard [ Reply ] By: Bill Foster on 2007-03-01 23:57 | [forum:930] |
|
Also, by using Password Safe, from http://passwordsafe.sourceforge.net/ you can "autotype" hard-to-remember passphrases directly into the input box, whenever WinPT asks for it, without having to manually enter it by hand. HTH, Bill |
|
| RE: Can Not Paste Passphrase from Clipboard [ Reply ] By: Timo Schulz on 2006-05-28 16:47 | [forum:414] |
|
(I will think about an option) Regarding the issue that you have to type manually longer passphrases. IMHO the caching option will save this solution. And the key logger issue: the code tries to interrupt the hook chain. The main problem is that propably a lot of techniques exist to install key loggers and it's difficult to catch them all. In short, secure passphrase handling is a very complex task. And I can't see how to improve the situation if I allow to paste/copy the passphrase. If WinPT allows to paste the passphrase into the edit control, it means that the passphrase was stored in plaintext elsewhere and this raises (propably!) other security problems. My suggestion is to use the gpg-agent to avoid all these issues. Then WinPT does not have to deal with the passphrase at all. And the intern WinPT passphrase cache also solves most of the issues. You just need to type in it once and then it's retrieved from the cache and no keyboard interaction is needed. |
|
| RE: Can Not Paste Passphrase from Clipboard [ Reply ] By: Mike B on 2006-05-28 12:53 | [forum:413] |
|
Do you think it might be a good idea to provide an option so people can somehow choose whether or not they want this disabled? I mean, basically what you have done is made an improvement to your frontend to help protect from programs that might try to capture or extract the password from the control as you stated. However, now that people are being forced to have to manually type their password each time instead of being able to paste it in, that opens up a new suceptiblity to key loggers. Since the typing is now the -only- way, then certainly a key logger would capture the typed password. Using my method of keeping the password in a separate location and cut and pasting it into the box by passes the key loggers. While it then make me suceptable to cut and paste capturers or dialog box extractors, I don't think there's anything to say either malware is more common than the other. I would expect key loggers to be more common in fact. By removing the option you have limited the ability for the end user to use their own judgement in which method they find best to enter their password. Another issue arrises with manually typed passwords in that, for you to have a long and secure password (as well as something that you can remember easily) there's a higher chance of making typo's typing out your password and then on the other hand if someone was to sacrifice and use a shorter less secure password in order to make it less likely to make typos then again we have another security risk. If you could either make some sort of option so the end user could choose to enable or disable this additional protection you have added or maybe even just include an alternate executable for your software which has the 'modified' dialog control back to normal and unmodified, that would be give people the option to choose whichever they feel works best for their own situaton. As for now I suppose I will continue using 0.11.8.1 Regardless of your choose I put forth the above as a suggestion / recommendation to future releases of your software and I certainly apprecaite this software which you have done such a fine job of so far in the first place as I know of no other windows frontend which comes close. Even if you never change this, I still appreciate all the effort you've put into this software. Thanks v. much. |
|
| RE: Can Not Paste Passphrase from Clipboard [ Reply ] By: Timo Schulz on 2006-05-26 17:00 | [forum:410] |
|
This is on purpose! The "modified" edit control restricts the ability to extract and/or copy/paste the passphrase from or to the control. This is no perfect protection but it makes a "hidden" passphrase copy much more difficult. WM_GETTEXT (Win32 API Message) also does not work to retrieve the passphrase text. |
|
| Can Not Paste Passphrase from Clipboard [ Reply ] By: Mike B on 2006-05-26 06:44 | [forum:407] |
|
A change took place between 0.11.8.1 and 0.11.9 where one is no longer able to paste or copy or select text inside of the text field where you enter your passphrase when decrypting or encrypted a message or file. I am curious if this is an intentional change or if this is a bug? I find myself stuck using version 0.11.8.1 until this can be fixed back to the way it was. -------------------- A more detailed description: -------------------- If you follow these instructions you will see what I mean: 1. Take a PGP encrypted message, copy it to the clipboard as you would if you intended to decrypt it. 2. Right click WinPT and select Clipboard > Decrypt & Verify. 3. You are presented with the form / text box in which you are to enter your passphrase. 4. Type anything you wish into this box, i.e. just some random characters so that you have some info in there. 5. If you press Control + A, normally this would select the text in this box and you could then hit either Control + C to copy it to clipboard. - Alternatively you could also normally hit Control + V if you wanted to paste a passphrase into this box. - Using Control + V to paste a passphrase into this box WAS possible all the way up until and including version 0.11.8.1. In version 0.11.9 and all versions following it, this is no longer possible, the box simply doesn't respond to the standard Control + V / Control + C / Shift + Insert, etc. My passphrase is an extremely long string of random characters which I keep stored in a text file on a memory stick and I copy and paste it into this box as it is impossible to memorize, but I am no longer able to do this. So I am just writing to see if this is an intentional change of the software or if it was something that somehow got messed up (a bug) in the transition between these two version releases. If it was indeed intentional, is there anything I can do to restore this fuctionality in a later release, possibly have the ability to copy / paste into this box set as an option in the preferences dialog for WinPT or a setting somewhere in registry perhaps? Is there any current work around to fix this? If this was not an intentional change, then I present it now as a bug to hopefully be fixed ASAP in 0.12.2. Until then I must use 0.11.8.1. :( |
|
