Re: Writing a password entry dialog
From: Valery Pryamikov (Valery.Pryamikov_at_nospam.sm.siemens.no)
Date: 10/08/03
- Next message: Euphen Liu: "[SmartCard CSP] How can I obtain a PIN to sign HASH ?"
- Previous message: casey chesnut: "exporting DSS key using CryptoApi"
- In reply to: Edson E. W.: "Writing a password entry dialog"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 8 Oct 2003 09:14:16 +0200
Edson,
It looks like password-based authentication doesn't actually suit you,
since you are talking about keylogger or similar attack scenarios. Try
reconsidering your design to use certificate-based authentication. With
the latter you have the choice to store the certificate's private key on a
smart card/USB dongle or in the user profile and let the CSP (/device)
handle the private key's security.
-Valery.
"Edson E. W." <e@e.w> wrote in message
news:24a6701c38d0b$78ac72b0$a601280a@phx.gbl...
> It seems the simplest thing in the world - to write a password
> entry dialog just set the style of an edittext control to
> ES_PASSWORD.
>
> But the problems start here.
>
> 1) A keylogger program could record the keystrokes by adding
> a SetWindowsHookEx keyboard hook procedure.
>
> 2) Other programs could hook to my application (actually
> an ActiveX running in Internet Explorer) and examine the
> contents of the edittext control using the WM_GETTEXT
> message.
>
> 3) There are screen loggers - even if I forbid entering
> the password as keystrokes (the user must click on a
> picture of a keyboard), a program could simply watch all
> windows in the system waiting for my password entry
> dialog, and record all clicks in the dialog.
>
> 4) Name other problems here...
>
> What kind of countermeasures can I take? (I assume that a
> hardware keylogger is not installed, nor a device driver
> that intercepts the keys. Only trojan user-mode code).
>
> Is it easy (or at least feasible) to unhook all keyboard
> hook procedures?
>
>