• Members of the previous forum can retrieve their temporary password here, (login and check your PM).

Very good password article...and question

Migrated topic.
SWIMfriend

SWIMfriend

Esteemed member
Senior Member
OG Pioneer
Senior member
Here's the article. It includes nice advice on how to have passwords that even YOU don't know--and how to use them in a way that helps avoid keystroke recorders.

Which brings up a question: Suppose one wanted to make a random password--a long string of random characters plucked on a keyboard. That's a good password, but it COULD conceivably be recorded by a keystroke recorder WHEN you're creating it (I will say, the idea of keystroke recorders frightens me most regarding computer security--and their use is not unknown among some LE departments).

So, what would happen if you created such a password, and then used your mouse to select and overwrite (again, randomly) random parts/characters of the password--and did that over and over in a random fashion? You would have a random password, with random characters, over-written repeatedly in random portions, by more random characters, a random number of times...

Would that foil keystroke recorders, because they would have no way to know which characters or text you selected for overwrite using your mouse?
 
My problem with security is an epistemological one: it's easy to read an article and study a topic and "know what you know." But in the area of security it's not always easy to know what you DON'T know--and of course, it's what you don't know that represents a security danger to you.

So, I try to think about such things more or less as an intellectual exercise.

The article I linked to recommends storing your complex password in a secure place, and then copying and pasting, rather than typing it, in order to foil the problem of keystroke logging. The problem is that you would have to type to SET UP those passwords originally...and, you would probably have to type a password in order to unlock the security that protects the place your keep your passwords!

My idea was that this would be easy to get around if the keystroke logger could ONLY log keystrokes--and nothing else. You could write and overwrite a password field, using the mouse to locate your changes, and it would be essentially impossible to decode your passwords from a mere record of keystrokes--because it would be impossible to tell which strokes "counted," and WHERE those strokes resided within the password.

But I have zero experience with ACTUAL security issues: I was hoping someone had enough experience to determine whether my idea was reasonable or not. If keystroke loggers also recorded all mouse positions, clicks, and selections, then virtually everything you did on your computer could be "decoded" to determine what you were up to.


This suggests another question: If one used a linux-based operating system on an encrypted memory stick for sensitive applications and browsing, then it would seem likely one could go a long way toward avoiding software logging--especially if one regularly re-loaded such operating systems and changed one's passwords. In that case (I think--I'd like an expert opinion) you would really only have to worry about hardware keystroke loggers--and I would suspect those would probably NOT also record mouse data (which, really, if I understand it correctly, would only be expected to reside in software--and not the hardware of the mouse itself.
 
SWIMfriend - Have you looked into One Time Passwords (OTP)? I've been testing this method for a few years now and while it has a few flaws it aims to solve the keylogger problem (and some other issues) you describe.

www.yubico.com

Yubico Home

Get the YubiKey, the #1 security key, offering strong two factor authentication from industry leader Yubico.
www.yubico.com

This topic is of great interest to me and I will respond a bit more on this later. For now, I wanted to share this resource and get the gears turning.
 
a1pha said:
SWIMfriend - Have you looked into One Time Passwords (OTP)? I've been testing this method for a few years now and while it has a few flaws it aims to solve the keylogger problem (and some other issues) you describe.

www.yubico.com

Yubico Home

Get the YubiKey, the #1 security key, offering strong two factor authentication from industry leader Yubico.
www.yubico.com

This topic is of great interest to me and I will respond a bit more on this later. For now, I wanted to share this resource and get the gears turning.
Click to expand...

This does look very cool indeed. Two things, though:

1) (Geez, maybe I'm paranoid. The fact is that I have UTTERLY NO REASON to believe that anyone should be interested in spying on me--however, as I gain interest in perhaps generating...ahem...lifetime supplies...just as b*rk issues are becoming inflamed, I'd like to think about COMPLETELY RE-DOING my computer and system, and starting all again with hyper-vigilant security awareness--including new ISP, etc.) but....problem #1: Whenever I deal with a second party I have to ask the question "How do I know they can be trusted? If I were a high-level government agency the FIRST THING I'd think of would be to start a company that many people might think of as a "security company," and then backdoor the pants off it. (like, for example, a VPN--or tor, which was FINANCED by government, no? For all I know tor stuff goes STRAIGHT to government servers!)

