wok-key: dealing with keyloggers on net-cafe computers

Bill McGonigle bill at bfccomputing.com
Tue Aug 25 17:54:27 EDT 2009


I'm usually pretty paranoid about typing my passwords on any computers I
don't own.  I assume most have keyloggers installed, as I've seen some
that do.

The problem is, internet cafes are really darn handy.  I so rarely type
confidential material in my email but still have to disclose my password
to get access.

So, I made an attempt to find a way to get around this.  Demo here:

  http://bfccomputing.com/wokkey/

The idea is this: when the page loads, it creates a random selection of
two-character lower-case letter codes, and maps one to each of the keys
on a keyboard (US for now).  You type in these two-character codes
instead of your password and JavaScript copies the correct codes over to
your password field.  This is probably not immune to frequency analysis
or to some sort of hypothetical screen-capture+keylogger malware but I
think it helps with vanilla keyloggers.  You can type extra bogus codes
to poke at the frequency analysis if you want; the JavaScript will
auto-delete them.

So far, I've got it working with SquirrelMail (the version that comes
with Fedora 10).  It takes me about 30 seconds to enter a 10-character
password.  If anybody wants to play with that (a poorly hacked
login.php) or give feedback, reply here or to me.  I'm curious if
anybody besides me would actually use such a thing. :)

Thanks,
-Bill

-- 
Bill McGonigle, Owner
BFC Computing, LLC
http://bfccomputing.com/
Telephone: +1.603.448.4440
Email, IM, VOIP: bill at bfccomputing.com
VCard: http://bfccomputing.com/vcard/bill.vcf
Social networks: bill_mcgonigle/bill.mcgonigle
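
A sketch of the scheme the message describes, added here as an illustration and not taken from the wok-key demo or from login.php. All function names are hypothetical, and it assumes the 95 printable ASCII characters stand in for the US keyboard and that a "bogus" code is any two-letter code not assigned to a key.

```javascript
// Web Crypto is global in browsers and Node 19+; older Node needs require().
const wc = globalThis.crypto ?? require("crypto").webcrypto;

// Unbiased integer in [0, n) by rejection sampling over 32-bit draws.
function randomInt(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do { wc.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Assumption: printable ASCII (space through ~) models the US keyboard.
const KEYS = Array.from({ length: 95 }, (_, i) => String.fromCharCode(32 + i));

// Fresh table per page load: shuffle all 676 two-letter codes (Fisher-Yates)
// and give the first 95 to the keys. The other 581 stay unassigned.
function makeCodeTable() {
  const letters = "abcdefghijklmnopqrstuvwxyz";
  const codes = [];
  for (const a of letters) for (const b of letters) codes.push(a + b);
  for (let i = codes.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [codes[i], codes[j]] = [codes[j], codes[i]];
  }
  const codeToKey = new Map(KEYS.map((k, i) => [codes[i], k]));
  const keyToCode = new Map(KEYS.map((k, i) => [k, codes[i]]));
  return { codeToKey, keyToCode, decoys: codes.slice(KEYS.length) };
}

// Rebuild the password from what was typed: read two characters at a time,
// keep assigned codes, silently drop unassigned (bogus) ones.
function decodeTyped(typed, codeToKey) {
  let password = "";
  for (let i = 0; i + 1 < typed.length; i += 2) {
    const key = codeToKey.get(typed.slice(i, i + 2).toLowerCase());
    if (key !== undefined) password += key;
  }
  return password;
}

// What a keylogger would record for a password, with a decoy every few keys.
function keystrokesFor(password, table, decoyEvery = 3) {
  let out = "";
  [...password].forEach((ch, i) => {
    if (i % decoyEvery === 0) out += table.decoys[randomInt(table.decoys.length)];
    out += table.keyToCode.get(ch);
  });
  return out;
}
```

Because a new table is drawn on every load, the logged letters only decode against the table that was on screen at the time, which is why the screen-capture case mentioned in the message stays outside what this protects against.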

