C&P'ing passphrases (was Re: A few newbie Qs)

Peter Lebbing peter at digitalbrains.com
Sun Apr 27 13:35:29 CEST 2014


On 27/04/14 12:34, Robert J. Hansen wrote:
> I think so, but I'm well-known for being barking mad.

"Woof" back at you.

> Generally speaking, it is suboptimal to enter passphrases via C&P.  It
> makes it possible for a compromise tomorrow to discover the passphrase
> you entered today.

But I will just enter the same passphrase again tomorrow. Even if I notice I've
been compromised, it is unlikely that I notice this on the day of the
compromise. Even if I knew when the compromise happened, I wouldn't rely on my
memory to remember which passphrases I entered since. So, in conclusion, when I
notice my machine is compromised, I need to consider everything I access through
a passphrase using that machine as compromised, replace all those passphrases
and contemplate what the attacker could have done with the compromised services.

I don't think the risks I ran and the actions I need to take when my machine is
compromised are any different whether I use C&P or enter them directly, for the
common case that I regularly use the passphrase.

> I don't doubt there are situations where it makes sense to use C&P.
> I've yet to find one, though.

Well, you can't integrate your password manager with everything you need
passphrases for. And I highly prefer the more than hundred randomly-generated
passphrases[1] in my KeePass over trying to think of more than a hundred good
passphrases and remember them. I consider that waaaayyyy beyond my capabilities.
That word needs even more vowels, but it would make it hard to read ;).

Still, if there is a real risk that websites see my clipboard, I definitely want
to know.

Cheers,

Peter.

[1] By the way, the best part of those passphrases aren't protected on my
system; they are in my browser's unencrypted credentials database and the
password for the KeePass database is a single lowercase "a" because you have to
enter something. They are just accounts on websites. Passphrases I do consider
important are in another well-protected KeePass database (and are copy-pasted).

I recently moved Amazon to the protected database because I noticed you can
order and pay for stuff without re-entering your credit card number. It will be
shipped to one of your pre-existing addresses, but I still did not appreciate
it, so I changed the passphrase and moved it to my protected database.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>