PasswordMaker Forums

Firefox/SeaMonkey/Mozilla/Netscape/Flock Browser Extension => Feature Requests / Enhancements => Topic started by: lov2cod on November 16, 2005, 10:28:43 PM

Title: keyloggers
Post by: lov2cod on November 16, 2005, 10:28:43 PM
Guys,

I read the FAQ about PasswordMaker not being sensitive to keyloggers because the website's password is not typed. That's interesting, but it simply amounts to taking one step back: the master password can still be captured.

How about using something supplementing the master password with information from other channels:

1. biometric device
Something like the following (just a random example from Google):
http://www.storagemedia.com/product.asp?pf_id=SDP%2DBIO128&dept_id=22-001-002
In this approach PasswordMaker reads (part of) the password from a file and stores it in memory. I insert the USB key, activate it, PM reads the info, I remove the USB key.


2. mouse input
I avoid using the mouse; however, if you use it to select some information from a randomly changing screen then the keylogger is hosed. For example, you have a small 4-character password, a small keyboard is displayed on the screen in a random order and you just select the password from there.

What do you guys think?

Title: keyloggers
Post by: Miquel 'Fire' Burns on November 17, 2005, 03:36:23 AM
A way I can see number 1 working is if it adds the stuff it reads into the modifier field.

Number 2 sounds cool though, type part of the Master Password on the randomized keyboard, though would be hard to do.
Title: keyloggers
Post by: lov2cod on November 17, 2005, 04:04:06 AM
Well, in the online version, approach 2 can be implemented by having some dropdown fields that are populated in random order. It would also be nice to have some JavaScript to display the number as * after it has been selected. This way the low-res screenshots taken by some keyloggers have even less chance of getting the information.

lov2cod
Title: keyloggers
Post by: Eric H. Jung on November 17, 2005, 07:05:07 PM
Hi lov2cod,

Quote
I read the FAQ about PasswordMaker not being sensitive to keyloggers because the website's password is not typed. That's interesting, but it simply amounts to taking one step back: the master password can still be captured.
Good point, but if you save the master password to disk, the keylogger only ever has one opportunity to steal it. Needless to say, however, storing the MPW to disk is in itself a security risk.

Quote
In this approach PasswordMaker reads (part of) the password from a file and stores it in memory. I insert the USB key, activate it, PM reads the info, I remove the USB key.
I don't understand why a USB key is necessary. Why not just a file on the hard drive?

Quote
I avoid using the mouse; however, if you use it to select some information from a randomly changing screen then the keylogger is hosed. For example, you have a small 4-character password, a small keyboard is displayed on the screen in a random order and you just select the password from there.
Neat idea. Why randomly changing instead of a fixed QWERTY layout, though? Are you worried about TEMPEST (http://en.wikipedia.org/wiki/TEMPEST)-based attacks?

Quote
It would also be nice to have some javascript to display the number as *, after it has been selected
Can you explain which numbers you want to hide with * ?

Regards,
Eric
Title: keyloggers
Post by: Guest on November 18, 2005, 04:31:24 PM
Eric,

Putting the key (or part of it) on a USB key has the advantage that the key is not stored on the HD all the time, and also you can take it with you to various locations.

Picking the password with the mouse avoids using the keyboard. However, if the keylogger knows the UI from which you select the password then it can track your mouse position and clicks and discover the password. For example, on win32 you can use charmap.exe to type your password with the mouse. However, charmap.exe is a well-known program, so a keylogger can compute at least the relative difference between the letters that you selected.

The part about not displaying the UI and password for long amounts of time is used to complicate life for keyloggers that take screenshots. If your password is displayed on screen as you select it then the screenshot is more likely to capture it. So let's say you/we implement the part with selecting part of the password from dropdown lists. After you select the first character, that character will stay on the screen forever.

lov2cod
Title: keyloggers
Post by: Eric H. Jung on November 18, 2005, 04:51:20 PM
OK, I understand now.

Quote
The part about not displaying the UI and password for long amounts of time is used to complicate life for keyloggers that take screenshots. If your password is displayed on screen as you select it then the screenshot is more likely to capture it. So let's say you/we implement the part with selecting part of the password from dropdown lists. After you select the first character, that character will stay on the screen forever.
They can take screenshots all they like, but if the chosen characters are masked with *****, the screenshots are useless.

So would you be satisfied with an optional drop-down <select/> box for entering the master password in the Firefox/Mozilla extension, or do you want a randomly changing keyboard for the extension and a drop-down box for the website version?
Title: keyloggers
Post by: Guest on November 18, 2005, 05:32:07 PM
Eric,

I would be happy with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.

I am also very happy with PasswordMaker and I will keep on using it with or without the feature above :)

lov2cod
Title: keyloggers
Post by: Miquel 'Fire' Burns on November 18, 2005, 06:25:15 PM
Another solution, though a bit extreme and maybe not worth it, is virtual PC software running Firefox with the extension or web site, because the keylogger won't have an easy way of using that software to detect the correct settings. :)
Title: keyloggers
Post by: Guest on November 18, 2005, 06:44:20 PM
In a virtual PC, keyloggers still capture the keys ... unless I am missing something. Even some self-contained solutions like Black Dog are not immune to keyloggers (www.projectblackdog.com).

lov2cod
Title: keyloggers
Post by: Miquel 'Fire' Burns on November 18, 2005, 07:15:20 PM
What I'm saying is that if the keylogger is only on the host PC, the logger has no info about the guest system, and unless it's doing the screenshot stuff, how will it know you were entering a password? This is provided you design the virtual PC to not use network connections, or to only talk with the host OS and nothing else (with the two OSes being different, like Linux and Windows).

