• Advertisement
Sign in to follow this  

Keyloggers and Password Edit Boxes

This topic is 4482 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Does anyone know if the standard Windows password entry control has any sort of protections on it to stop snooping processes like keyloggers from intercepting the password as you type it? I've started to use Remote Desktop a lot from the clusters at school and I'm afraid that someone will get admin access to my box in my dorm room.

Share this post


Link to post
Share on other sites
Advertisement
Quote:
Original post by Telamon
Does anyone know if the standard Windows password entry control has any sort of protections on it to stop snooping processes like keyloggers from intercepting the password as you type it?

I've started to use Remote Desktop a lot from the clusters at school and I'm afraid that someone will get admin access to my box in my dorm room.


No password boxes don't have any such protection. I suggest using an encrypted connect (I don't know if remote desktop has one or not) and changing your password on a regular basis. You might also consider not using remote desktop as admin so you can limit the damage should someone get unauthorized access. Also back up important information and consider encrypting it if it's sensitive.

Share this post


Link to post
Share on other sites
I don't know if having an encrypted connection will help this or not, because at some point, the remote desktop app on the host machine needs to generate a plain old (unencrypted) key event for the sake of the application that has the password box, and the key event can be intercepted as usual.

If someone knows a good way to defend against keyloggers then I'd be interested too. I usually just make sure to use throwaway passwords, and change them often.

Share this post


Link to post
Share on other sites
Quote:
Original post by pinacolada
I don't know if having an encrypted connection will help this or not, because at some point, the remote desktop app on the host machine needs to generate a plain old (unencrypted) key event for the sake of the application that has the password box, and the key event can be intercepted as usual.

If someone knows a good way to defend against keyloggers then I'd be interested too. I usually just make sure to use throwaway passwords, and change them often.


I suggested the encrypted connection in case someone logged the network traffic. I don't know if Remote Desktop sends the password in plain text or not.

Share this post


Link to post
Share on other sites
The best defense against keyloggers is to trust the system you're using. Changing passwords doesn't help since it takes mere seconds to change your password after they've keylogged it; and that's assuming they're nice, and don't just nuke your machine after login. All the password changing in the world isn't going to help then. And realistically, all the password changing isn't going to help if they 'just' compromise your machine, since everything there should then be considered compromised and possibly replaced with malicious versions.

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Defense against keyloggers for the ultra paranoid:

Keyloggers don't track the mouse, or window focus, so just type what seems to be some kind of E-mail or post to a message board such as this one. Each time you type a character of your password, switch to the password entry box.

It will look totally innocent to those reading the logs, and they will be none the wiser about your passwords.

Share this post


Link to post
Share on other sites
Quote:
Original post by Anonymous Poster
Defense against keyloggers for the ultra paranoid:

Keyloggers don't track the mouse, or window focus, so just type what seems to be some kind of E-mail or post to a message board such as this one. Each time you type a character of your password, switch to the password entry box.

It will look totally innocent to those reading the logs, and they will be none the wiser about your passwords.


31337 [grin]

Share this post


Link to post
Share on other sites
One thing i do for my file encrypter app. (basically it encrypts a file, and makes it a self-decryting exetutable, very nifty).

It fires a few hundred random keypresses/sec using sendkeys in vb.
It can filter the keypresses out, as it knows what was sent, but no other programs can.

As for remote access..... for winxp, i use the remote assistance program, and i send an invitation to myself.

I can then dial in, but after i've used it, the invitation is no longer valid, and can't be used again :-)

From,
NIce coder

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Quote:
Original post by Nice Coder
It fires a few hundred random keypresses/sec using sendkeys in vb.
It can filter the keypresses out, as it knows what was sent, but no other programs can.


That's no good for a hardware keylogger, though...

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Quote:
Original post by Nice Coder
It fires a few hundred random keypresses/sec using sendkeys in vb.
It can filter the keypresses out, as it knows what was sent, but no other programs can.


Furthermore, sendkeys doesn't actually simulate a key press, does it? Doesn't it just invoke the event handler for the window, as if a key had been pressed? In that case, there are many software keyloggers that wouldn't be fooled by this either.

Share this post


Link to post
Share on other sites
Might I ask what the point of an encrypted self-decrypting executable is?

Share this post


Link to post
Share on other sites
Quote:
Original post by daerid
Might I ask what the point of an encrypted self-decrypting executable is?


Haha, pwned. I'm curious as well.

How about typing random letters into notepad, than copy/pasting the letters individually into the password box? A hardware keylogger will only catch the copy/paste hotkeys, and I don't think the software keylogger would be monitoring the clipboard. Would that work?

