Re: Keylogger resistance
- From: Peter Fairbrother <zenadsl6186@xxxxxxxxx>
- Date: Tue, 23 May 2006 23:30:21 +0100
Matthijs Hebly wrote:
A "Better Alternative" is to use an on screen virtuaol keyboard.
I'm sure there are mouse movements & clicks loggers floating around
cyberspace to take care of that.
There are some software ones - but if they have that kind of access you are
probably 0Wn3d anyway, and there are more convenient ways.
Hardware mouse loggers, if they exist, can be defeated by randomising the
positions of the on-screen letters. Might defeat some software keyloggers
too, but don't expect too much.
My bank ask for three chosen letters from a "memorable information"
password, and they use three drop-down character/letter/number menus, one
for each position. While not giving me the warm fuzzies, it does mean that I
can in emergency use an insecure computer, and change password and memorable
information afterwards. Useful.
It would be inmproved if the starting positions of the alphabet were
randomised in the menus.
If you do try this, keep the alphabet in order and just randomise the
starting position for each menu, don't spray the letters at random over the
menu or page as it will be highly inconvenient to use. Also try and get all
the entries on the page, so the menu doesn't overflow up and down. Makes key
entry much easier.
m-o-o-t uses this technique to defeat hardware keyloggers and mouseloggers
(and as it runs on a bootable CD software access is very hard to obtain. A
BIOS trojan could in theory do it, but the ones I have seen aren't capable
of penetrating m-o-o-t's password entry security). I think tinfoilhat-linux
does something similar.
BTW, as the UK Government are considering cranking up Part III of RIPA (the
gimme-the-keys-or-go-to-jail law) you may well be seeing m-o-o-t soon.