Let's drop this though for now, too much work is needed for too little gain in the long run.
Title: keyloggers
Post by: Eric H. Jung on November 19, 2005, 12:20:40 AM
lov2cod,

Quote
I would be happy with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.
Just curious, are you able to contribute any coding efforts yourself?
Title: keyloggers
Post by: Guest on November 19, 2005, 03:49:56 AM
Eric,

Let me know how I can help ... not much time available right now ... but this may be quick and fun.

:)

Not sure available time will lead to a valuable contribution.

Title: keyloggers
Post by: Felipe on January 03, 2006, 11:03:02 AM
Quote
Eric,

I would be happy with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.

I am also very happy with PasswordMaker and I will keep on using it with or without the feature above :)

lov2cod
I like the "choose password with your mouse" idea. I think it should be implemented. I would think that a standard QWERTY layout would suffice, but some just can't be careful enough! One for the online version, and one for the FX extension (I don't use IE anyhow). If the keyboard layout is random, I don't care. The more security the better, I suppose.
Felipe
Title: keyloggers
Post by: Eric H. Jung on January 03, 2006, 03:02:30 PM
Tyrantmizer, can you add this to the feature request list (http://forums.passwordmaker.org/index.php?showtopic=167)? "On-screen keyboard for master password entry". Looks like it slipped through the cracks. I'd completely forgotten about this till Felipe bumped it.

Thanks,
Eric
Title: keyloggers
Post by: Eric H. Jung on January 03, 2006, 03:05:52 PM
For those who can't wait for this feature, you can already achieve this on Windows (albeit not very conveniently) by using the Character Map tool:

[screenshot: http://img477.imageshack.us/my.php?image=capture132006100406am9gt.jpg]

It allows you to select any character from an on-screen keyboard, and copy-and-paste that character into another window.
Title: keyloggers
Post by: pwxyzg on January 12, 2006, 04:50:05 PM
Tripped and stumbled across this:
http://www.inference.phy.cam.ac.uk/dasher/

Figured some others may see it as an interesting method to avoid keylogging. Quite intuitive, just a little difficult at first, as they themselves admit. Give it a go!
Title: keyloggers
Post by: Miquel 'Fire' Burns on January 13, 2006, 02:06:44 AM
Wow, I'm going to try that program out now!
Title: keyloggers
Post by: Eric H. Jung on January 13, 2006, 05:20:44 AM
Yeah, the demo animated gifs look cool. Gotta try that.
Title: keyloggers
Post by: Miquel 'Fire' Burns on January 13, 2006, 03:43:14 PM
Fun little program, but not really a good idea to use it for inputting any passwords, as it does log what you 'type' into it for its own learning purposes. That, and it seems you need to copy and paste stuff anyway.
Title: keyloggers
Post by: pkcalgary on November 28, 2006, 10:09:22 AM
Looks like nobody's working on this idea. I don't think that cut + paste would work because it goes via the clipboard and that can be easily monitored by a keylogger. At least that's what some of these keylogging software companies claim. But a virtual keyboard in a PasswordMaker window might work. Even better, I think mouse clicks might be avoided when just "hovering" over a key image triggers the event; at least I've seen it mentioned someplace.

Not being a Windows programmer, I'm not sure how much work it would take and whether there may be some other gotchas. In my mind this step is almost indispensable for signing onto a bank account other than on my own machine, and particularly at a public place.

By the way, I think there should be an online setting for the length of the generated password if at all possible; different places have different limitations, maybe even based on account?
Title: keyloggers
Post by: Eric H. Jung on November 30, 2006, 12:00:44 AM
Hi,

We've decided in other threads on this forum that data entry and keylogging prevention is out of the scope of PasswordMaker, especially since there are many other software products that already achieve this.
Title: keyloggers
Post by: TMXOD on April 14, 2007, 02:00:12 PM
The only true way to have security when inputting the master password would be with a hardware biometric identification device that goes from your body straight to a pseudo-keyboard kernel-mode driver, and that will protect you from the script kiddie next door, but if someone really wants your master password, they can get it... Criminals can put a gun to your head, any government agency can get it in the US if they think you are a threat to national security, clipboard contents can be intercepted, on-screen keyboards can be easily hacked (read button text on click). But there is light at the end of the tunnel, and it is not a train heading your way: because Linux is not being adopted at the rate it deserves by the general public, the development of malware for it is more or less at the level it was 5 years ago, with most security exploits going towards things a home user would never come in contact with, such as sendmail, httpd, etc.

Edit: I just wrote this and didn't see Eric's comment above mine... and he's absolutely right... Wonderful program, BTW...
Title: keyloggers
Post by: Eric H. Jung on April 20, 2007, 02:33:49 PM
Quote
Wonderful program, BTW
Thank you!