2) I am interested in password issues, but it's really keyloggers GENERALLY that I'd like to be able to thwart, if possible.
 
SWIMfriend said:
"How do I know they can be trusted? If I were a high-level government agency the FIRST THING I'd think of would be to start a company that many people might think of as a "security company," and then backdoor the pants off it. (like, for example, a VPN--or tor, which was FINANCED by government, no? For all I know tor stuff goes STRAIGHT to government servers!)
Click to expand...
Take a look under the developer section of the site. They offer ALL the code as open-source packages. For the extra-paranoid you can run your own validation server. Take a look at the APIs and PDF documentation...

I'll expand on this more when I don't have a headache after a day of redoing my own systems for the exact same things you describe. After playing with Windows some it's back to Linux!
 
I've been interested in security for a long while now too.

If you use use windows onscreen keyboard, it uses mouse clicks and no keyboard strokes are stored.
Start > All Programs > Accessories > Ease of access > On-Screen Keyboard

Also the use of 'Auto Form Filling' can have similar benefits...

This was also interesting, copy pasted from another forum:
I used to keylog people all the time, so i'll give you some tips from experience. The keylogger can be made undetectable very easily, especially from commercial software like Norton, Avast, etc. through packaging/binding them with special rootkits.

Anyways, it tracks keystrokes, but not copy and pastes. So i'd suggest if you know you're logged and you NEED to enter a CC # for some reason, here is what you do:

Open notepad, have credit card number handy, and make a pattern you recognize only. Maybe if your # was 1892 (first 4 digits as an example), then you'd make it so you can type random numbers, but every 6th digit is a number. So it'd be 29384110202818279911183228374 etc. and then simply copy and paste the number. It will be nearly impossible for anyone to figure that out.
 
*I will infer then that most people interested in keystroke logging DO NOT utilize capacity to also log mouse data--so that opens a lot of possibilities for safety, including my original ideas.
 
Advanced keyloggers work with clipboard and also take screenshots of the screen so virtual keyboard in not that useful.

And it gets worse - TEMPEST

About here Tor and the military, here is a comment from Michael Reed, one of the original designers of Tor.

BINGO, we have a winner! The original *QUESTION* posed that led to the invention of Onion Routing was, "Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point?" The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old a way to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more cover traffic to better hide what we wanted to use the network for, all the better...I once told a flag officer that much to his chagrin). I should know, I was the recipient of that question from David, and Paul was brought into the mix a few days later after I had sketched out a basic (flawed) design for the original Onion Routing.

The short answer to your question of "Why would the government do this?" is because it is in the best interests of some parts of the government to have this capability...
Click to expand...


To put things in perspective, ARPANET was funded by United States Department of Defense and National Christian Foundation funded Tor too. Can I get "Jesus owns all the nodes!" :D
www.torproject.org

The Tor Project | Privacy & Freedom Online

Defend yourself against tracking and surveillance. Circumvent censorship.
www.torproject.org www.torproject.org


I am pretty surprised that article did not mention KeePass which is, in my experience, kind of a standard password manager recommendation.

"But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.”

Offline backup of the password manager data is always recommended.

"Mr. Grossman said he did not trust the software because he didn’t write it"

Source code is usually available if one is proficient enough in such matters.

"Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked."

The paper deals with analysis of password manager software. They have shown some poor designs of some software but that is pretty much it. I would not avoid using reputable password managers due to this analysis.


For a nonFBI threat level, I recommend using full disk encryption, password managers (KeePassX or Password Safe) and long phrases with addition of random characters - "I love Nexus so much it's not even funny ieg56Hh".

www.guardian.co.uk

Read me first: Passwords are not broken, but how we choose them sure is

Bruce Schneier: I've been reading a lot about how passwords are no longer good security. The reality is more complicated
www.guardian.co.uk www.guardian.co.uk

Recent Developments in Password Cracking - Schneier on Security

www.schneier.com www.schneier.com
 
It appears that even if an intelligence is great enough to devise decent security...there will always be a way to reverse-engineer and eventually render the security invalid. (virtual evolution in action)

I guess that the only True way to disclose sensitive information is to physically whisper it in to the recipients ear...Even then there is a trust issue.

I'ts a sad world...Big Bro is virtually omnipotent...:?
 
Back
Top Bottom