Share this post


Link to post
Share on other sites
What about the on screen keyboard? Or does it use SendInput? (thus will still be caught by keyloggers)

Share this post


Link to post
Share on other sites
Quote:

Furthermore, sendkeys doesn't actually simulate a key press, does it? Doesn't it just invoke the event handler for the window, as if a key had been pressed? In that case, there are many software keyloggers that wouldn't be fooled by this either.

If the keyloggers doesn't log keys "pressed" using sendkeys, the problem is solved. Just create an aspplication mypassword.exe and put it on a floppy/cd, when run it's switches to the correct login window and send's the keys need to login.

I like the crazy idea, basicly creating an app that send lot's of random garbage and switching between your window and the password window.

Like this:
"aklsj.pa,wiqroe.ss,werplsödsfpwe.wor,249welksö.r,sdsadipqwe._,sdfoiopwrklds08"
. = Switch focus to password dialog
, = Switch focus to you application
_ = Enter

So what password did I typ in?

This is the string that the keylogger see's (if it's not logging input focus changes)
aklsjpawiqroesswerplsödsfpwewor249welksörsdsadipqwe_sdfoiopwrklds08

Share this post


Link to post
Share on other sites
Quote:
Original post by Telamon
I've started to use Remote Desktop a lot from the clusters at school and I'm afraid that someone will get admin access to my box in my dorm room.

Perhaps not using Remote Desktop to log in as admin would help here? Work from a limited account, so that even with your password they can't run apps as administrator.

CM

Share this post


Link to post
Share on other sites
Quote:
Original post by eq
If the keyloggers doesn't log keys "pressed" using sendkeys, the problem is solved. Just create an aspplication mypassword.exe and put it on a floppy/cd, when run it's switches to the correct login window and send's the keys need to login.

And then you get up for a soda, and somebody swipes your CD.

arkheii: Windows won't let you paste into password boxes.

CM

Share this post


Link to post
Share on other sites
Security isn't my thing, but if I absolutely, positively, without a doubt had to log on remotely from an unsecure machine...

Two approachs. One is to issue a challenge on a log on attempt. You have to respond correctly to the challenge or you're locked out. The other is limited use passwords, i.e. one log on. They might get what you typed but that isn't getting them anywhere.

How do you know? Use a programmable calculator, PDA, cellphone, whatever. What they need to log on simply is not and never was on the unsecure computer. That pretty well eliminates the crime of opportunity. Just like any other thief you still have to worry about being targeted. That's a people issue and a computer program isn't going to save you from trusting the wrong person.

Share this post


Link to post
Share on other sites
It's really surprising to me that there is no attempt made at keeping password entry boxes secure. Even just making key presses invisible to the system keyboard hooks when a pw box has focus would go miles towards making this stuff more secure.

Share this post


Link to post
Share on other sites
Quote:
Original post by Telamon
It's really surprising to me that there is no attempt made at keeping password entry boxes secure. Even just making key presses invisible to the system keyboard hooks when a pw box has focus would go miles towards making this stuff more secure.


Why is that suprising?

I mean, if someone has admin/root level on the box to install the logger, they can do far more dastardly things than install a keylogger [like replacing the code that creates password boxes into one that is less secure]. At some point, the OS has to trust the user.

I'd rather the OS trust someone that's got admin/root than introduce 'if focus is password box' wrappers into the code. That just seems fragile.

Share this post


Link to post
Share on other sites
It should be noted that someone doesn't need admin/root to steal your passwords - if they have access to your normal user account they can still trojan your desktop applications and obtain web passwords, passwords to other systems etc.

Mark

Share this post


Link to post
Share on other sites
Quote:
Original post by markr
It should be noted that someone doesn't need admin/root to steal your passwords - if they have access to your normal user account they can still trojan your desktop applications and obtain web passwords, passwords to other systems etc.

Mark


True, though the original post was regarding school/common machines, which would require admin/root to install the logger so that it survived between sessions.

Share this post


Link to post
Share on other sites
Use Direct Input?
I've got a faint memory of someone mentioning that system wide keyboard hooks doesn't trap Direct Input keys.

Share this post


Link to post
Share on other sites
Use Direct Input?
I've got a faint memory of someone mentioning that system wide keyboard hooks doesn't trap Direct Input keys.

Share this post


Link to post
Share on other sites
Quote:

I've got a faint memory of someone mentioning that system wide keyboard hooks doesn't trap Direct Input keys.


are you sure about that? I'd think it wouldn't matter.

Share this post


Link to post
Share on other sites
use the system banks use for online banking:
A randomly generated list of numbered single-use passwords. Upon login you are asked to enter a one specific password randomly chosen by the host.

Immune to key-loggers and pretty much anything else.

I don't know any software that supports that authentication scheme though...

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement