
[SOLVED]QtPass maximum number of attempts

Posted: Feb 12th, '23, 21:21
by banjo
I am using QtPass as my password manager. I inadvertently entered my master passphrase incorrectly, and it posted an error dialog saying

Bad Passphrase (try 2 of 3)


This implies to me that there are a maximum of 3 attempts to log in, after which there is a penalty incurred. I have searched high and low and cannot find what the penalty is for too many attempts.

I have searched the QtPass source code for the error message, and did not find it. So it appears that the message is posted by another piece of the system. The dialog box frame title has what appears to be a PID in it, for example

[2052363]@linux8core


That happens to be the PID of gpg2, so I am assuming that gpg2 is posting the dialog.

Code:
[brian@linux8core ~/.gnupg]$ ps -alx | grep 2052363
0  1001 2052363 2052362  20   0 190888  6944 -      SL   ?          0:00 gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent /home/brian/.password-store//amazon.com.gpg


I would like to find out what the penalty is and, if there is one, whether it is configurable.

There is no gpg.conf on my system that I can find.

It is curious that every time I try this I get "(try 2 of 3)", so if the penalty is a timeout, it is fairly short.

Any pointers to where I can find out how this works would be much appreciated.

inxi info
Code:
System:    Host: linux8core Kernel: 5.15.88-desktop-1.mga8 x86_64 bits: 64 Desktop: KDE Plasma 5.20.4 Distro: Mageia 8 mga8
Machine:   Type: Desktop Mobo: Micro-Star model: MPG Z590 GAMING PLUS (MS-7D07) v: 2.0 serial: <superuser required>
           UEFI: American Megatrends LLC. v: A.10 date: 04/09/2021
CPU:       Info: 8-Core 11th Gen Intel Core i7-11700K [MT MCP] speed: 800 MHz min/max: 800/4900 MHz
Graphics:  Device-1: NVIDIA GA106 [Geforce RTX 3050] driver: nvidia v: 510.60.02
           Display: x11 server: Mageia X.org 1.20.14 driver: nvidia resolution: 1: 1920x1080~60Hz 2: 1920x1080~60Hz
           OpenGL: renderer: NVIDIA GeForce RTX 3050/PCIe/SSE2 v: 4.6.0 NVIDIA 510.60.02


Thanks,
Banjo
(_)==='~

Re: QtPass maximum number of attempts

Posted: Feb 12th, '23, 21:38
by sturmvogel

Re: QtPass maximum number of attempts

Posted: Feb 12th, '23, 22:34
by banjo
Thanks for the pointer. I did not run into that one during my search. I guess the warning is sort of toothless.

Re: QtPass maximum number of attempts

Posted: Feb 13th, '23, 06:54
by isadora
Please, banjo, don't forget to mark the topic [SOLVED].
You can do so by editing the subject/title in the first message in this topic.
Write [SOLVED] to the left of the subject/title, thanks ahead. ;)

Re: [SOLVED]QtPass maximum number of attempts

Posted: Feb 13th, '23, 20:51
by banjo
OK. Said and done, although I might continue to look into it as a puzzle. If I find out something more specific about it I will report back here.

Re: [SOLVED]QtPass maximum number of attempts

Posted: Feb 18th, '23, 03:35
by banjo
I did a little more digging into this to see if I could figure out what it is doing with the failed passphrase errors. Here is what I saw.

When you attempt to access a password, the program starts up a gpg2 process, which posts the dialog box requesting the passphrase. That process gives the user three tries at the password and after the third bad attempt it posts an error and exits. So, the penalty for providing three incorrect attempts is that the gpg2 process gives up and quits.

However, if you click on the password again, it starts another gpg2 process, which then gives you three tries to guess the passphrase.

I don't know if invoking a new process every three tries would be enough to slow down a brute force attack, but it might.

The bottom line is that it does not do anything permanent such as locking you out after three tries.