Page MenuHome GnuPG
Create Task
Maniphest T3254

Decide which password limit to use and consistently use that limitation
Closed, ResolvedPublic
Actions

Description

While investigating password limitations we found, that the current usage is somewhat inconsistent. Some examples to illustrate the problem at hand:

agent/genkey.c in agent_ask_new_passphrase: "size_t len = 100;"
agent/call-pinentry.c in agent_get_passphrase: size_t len = ASSUAN_LINELENGTH/2;
agent/genkey.c in agent_ask_new_passphrase: "pi->max_length = MAX_PASSPHRASE_LEN + 1;"

There are various limits in use. So to avoid chaos and usability issues,

  1. Decide on a good limit to use

We think the limit of 100 characters is too strict. Can we up the limit to 250 characters (or even 500 if there are no objections)?

  1. Use that limit consistently

Check locations where a limit may be use and double check they all use the same limit.

  1. How to deal with users using passwords in existing keys which are longer than the current limit?

We have at least one user report, where a user used a really long password and would then be unable to update the password.

Details

Version
2.1.21

Revisions and Commits

rG GnuPG
rG3681ee7dc1e9 agent: Use MAX_PASSPHRASE_LEN (255) also for the loopback.

Related Objects

Event Timeline

steve created this task.Jul 5 2017, 11:19 AM
steve updated the task description. (Show Details)Jul 5 2017, 11:23 AM
steve updated the task description. (Show Details)Jul 5 2017, 11:37 AM
werner added a subscriber: werner.Jul 5 2017, 11:45 AM

See also T2038 where the limit was raised from 100 to 255. It has not been raised for the loopback mode though.

werner added a commit: rG3681ee7dc1e9: agent: Use MAX_PASSPHRASE_LEN (255) also for the loopback..Jul 5 2017, 11:59 AM
werner changed the task status from Open to Testing.Jul 5 2017, 12:01 PM

I just fixed that in master. The limit is now 255 also for the loopback.

Please use the loopback feature only if really needed.

werner triaged this task as Low priority.Jul 5 2017, 12:01 PM
steve added a comment.Aug 8 2018, 5:36 PM

ping, what's the status of this bug? it has been in testing for over one year. is that the correct status?

matheusmoreira added a subscriber: matheusmoreira.May 9 2019, 9:39 PM
gniibe closed this task as Resolved.Dec 6 2019, 2:25 AM
gniibe claimed this task.
gniibe added a subscriber: gniibe.

The last fix was in 3681ee7dc1e9d8c94fdb046d7be0bbcfeba1cfe9, on 2017-07-05.
And it is included from the release of 2.1.22.