Visible Password

David Chadwick d.w.chadwick at kent.ac.uk
Fri Jun 22 19:54:17 CEST 2012


Hi Robert

Yes, you are right. It does indeed reveal your passphrase.

I also tried to repeat my problem again with GPA, and this time most of 
my passphrase appeared in a Thunderbird window that had not popped up 
when I started to use GPA after immediately reading your email. 
Something (I did?) made this window pop up in Thunderbird whilst I was 
working with GPA.

But I am not sure I fully agree with your diagnosis. Say a PC is running 
slowly and another window appears just before you start to enter your 
passphrase, say due to a slow action that had not finished when you 
started GPA, then this new window will grab the keyboard focus without 
you realising it (and without pinentry being able to do anything about 
it). So your passphrase will go to the new window and should be visible 
there straight away.

So I think the problem you mention is slightly different, in that you 
are working in the command line mode, you type in your password to the 
command line window, but it is not echoed back to you for some reason. 
Then you switch to pinentry and it works just fine and exits, then when 
the focus returns to the command line, your passphrase is echoed back to 
it. My problem was somewhat different, in that a new window appeared in 
the GPA window and my password was entered and echoed to it, then the 
window disappeared again. What I do not know is what caused this new 
window to pop up. I suspect it was a hacker.

regards

David



On 22/06/2012 18:04, Robert J. Hansen wrote:
> On 6/22/2012 11:54 AM, David Chadwick wrote:
>> I was demonstrating GPA for the first time to a class of students
>> yesterday and a very strange thing happened.
>
> I was able to recreate this on GPG4WIN Win7/64, incidentally.  The
> problem does not appear to be in GPA, but in pinentry.  It can be
> recreated with a stock GPG4WIN installation.
>
> Steps:
>
> 	1.  Open a command window and launch a gpg --edit-key session
> 	2.  Execute a command that requires passphrase entry
> 	3.  *Do not* shift focus from the command window
> 	4.  Type your passphrase.  Nothing is visible.
> 	5.  Shift focus to pinentry
> 	6.  Type your passphrase and complete the passphrase
> 	7.  When focus returns to the command window, you'll see your
> 	    passphrase has been entered
>
> This seems to be caused by pinentry not grabbing keyboard focus.  It's a
> serious bug, all right.
>
>

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
School of Computing, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
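
Added example, not part of the original thread and not GnuPG or pinentry code: a simulation of Robert's steps 4 to 7 using a POSIX pseudo-terminal as a stand-in for the Windows command window. It shows that keystrokes typed into the terminal while the passphrase dialog lacks focus stay queued and are delivered to the next reader. Flushing pending input after the dialog returns is an assumed mitigation for illustration; it does not fix the focus problem itself.

```python
import os
import pty
import select
import termios

# Constructed sample: keystrokes the user typed into the terminal window
# while the passphrase dialog (which never took focus) was on screen.
STRAY_KEYS = b"correct horse battery staple\n"


def _wait_readable(fd, timeout):
    """Return True if fd has input ready within `timeout` seconds."""
    ready, _, _ = select.select([fd], [], [], timeout)
    return bool(ready)


def leaked_after_prompt(flush_pending_input):
    """Simulate the sequence and return what the next reader of the
    terminal (the shell or gpg> prompt) receives once the dialog closes."""
    # master = keyboard side, slave = the tty the command-line program owns
    master, slave = pty.openpty()
    try:
        # The user types into the terminal; nothing is reading it yet, so
        # the line sits in the tty input queue instead of being discarded.
        os.write(master, STRAY_KEYS)
        if not _wait_readable(slave, 2.0):
            raise RuntimeError("pty did not queue the input")

        # Hypothetical mitigation: drop queued input when the dialog returns.
        if flush_pending_input:
            termios.tcflush(slave, termios.TCIFLUSH)

        # Focus is back on the terminal: whatever is still queued is read.
        if _wait_readable(slave, 0.3):
            return os.read(slave, 1024)
        return b""
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print("without flush:", leaked_after_prompt(False))
    print("with flush:   ", leaked_after_prompt(True))
```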
