
Decide which password limit to use and consistently use that limitation
Closed, Resolved (Public)

Description

While investigating password limitations we found that the current usage is somewhat inconsistent. Some examples to illustrate the problem at hand:

agent/genkey.c in agent_ask_new_passphrase: "size_t len = 100;"
agent/call-pinentry.c in agent_get_passphrase: "size_t len = ASSUAN_LINELENGTH/2;"
agent/genkey.c in agent_ask_new_passphrase: "pi->max_length = MAX_PASSPHRASE_LEN + 1;"

There are various limits in use. So to avoid chaos and usability issues,

  1. Decide on a good limit to use

We think the limit of 100 characters is too strict. Can we up the limit to 250 characters (or even 500 if there are no objections)?

  2. Use that limit consistently

Check locations where a limit may be used and double check they all use the same limit.

  3. How to deal with users using passwords in existing keys which are longer than the current limit?

We have at least one user report where a user used a really long password and would then be unable to update the password.
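The failure mode the description points at (a passphrase accepted when the key was created, then rejected or truncated by a code path that enforces a smaller limit) can be reproduced with a small model. The following C block is an added example and is not GnuPG code: the constant MAX_PASSPHRASE_LEN is set to 255 here because the task mentions that T2038 raised the limit to that value, but the function names, the 200-character test passphrase and the return codes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Single source of truth for the limit. 255 is the value the task says T2038
 * raised it to; the name is reused from the task text, everything else here is
 * an assumption made for this example. */
#define MAX_PASSPHRASE_LEN 255

/* True when the passphrase fits within 'limit' characters (terminating NUL excluded). */
static bool passphrase_fits(const char *pw, size_t limit)
{
    return strlen(pw) <= limit;
}

/* Models a passphrase's lifecycle: it is checked once against the limit used
 * when the key is created and once against the limit used when the key is
 * later unlocked or the passphrase is changed.
 * Returns 0 if both paths accept it, 1 if creation rejects it, 2 if only the
 * later path rejects it (the "cannot update the password" situation). */
int check_passphrase_lifecycle(const char *pw, size_t create_limit, size_t unlock_limit)
{
    if (!passphrase_fits(pw, create_limit))
        return 1;
    if (!passphrase_fits(pw, unlock_limit))
        return 2;
    return 0;
}

/* Copies a passphrase into a fixed buffer, refusing input over the limit
 * instead of silently truncating it. Silent truncation would mean the key is
 * really protected by a prefix of what the user typed.
 * Returns the copied length, or -1 if the input does not fit. */
int copy_passphrase(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n > MAX_PASSPHRASE_LEN || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Builds a constructed passphrase of n 'x' characters (capped at one over the limit). */
const char *constructed_passphrase(size_t n)
{
    static char buf[MAX_PASSPHRASE_LEN + 2];
    if (n > MAX_PASSPHRASE_LEN + 1)
        n = MAX_PASSPHRASE_LEN + 1;
    memset(buf, 'x', n);
    buf[n] = '\0';
    return buf;
}

/* Runs copy_passphrase against a correctly sized buffer for an n-char input. */
int demo_copy(size_t n)
{
    char buf[MAX_PASSPHRASE_LEN + 1];
    return copy_passphrase(buf, sizeof buf, constructed_passphrase(n));
}

int main(void)
{
    const char *pw = constructed_passphrase(200);
    /* Inconsistent limits: accepted at creation (255), rejected at unlock (100). */
    printf("255 create / 100 unlock: %d\n", check_passphrase_lifecycle(pw, 255, 100));
    /* Consistent limits: accepted on both paths. */
    printf("255 create / 255 unlock: %d\n",
           check_passphrase_lifecycle(pw, MAX_PASSPHRASE_LEN, MAX_PASSPHRASE_LEN));
    printf("copy of 200 chars: %d, copy of 256 chars: %d\n", demo_copy(200), demo_copy(256));
    return 0;
}
```

The point of the model is the second return code: any code path that enforces a smaller limit than the one in force when the passphrase was set locks the user out, so the check belongs in one place with one constant, and the entry path must never enforce a tighter bound than the creation path did.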

Details

Version
2.1.21

Event Timeline

See also T2038 where the limit was raised from 100 to 255. It has not been raised for the loopback mode though.

werner changed the task status from Open to Testing. Jul 5 2017, 12:01 PM

I just fixed that in master. The limit is now 255 also for the loopback.

Please use the loopback feature only if really needed.

Ping, what's the status of this bug? It has been in testing for over one year. Is that the correct status?

gniibe claimed this task.
gniibe added a subscriber: gniibe.

The last fix was in 3681ee7dc1e9d8c94fdb046d7be0bbcfeba1cfe9, on 2017-07-05.
And it is included from the release of 2.1.22.