Weak password concerns with GPG

Discussion in 'privacy problems' started by LinuxNewb, Dec 4, 2014.

  1. LinuxNewb

    LinuxNewb Registered Member

    Joined:
    Nov 17, 2014
    Posts:
    13
    When using gpg4win with Thunderbird and Enigmail, I am wondering if there is a way to be able to copy and paste a longer password in? Trying to remember a 35 character password is hard without copying and pasting it. What do most people use when they want a very long password for their keys? I know on my Mac I can do it, but on Linux with gpg4win I can't. Any suggestions?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I use modular passphrases, composed of shorter components. Some of the components are just passwords that I've used for many years, such as "973vc65" or "ajRP82ped". Others are longer, and represent the initial letters of memorable phrases. For example, "When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another" becomes "witcoheibnfoptdtpbwhctwa". To get long passphrases, I just concatenate the components, like words in sentences: "973vc65 witcoheibnfoptdtpbwhctwa ajRP82ped".
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Alternatively, use a password manager program like KeePass; it can generate long passwords and store them in an encrypted database.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    The problem is getting them into passphrase prompts that don't allow pasting. And in the case of the LUKS prompt, there's no OS running to paste from.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The Yubikey has the ability to store a long static password in a slot, which you could concatenate with one you entered. Of course, that then leaves the securing of the key, but at least that's a different kind of threat (which threat might also be able to extract your remembered password with "persuasion" regardless).
     
  6. LinuxNewb

    LinuxNewb Registered Member

    Joined:
    Nov 17, 2014
    Posts:
    13

    I like this idea, thx mirimir!
     
  7. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Copy, then Ctrl + v to paste in a prompt that doesn't allow regular paste.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    With a LUKS prompt at boot, there is no "Ctrl + v".

    And actually, "Ctrl + v" does work with both the GnuPG and OpenSSH passphrase agent prompts. My bad for not checking :oops: I vaguely recall a passphrase dialog that didn't, but not which one :confused:

    But for what it's worth, of all the passphrases that I use, the LUKS ones are the longest. That's what keeps adversaries out.
     
  9. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I second the Yubikey. One way of securing it even more is to have the first 10 characters as something you know and use the Yubikey for the rest.
     
  10. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I have been interested in Yubico development SDK information relating to the use of the HMAC-SHA1 functionality in the context of Two factor authentication of whole disk encryption. The point being that the HMAC-SHA1 is at least protected in a secret, where the static password is clearly not! Possession of the key does not mean you know the HMAC-SHA1 secret, whereas with the static, that information is available to anyone with the key.

    But I have not seen any developments which use this for FDE.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    @mirimir, thanks for posting the pre-boot authentication document, that's the one I had in mind (and I've been experimenting with its suggestions for various local 2fa).

    But unfortunately, the implemented YK support for BitLocker, TC and LUKS is all static password based, not HMAC-SHA1, which means that if the attacker also has your YubiKey along with the disk/file, you've lost say half your entropy (assuming the attacker hasn't extracted the other half from you personally!). I would much prefer a successor to TrueCrypt to support the HMAC-SHA1 version of 2fa using the mechanisms outlined in the first paper.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'm rather surprised that nothing that supports HMAC-SHA1 on Yubikey with LUKS has developed. What's the problem? Is it that Yubikey is emulating a keyboard, but also one needs a keyboard to enter the challenge password? Could one maybe just use a USB splitter?
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I'd very much like to see such a thing too - it may exist but be sitting in-house in various places. I'm not sure how Linux handles multiple HID, but I don't see there would be a problem there. There are Linux samples which use the OTP for PAM and SSH, but not so many examples for hmac generally. One of the other issues of course is that - as the first paper suggests for FDE - you ideally want a multi-user ability. But I'm not sure that LUKS provides for this - ah, I see it does - but of course would add to the complexity. And the code development is all low-level stuff.
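
A small simulation of the distinction drawn in posts 10 and 12 between a static-password slot and an HMAC-SHA1 challenge-response slot, added here as an illustration; it is not code from the thread, from Yubico's SDK or from the document mentioned in post 12. The two classes are software stand-ins for the token, and the way the challenge is built from the passphrase, the PBKDF2 parameters and every sample value are assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-volume-salt"  # constructed sample value

class StaticSlot:
    """Simulated static-password slot: types out the stored string."""
    def __init__(self, stored: str):
        self._stored = stored
    def emit(self) -> str:
        return self._stored

class HmacSlot:
    """Simulated HMAC-SHA1 challenge-response slot: the secret stays inside."""
    def __init__(self, secret: bytes):
        self._secret = secret
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def kdf(material: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, SALT, 100_000)

def static_key(memorized: str, typed_by_token: str) -> bytes:
    # The key depends on two strings only; the token is just a typist.
    return kdf((memorized + typed_by_token).encode())

def challenge_for(memorized: str) -> bytes:
    # Assumption: hash the passphrase into a fixed 32-byte challenge.
    return hashlib.sha256(SALT + memorized.encode()).digest()

def hmac_key(memorized: str, slot: HmacSlot) -> bytes:
    return kdf(slot.respond(challenge_for(memorized)))

def hmac_key_from_transcript(memorized: str, recorded: dict):
    # Without the token, only responses that were recorded can be reused.
    response = recorded.get(challenge_for(memorized))
    return kdf(response) if response is not None else None

def demo():
    memorized = "constructed memorized part"
    static, hm = StaticSlot("constructed-static-part"), HmacSlot(bytes(range(20)))
    real_static, real_hmac = static_key(memorized, static.emit()), hmac_key(memorized, hm)
    # Someone handles both tokens once, then hands them back.
    copied = static.emit()
    other = challenge_for("a different passphrase")
    recorded = {other: hm.respond(other)}
    return (static_key(memorized, copied) == real_static,           # the copy replaces the token
            hmac_key_from_transcript(memorized, recorded) is None,  # the transcript does not
            real_hmac == hmac_key(memorized, hm))                   # token present still unlocks

if __name__ == "__main__":
    print(demo())
```

Someone who keeps the token can still send it challenges, so the memorized part has to be strong in its own right in either mode.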
     