Keyloggers and Password Edit Boxes
Quote:Original post by daerid
Might I ask what the point of an encrypted self-decrypting executable is?
Haha, pwned. I'm curious as well.
How about typing random letters into notepad, than copy/pasting the letters individually into the password box? A hardware keylogger will only catch the copy/paste hotkeys, and I don't think the software keylogger would be monitoring the clipboard. Would that work?
What about the on screen keyboard? Or does it use SendInput? (thus will still be caught by keyloggers)
Quote:
Furthermore, sendkeys doesn't actually simulate a key press, does it? Doesn't it just invoke the event handler for the window, as if a key had been pressed? In that case, there are many software keyloggers that wouldn't be fooled by this either.
If the keyloggers doesn't log keys "pressed" using sendkeys, the problem is solved. Just create an aspplication mypassword.exe and put it on a floppy/cd, when run it's switches to the correct login window and send's the keys need to login.
I like the crazy idea, basicly creating an app that send lot's of random garbage and switching between your window and the password window.
Like this:
"aklsj.pa,wiqroe.ss,werplsödsfpwe.wor,249welksö.r,sdsadipqwe._,sdfoiopwrklds08"
. = Switch focus to password dialog
, = Switch focus to you application
_ = Enter
So what password did I typ in?
This is the string that the keylogger see's (if it's not logging input focus changes)
aklsjpawiqroesswerplsödsfpwewor249welksörsdsadipqwe_sdfoiopwrklds08
Quote:Original post by Telamon
I've started to use Remote Desktop a lot from the clusters at school and I'm afraid that someone will get admin access to my box in my dorm room.
Perhaps not using Remote Desktop to log in as admin would help here? Work from a limited account, so that even with your password they can't run apps as administrator.
CM
Quote:Original post by eq
If the keyloggers doesn't log keys "pressed" using sendkeys, the problem is solved. Just create an aspplication mypassword.exe and put it on a floppy/cd, when run it's switches to the correct login window and send's the keys need to login.
And then you get up for a soda, and somebody swipes your CD.
arkheii: Windows won't let you paste into password boxes.
CM
Security isn't my thing, but if I absolutely, positively, without a doubt had to log on remotely from an unsecure machine...
Two approachs. One is to issue a challenge on a log on attempt. You have to respond correctly to the challenge or you're locked out. The other is limited use passwords, i.e. one log on. They might get what you typed but that isn't getting them anywhere.
How do you know? Use a programmable calculator, PDA, cellphone, whatever. What they need to log on simply is not and never was on the unsecure computer. That pretty well eliminates the crime of opportunity. Just like any other thief you still have to worry about being targeted. That's a people issue and a computer program isn't going to save you from trusting the wrong person.
Two approachs. One is to issue a challenge on a log on attempt. You have to respond correctly to the challenge or you're locked out. The other is limited use passwords, i.e. one log on. They might get what you typed but that isn't getting them anywhere.
How do you know? Use a programmable calculator, PDA, cellphone, whatever. What they need to log on simply is not and never was on the unsecure computer. That pretty well eliminates the crime of opportunity. Just like any other thief you still have to worry about being targeted. That's a people issue and a computer program isn't going to save you from trusting the wrong person.
Author
It's really surprising to me that there is no attempt made at keeping password entry boxes secure. Even just making key presses invisible to the system keyboard hooks when a pw box has focus would go miles towards making this stuff more secure.
Quote:Original post by Telamon
It's really surprising to me that there is no attempt made at keeping password entry boxes secure. Even just making key presses invisible to the system keyboard hooks when a pw box has focus would go miles towards making this stuff more secure.
Why is that suprising?
I mean, if someone has admin/root level on the box to install the logger, they can do far more dastardly things than install a keylogger [like replacing the code that creates password boxes into one that is less secure]. At some point, the OS has to trust the user.
I'd rather the OS trust someone that's got admin/root than introduce 'if focus is password box' wrappers into the code. That just seems fragile.
It should be noted that someone doesn't need admin/root to steal your passwords - if they have access to your normal user account they can still trojan your desktop applications and obtain web passwords, passwords to other systems etc.
Mark
Mark
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
