Feature Request: Beating Keystroke Loggers

2005-04-01
2012-09-17
  • Kevin Kirkpatrick

    I'm just floating the idea out there, but... what if the main passwordsafe login had a button called "Use Keystroke Encoder (very slow)" When clicked, PWS randomly assigns every member of the set of acceptable password characters to a different character in that set (in an "onto" fashion). This mapping is then displayed on screen, and is used like a "secret decoder ring", allowing the user to enter his/her password, while keystroke loggers will capture only a random string of characters.

    Of course, screen-capturing keyloggers could still get the mapping, but I have no idea how common or reliable screen-capturing keyloggers are (or whether they exist at all). Minimally, though, this would seem to defeat physical keyboard loggers from sniffing the main pws password. Also, with a little work and creativity (e.g. mappings that change with each character pressed, flashing 100's of fake mappings between each real mapping, etc.) the cost of the screen capture + keylogger attack could be increased dramatically.

    Even though this would make the PWS password entry very tedious, it would also make me feel much more secure about accessing my passwords at a public or otherwise potentially compromised PC.

     
    • Rony Shapiro

      Rony Shapiro - 2005-04-04

      Interesting idea. For most users, the increased effort to use the program would outweigh the security benefits.

      Also, I'd guess that if a keyboard sniffer is installed, then protecting the master password would be the least of your problems - mainly because it's easy to change once you move to a trusted machine. All the other data you enter - word documents, spreadsheets, mail, would still be captured, regardless.

      Still, if anyone wants to code a "secure combination entry" option, I'll be glad to merge it in to the source tree.

      Rony

       

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks