password caching issues

Mike G.'s Avatar

Mike G.

19 Apr, 2017 04:44 PM

This comment was split from the discussion: Storing keys in Mac Keychain Access

Steve,

Your answers have been very helpful, thanks.

1) Any update on resolving the password cache issue? . . . I've set mine for 12000 seconds (20 minutes), but it definitely still pops up asking for my password again (For some reason I don't want to store the password in my Mac OS Keychain)

2) could you say a bit more about why you don't recommend a web-based password manager? I currently use lastpass, and I know there was a hack, recently, but my understanding is that all the master passwords are hashed.

3) Given that your security precautions include not using web based password managers, what are your thoughts about Mac OS Keychain? I've read a bit that makes it sound secure . . . but I just don't like the idea of Apple 'having' my PGP master password (I know they say they can't see it).

Thanks!

Mike

  1. Support Staff 1 Posted by Steve on 19 Apr, 2017 05:24 PM

    Steve's Avatar

    Mike, I have split your comment into a separate discussion.

    I'll try to answer your questions:

    1) Can you give more details on the scenario you are referring to? When you say you set a caching time, have you entered the password so that it resides in the cache for the given time? The fact that you may be asked for your password twice is expected since signing and decryption maybe done using different parts of your key. Once you entered the password (once or twice) the caching should indeed work as expected. Is that not the case for you?

    2) LastPass has received some attention from Tavis Ormandy from the Google Project Zero team recently. E.g. https://twitter.com/taviso/status/843965519371812864 etc. So it may be a good idea to keep an eye on that and which of the issues are fixed and which remain open.

    3) I answered that part in Discussion #50834 which is about the security of macOS keychain.

    I hope this somewhat answers your questions. Let me know how the caching experiments go.

    All the best,
    steve

  2. 2 Posted by Mike G. on 20 Apr, 2017 03:14 AM

    Mike G.'s Avatar

    Hi Steve,

    Thanks for responding to my questions.

    I set the "remember my password" length in gpgPreferences.prefPane for 1200 seconds (see attached image of my settings). I have to enter my password much more than twice, and certainly nothing is remembered for 12000 seconds. So, yes, it is the case for me that the caching is not working.

    Thanks for the Lastpass and MasOS keychain resources!

    Mike

  3. Support Staff 3 Posted by Steve on 20 Apr, 2017 11:14 AM

    Steve's Avatar

    Should you be available, could you hop on our live chat here:
    https://www.hipchat.com/gyyOrLdWt

  4. 4 Posted by Mike G. on 20 Apr, 2017 05:09 PM

    Mike G.'s Avatar

    Hi Steve,

    I'm at work and don't have my mac here unfortunately. Hope we can chat soon.

    Are you on west coast time per chance? If so I could chat after I get off work as I'm two hours ahead of you.

    Thanks,

    Mike

    Sent on the move

  5. Support Staff 5 Posted by Steve on 28 Apr, 2017 09:06 AM

    Steve's Avatar

    We're based in europe. The best thing is to just hop on the live chat and if no one is present just idle in the room for a while.

  6. 6 Posted by Mike G. on 06 May, 2017 02:23 PM

    Mike G.'s Avatar

    Steve,

    It’s asking me to submit my work email, which seems odd, and when I submit my riseup email it’s asking if I want to join the riseup team, which doesn’t seem right either.

    If you provide me with your email or your hip chat url i can request an invite to your team:

    The problem with GPG tools constantly requesting my password still persists, so I’d love to get some help with this.

    Thank you,

    Mike

    -----
    Mike Godbe

    [email blocked]
    Public Key <https://pgp.mit.edu/pks/lookup?op=get&search=0x3451CF95F6B95222>
    Fingerprint: 42BA 9203 10AC D83F FD40 1FEF 3451 CF95 F6B9 5222

    Minilock ID:
    QUMw4xh7o175GhBCKEqSv8vuo8E3yaRRHb5WvHgCK5ZzY

    I prefer to use encrypted email
    Learn how to encrypt your email with the Email Self Defense guide <https://emailselfdefense.fsf.org/en/>

     <https://emailselfdefense.fsf.org/en/>

  7. Support Staff 7 Posted by Steve on 08 May, 2017 09:13 AM

    Steve's Avatar

    Hey Mike,

    there's been a problem at HipChat and all public rooms received new URLs. Here's the new URL to join live chat:

    https://www.hipchat.com/gyyOrLdWt

    Kindly,
    steve

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac