Author Topic: keyloggers  (Read 24329 times)

lov2cod

  • Guest
keyloggers
« on: November 16, 2005, 10:28:43 PM »
Guys,

I read the FAQ about PasswordMaker not being sensitive to keyloggers because the website's password is not typed. That's interesting, but it simply amounts to taking one step back: the master password can still be captured.

How about using something supplementing the master password with information from other channels:

1. biometric device
Something like  the following (just a random example from google)
http://www.storagemedia.com/product.asp?pf...t_id=22-001-002
In this approach password maker reads (part of) the password from a file and stores it in memory. I insert the usb key, activate it, PM reads the info, I remove the usb key.


2. mouse input
I avoid using the mouse, however if you use it to select some information from a randomly changing screen then the keylogger is hosed. For example you have a small 4 character password, a small keyboard is displayed on the screen in a random order and you just select the password from there.

What do you guys think?


Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
keyloggers
« Reply #1 on: November 17, 2005, 03:36:23 AM »
A way I can see number 1 working is if it adds the stuff it reads into the modifier field.

Number 2 sounds cool though, type part of the Master Password on the randomized keyboard, though would be hard to do.
"I'm not drunk, just sleep deprived."

Offline lov2cod

  • Normal Members
  • *
  • Posts: 1
keyloggers
« Reply #2 on: November 17, 2005, 04:04:06 AM »
Well, in the online version approach 2 can be implemented by having some dropdown fields that are populated in random order. It would also be nice to have some javascript to display the number as *, after it has been selected. This way the low res screen shots taken by some keyloggers have even less chance of getting the information.

lov2cod

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
keyloggers
« Reply #3 on: November 17, 2005, 07:05:07 PM »
Hi lov2cod,

Quote
I read the FAQ about PasswordMaker not being sensitive to keyloggers because the website's password is not typed. That's interesting, but it simply amounts to taking one step back: the master password can still be captured.
Good point, but if you save the master password to disk, the keylogger only ever has one opportunity to steal it. Needless to say, however, storing the MPW to disk is in itself a security risk.

Quote
In this approach password maker reads (part of) the password from a file and stores it in memory. I insert the usb key, activate it, PM reads the info, I remove the usb key.
I don't understand why a usb key is necessary? Why not just a file on the hard drive?

Quote
I avoid using the mouse, however if you use it to select some information from a randomly changing screen then the keylogger is hosed. For example you have a small 4 character password, a small keyboard is displayed on the screen in a random order and you just select the password from there.
Neat idea. Why randomly changing instead of a fixed QWERTY layout, though? Are you worried about TEMPEST-based attacks?

Quote
It would also be nice to have some javascript to display the number as *, after it has been selected
Can you explain which numbers you want to hide with * ?

Regards,
Eric

Guest

  • Guest
keyloggers
« Reply #4 on: November 18, 2005, 04:31:24 PM »
Eric,

Putting the key (or part of it) on a USB key has the advantage that the key is not stored on the HD all the time and also you can take it with you to various locations.

Picking the password with the mouse avoids using the keyboard. However if the keylogger knows the UI from which you select the password then it can track your mouse position and clicks and discover the password. For example on win32 you can use charmap.exe to type your password with the mouse. However charmap.exe is a well known program. So a keylogger can compute at least the relative difference between letters that you selected.

The part about not displaying the ui and password for long amounts of time is used to complicate the life for keyloggers that take screen shots. If your password is displayed on screen as you select it then the screen shot is more likely to capture it. So let's say you/we implement the part with selecting part of the password from dropdown lists. After you select the first character that character will stay on the screen forever.

lov2cod

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
keyloggers
« Reply #5 on: November 18, 2005, 04:51:20 PM »
OK, I understand now.

Quote
The part about not displaying the ui and password for long amounts of time is used to complicate the life for keyloggers that take screen shots. If your password is displayed on screen as you select it then the screen shot is more likely to capture it. So let's say you/we implement the part with selecting part of the password from dropdown lists. After you select the first character that character will stay on the screen forever.
They can take screenshots all they like, but if the chosen characters are masked with *****, the screenshots are useless.

So would you be satisfied with an optional drop-down <select/> box for entering the master password in the Firefox/Mozilla extension, or do you want a randomly changing keyboard for the extension and a drop-down box for the website version?
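
Added example, not part of the original thread and not PasswordMaker code: a sketch of the on-screen keypad discussed above, with the layout reshuffled after every click and a masked display, plus a check of what recorded click positions decode to when the observer assumes a fixed layout. All function names are hypothetical.

```javascript
// Uniform integer in [0, n) from the Web Crypto API (browsers, recent Node.js).
function secureRandomInt(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n; // reject the biased tail
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle; returns a new array and leaves the input untouched.
function shuffled(keys, randInt) {
  const a = keys.slice();
  for (let i = a.length - 1; i > 0; i--) {
    const j = randInt(i + 1);
    [a[i], a[j]] = [a[j], a[i]];
  }
  return a;
}

// Keypad model: `randomize: false` is the fixed-layout case from the thread.
function createKeypad(alphabet, { randomize = true, randInt = secureRandomInt } = {}) {
  let layout = randomize ? shuffled([...alphabet], randInt) : [...alphabet];
  const entered = [];
  const clickLog = []; // key positions: all that a pointer-only logger observes
  return {
    layout: () => layout.slice(),
    // Simulates the user clicking the key that currently shows `ch`.
    press(ch) {
      const pos = layout.indexOf(ch);
      if (pos < 0) throw new Error(`no key for ${JSON.stringify(ch)}`);
      clickLog.push(pos);
      entered.push(ch);
      if (randomize) layout = shuffled(layout, randInt); // new layout per click
      return pos;
    },
    masked: () => '*'.repeat(entered.length), // what the screen shows
    value: () => entered.join(''),            // what reaches the password field
    clickLog: () => clickLog.slice(),
  };
}

// What recorded positions decode to if the observer assumes a known layout.
function decodeAgainstLayout(positions, knownLayout) {
  return positions.map((p) => knownLayout[p]).join('');
}
```

With `randomize: false` the click log decodes straight back to the entered characters, which is the charmap.exe weakness raised in Reply #4. Neither variant helps against a logger that captures the screen at each click, since the key labels themselves are visible.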

Guest

  • Guest
keyloggers
« Reply #6 on: November 18, 2005, 05:32:07 PM »
Eric,

I would be happy  with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.

I am also very happy with password maker and I will keep on using it with or without the feature above :)

lov2cod

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
keyloggers
« Reply #7 on: November 18, 2005, 06:25:15 PM »
Another solution, though a bit extreme and may not be worth it, is virtual PC software running Firefox with the extension or web site, because the keylogger won't have an easy way of using that software to detect the correct settings. :)
"I'm not drunk, just sleep deprived."

Guest

  • Guest
keyloggers
« Reply #8 on: November 18, 2005, 06:44:20 PM »
In virtual PC keyloggers still capture the keys ... unless I am missing something. Even some self contained solutions like Black Dog are not immune to keyloggers (www.projectblackdog.com).

lov2cod

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
keyloggers
« Reply #9 on: November 18, 2005, 07:15:20 PM »
What I'm saying is that if the keylogger is only on the host PC, the logger has no info about the guest system, and unless it's doing the screen shot stuff, how will it know you were entering a password. This is provided you design the Virtual PC to not use network connections, or can only talk with the Host OS and nothing else (with the two OSes being different, like Linux and Windows).

Let's drop this though for now, too much work is needed for too little gain in the long run.
« Last Edit: November 18, 2005, 07:15:58 PM by miquelfire »
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
keyloggers
« Reply #10 on: November 19, 2005, 12:20:40 AM »
lov2cod,

Quote
I would be happy with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.
Just curious, are you able to contribute any coding efforts yourself?

Guest

  • Guest
keyloggers
« Reply #11 on: November 19, 2005, 03:49:56 AM »
Eric,

Let me know how I can help ... not much time available right now ... but this may be quick and fun.

:)

Not sure available time will lead to a valuable contribution.


Offline Felipe

  • Jr. Member
  • **
  • Posts: 26
keyloggers
« Reply #12 on: January 03, 2006, 11:03:02 AM »
Quote
Eric,

I would be happy  with (and grateful for) anything that is easy to code, fits in your architecture/design and allows you to select part of your password with a mouse without displaying it on screen.

I am also very happy with password maker and I will keep on using it with or without the feature above :)

lov2cod
I like the "choose password with your mouse" idea. I think it should be implemented. I would think that a standard QWERTY layout would suffice, but some just can't be careful enough! One for the online version, and one for the FX extension (I don't use IE anyhow). If the keyboard layout is random, I don't care. More security the better, I suppose.
Felipe

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
keyloggers
« Reply #13 on: January 03, 2006, 03:02:30 PM »
Tyrantmizer, can you add this to the feature request list? "On-screen keyboard for master password entry". Looks like it slipped through the cracks. I'd completely forgotten about this till Felipe bumped it.

Thanks,
Eric
« Last Edit: January 03, 2006, 03:03:03 PM by Eric H. Jung »

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
keyloggers
« Reply #14 on: January 03, 2006, 03:05:52 PM »
For those who can't wait for this feature, you can already achieve this on Windows (albeit not very conveniently) by using the Character Map tool:



It allows you to select any character from an on-screen keyboard, and copy-and-paste that character into another window.
