wok-key: dealing with keyloggers on net-cafe computers

Ben Scott dragonhawk at gmail.com
Tue Aug 25 19:07:03 EDT 2009


On Tue, Aug 25, 2009 at 5:54 PM, Bill McGonigle<bill at bfccomputing.com> wrote:
> The idea is this: when the page loads, it creates a random selection of
> two-character lower-case letter codes, and maps one to each of the keys
> on a keyboard (US for now).

  Interesting.

  Another option is a derived password scheme.  The server displays a
bunch of plausible looking info at the logon page, some of which is
actually random.  You follow some secret algorithm to transform that
into a password good for that logon only.  The algorithm doesn't have
to be cryptographically strong; just something which will foil systems
which blindly try sniffed passwords.

  As an example, I once wrote a program that displayed the date, time,
and a "serial number" in the copyright banner immediately before logon.
The "serial number" was bogus, and actually varied a few inner digits
randomly.  Combined with a static component, you got a password which
let you login.

  Advantages: Doesn't need JavaScript.  Entirely server-side, so no
client-side code to examine.  Non-obvious to shoulder surfers.
Passwords are only good once and never re-used.  If you want, save old
passwords and sound the alarm if re-use is attempted.

  Disadvantages: Requires some thought on the part of the user.
You're still trusting a computer we're assuming to be compromised
(!!!).

  Better still would be some kind of OTP generator (like those RSA key
fobs), but in software for a handheld computer/smartphone (which you
presumably always have with you).  Hmmm, that seems like it should be
fairly straight-forward to implement.  It might already be out there.

  But you're still trusting a computer we're assuming to be
compromised (!!!?!?!).

> ... hypothetical screen-capture+keylogger malware ...

  I've heard tell that some spyware specifically looks for form fields
to capture, since they're usually much more useful than an
unstructured stream of keystrokes.  Typically, form fields are even
conveniently labeled with "credit card number", "expiration date",
etc.  I have no idea how prevalent this is.

-- Ben
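The derived-password scheme Ben describes (random inner digits in a bogus serial number, a simple rule the user applies in their head, one-time use with an alarm on re-use), as an added Python illustration that is not Ben's original program or any code from the thread. The banner text, the transform rule, the static component and the class and function names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# All names and values here are constructed for the illustration.
STATIC_SECRET = "horse-battery"   # the memorised static component


def transform(inner_digits, static_secret=STATIC_SECRET):
    """The user's secret rule, deliberately not cryptographic: reverse the
    random inner digits, add 1 to each (mod 10), append the static part."""
    bumped = "".join(str((int(d) + 1) % 10) for d in reversed(inner_digits))
    return bumped + static_secret


def _fingerprint(password):
    return hashlib.sha256(password.encode()).hexdigest()


class LogonServer:
    """Server side: shows the banner, knows the rule, verifies one logon."""

    def __init__(self, static_secret=STATIC_SECRET, rng=secrets):
        self.static_secret = static_secret
        self.rng = rng            # anything with .choice(), e.g. random.Random(seed)
        self.pending = None       # inner digits of the banner currently on screen
        self.used = set()         # fingerprints of every password already accepted

    def issue_banner(self, now=None):
        """Date, time and a bogus serial number whose four inner digits are
        fresh per page load; re-roll if the resulting password was used before."""
        now = now or datetime.now(timezone.utc)
        while True:
            self.pending = "".join(self.rng.choice("0123456789") for _ in range(4))
            if _fingerprint(transform(self.pending, self.static_secret)) not in self.used:
                break
        return f"(c) 2009 Example Corp  {now:%Y-%m-%d %H:%M}  Serial SN-1138-{self.pending}-7A"

    def verify(self, submitted):
        """Return 'ok', 'bad' or 'replay'; each banner is consumed by one attempt."""
        inner, self.pending = self.pending, None
        if inner is None:
            return "bad"
        if _fingerprint(submitted) in self.used:
            return "replay"       # a sniffed password tried again: sound the alarm
        expected = transform(inner, self.static_secret)
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            return "bad"
        self.used.add(_fingerprint(submitted))
        return "ok"
```

Re-rolling the banner when its derived password has already been accepted keeps the replay alarm from firing on an honest user who happens to draw the same digits twice.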

