Topic: PasswordMaker is NOT safe for keyloggers

xolphin
« on: March 01, 2007, 11:31:24 PM »
Some websites, and the FAQ of PasswordMaker itself, state that it is safe for keyloggers:

Quote
Keyloggers work by tracing every key typed on the keyboard. With PasswordMaker, you never type anything but your master password (and if you choose Store Master Password on disk and in memory (encrypted), you only type that once). The real passwords (generated ones) are never typed, so keyloggers never detect them!

PasswordMaker is NOT safe for keyloggers. Worse than seeing the password for a website, the keylogger registers the actual Master Password. Typing your Master Password in a publicly available computer is... plain stupid! The other things for recovering the actual passwords are easy to recover; the keylogger can easily register what url, username or salt is being used.

Please remove this from the FAQ, and please tell people not to type in their Password on any public computer. If you care about security, don't use a public computer to log in to anywhere!

It would be incredibly nice if somebody was able to generate a tool that works in combination with PasswordMaker and a one time password system like OTPW (see http://www.cl.cam.ac.uk/~mgk25/otpw.html). That actually would be secure, and would defeat a keylogger. But it makes things complicated; it might be easier not to use public computers at all.

Regards,

Maarten
« Last Edit: May 21, 2007, 12:59:33 PM by tanstaafl »

Eric H. Jung (grimholtz, Administrator)
« Reply #1 on: March 05, 2007, 04:59:17 AM »
Quote
Typing your Master Password in a publicly available computer is... plain stupid!
Agreed, that's why PasswordMaker has auto-populate.

Quote
Please remove this from the FAQ
Why? PasswordMaker is safe with keyloggers if you use auto-populate. With auto-populate, you type nothing.

Perhaps you should ask WHY this is in the FAQ before requesting it be removed? It looks like you didn't spend much time with PasswordMaker.
« Last Edit: May 21, 2007, 01:00:13 PM by tanstaafl »

LkonKbd (Guest)
« Reply #2 on: April 02, 2007, 02:58:16 PM »
Quote from: Maarten
Some websites, and the FAQ of PasswordMaker itself, state that it is safe for keyloggers:

PasswordMaker is NOT safe for keyloggers. Worse than seeing the password for a website, the keylogger registers the actual Master Password. Typing your Master Password in a publicly available computer is... plain stupid! The other things for recovering the actual passwords are easy to recover; the keylogger can easily register what url, username or salt is being used.

This may be a little TRUE, but if you are using a MemoryStick [USB type] then while OffLine you may create a little TEXT file hidden on the memory stick with your MasterPassword also hidden within a very long line of characters or a message you create. Then when needing that PW all you need to do is HiLite the PW and Ctrl+C/Ctrl+V into PasswordMaker when needed. NO typing necessary. Do NOT even have it plugged in to the USB until needed.

Also have a small program like RegProtect (by DiamondCS) that monitors your registration file and warns you of any activity plus you may Accept or Deny that access.

KeyLoggers, GOODBYE!!

Good Luck,


xolphin
« Reply #3 on: April 26, 2007, 05:46:31 PM »
Quote from: Eric H. Jung
Agreed, that's why PasswordMaker has auto-populate.
Why? PasswordMaker is safe with keyloggers if you use auto-populate. With auto-populate, you type nothing.

Perhaps you should ask WHY this is in the FAQ before requesting it be removed? It looks like you didn't spend much time with PasswordMaker.

True, I have used mostly pwdhash, which has far fewer options.

I don't see how auto-populate would help somebody against keyloggers. Saving your password in a random text file is a nice idea, but easy to catch for keyloggers too. Auto populate is nice if you have your master password typed in after the keylogger is enabled. When you start from scratch, PasswordMaker has no way to have your master password without you typing it in (or inserting it in another way).

When you are not on your own computer, it is not safe to type your master password. Saying that PasswordMaker protects against keyloggers is wrong if you don't describe how PasswordMaker protects against KeyLoggers. The statement that it does protect is wrong, and should be removed. You now may have people who use PasswordMaker in their local internet bar, and type in their master password and have all their accounts hacked.

PasswordMaker is a great concept, and it has its advantages, but without a challenge response system of some kind it isn't safe. It is maybe enough safety for your hotmail account, it is not safe enough for your bank details or logging in to your servers.

A method that is safe is some kind of challenge response system. The cheapest and nicest I know is One Time Password Login package, which uses 100 codes on a piece of paper to give you a random code each time.

Remember, if you don't own the computer you are working at, anybody can monitor all your mouse clicks, key strokes and everything.

Regards,

Maarten
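
The trade-off argued in this reply, as an added example that is not part of the thread and is not PasswordMaker's or OTPW's code: a password derived from a master password can be regenerated by anyone who holds the master password, while a code from a one-time list is rejected on replay. HMAC-SHA256 stands in for the derivation, and `derive_site_password`, `OneTimeList`, `compare_exposure` and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def derive_site_password(master, url, username, length=12):
    """Deterministic site password: same inputs always give the same output.
    HMAC-SHA256 is a stand-in, not PasswordMaker's actual algorithm."""
    mac = hmac.new(master.encode(), f"{url}\n{username}".encode(), hashlib.sha256)
    return base64.b85encode(mac.digest()).decode()[:length]


class OneTimeList:
    """Verifier for a printed list of one-time codes (hypothetical sketch):
    stores only hashes and strikes each code out after its first use."""

    def __init__(self, codes):
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in codes}

    def verify(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._unused:
            self._unused.remove(digest)  # each code is valid exactly once
            return True
        return False


def compare_exposure():
    """What a recording of one login is worth afterwards, per scheme."""
    # Constructed sample values; nothing here is real account data.
    master, username = "constructed-master-pw", "alice"
    sites = ["mail.example", "bank.example"]
    real = {s: derive_site_password(master, s, username) for s in sites}

    # Derived scheme: a recorded master password plus the (non-secret) url
    # and username regenerates every site password, visited or not.
    recorded_master = master
    regenerated = {s: derive_site_password(recorded_master, s, username) for s in sites}

    # One-time list of 100 codes: the recorded code was consumed by the
    # legitimate login, so presenting it again fails.
    codes = [secrets.token_hex(4) for _ in range(100)]
    server = OneTimeList(codes)
    first_use = server.verify(codes[0])
    replay = server.verify(codes[0])
    return regenerated == real, first_use, replay


if __name__ == "__main__":
    print(compare_exposure())
```
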

Eric H. Jung (grimholtz, Administrator)
« Reply #4 on: April 30, 2007, 03:40:54 AM »
Quote
A method that is safe is some kind of challenge response system. The cheapest and nicest I know is One Time Password Login package, which uses 100 codes on a piece of paper to give you a random code each time.
You are free to use this instead of PasswordMaker.
« Last Edit: April 30, 2007, 03:41:40 AM by Eric H. Jung »

xolphin
« Reply #5 on: May 07, 2007, 01:39:29 PM »
I like PasswordMaker. My only concern is that PasswordMaker does not protect against keylogging mechanisms. This should be removed from the FAQ because it is simply not true. See my previous posts for my arguments.

Eric H. Jung (grimholtz, Administrator)
« Reply #6 on: May 13, 2007, 01:52:16 AM »
Quote from: Maarten
I like PasswordMaker. My only concern is that PasswordMaker does not protect against keylogging mechanisms. This should be removed from the FAQ because it is simply not true. See my previous posts for my arguments.
If you are concerned about keyloggers, save your master password to disk. Then you do not have to type it. Of course, this may open you to other types of attacks. I'm curious to know why you think PasswordMaker is susceptible to keyloggers when the MPW is stored on disk.
« Last Edit: May 13, 2007, 01:52:48 AM by Eric H. Jung »
