QtPass
QtPass copied to clipboard
IJHack
QtPass never forgets last password
When you decrypt a password and then leave QtPass open (or minimized to tray) even when "Autoclear panel after: X Seconds" option is used the password is never forgotten.
Scenario: I use Nitrokey to store my keys. I decyper password, unpug Nitrokey and leave with QtPass open. After an hour I can get back and copy password that was last decrypted and I don't need my GPG keys any more.
Proposed fix: Clear password after "Autoclear panel after: X Seconds" are passed, so next time you want to "Copy Password" you need to decrypt it again.
The GPG passphrase part is not part of QtPass per-say.
This is GPG agent behaviour, and has to be configured independently from QtPass.
Depending on your OS of choice I can probably help you figuring out where to change these settings.
Generally this config is found in ~/.gnupg/gpg-agent.conf
And the option you are looking for is the default-cache-ttl
No, I don't mean GPG password. I mean QtPass doesn't forget last accessed password from password store.
Here's probably better example:
Step 1) Decyper some password in password store step 2) move your ~/.gnupg to ~/.gnupg.bak, kill your gpg agent etc step 3) wait say 1 hours - (Time doesn't really matter at this point) step 4) click copy password to clipboard. QtPass will copy password decrypted in step 1, to clipboard. It won't need to invoke GPG
I have also noticed this behaviour previously. Is there a fix planned for this, or perhaps some guidance on how this can be approached if the maintainer is busy?
I welcome any and all patches and pull requests, unfortunately I myself don't have time to code on QtPass till September.
From September I plan on doing major work on QtPass again.
@alexzeitgeist In the configuration, you should consider setting Autoclear panel after X seconds. After that delay, one shouldn't be able to copy or see the content of the password file.
However, write-only edition is still possible since pass can write without the private key!
