Wednesday, June 30, 2010

Writing passwords can be helpful sometimes!!

“Do Not write passwords” is a well known sentence for regular computer users.

But writing the passwords can increase the security too.

“The Virtual Keypad with its dynamic keys minimises the risk of malicious codes capturing your keystrokes. Use Virtual Keypad and enjoy the convenience of online banking with complete security.” is a text I found in a famous bank website.

I feel virtual keyboard may not be the correct alternative to secure passwords from key loggers. While searching for the methods to hack virtual keyboards, I found many different ways. I accept that almost every software can be hacked but only the time taken and effort needed matters.

A Keylogger can either be a software or a hardware. Virtual keyboard can secure us from hardware keyloggers. Coming to the software, I can say no. Implementing a keylogger needs a deep technical knowledge as it runs at low level of Operating System. Current anti-virus programs can easily detect those programs. Where as to get the password from a virtual keyboard is comparatively easier as any program can get the screen shots. And the anti-virus will not treat these type of programs as a virus because capturing screen is a common activity.

Keyboard will be shuffled every time when a key is pressed in the virtual keyboard. The time taken to shuffle is very high when compared to the time taken to capture the screen. The image below is the result of the program I wrote to get the password information from the virtual keyboard.

Code snippet “creating an screenshot image related to the mouse position” in Mighty gives the basic idea of the hack.

I have an idea which can work better than the virtual keyboard.
When we copy and paste the text into the password field, keyloggers cannot get the data.
But getting the data from clipboard is very easy(I will come to this point later).

In the proposed login process, we have two password fields one is the traditional password field and the other is the one in which the user need to paste the password(say ’safeLogin password’) from clipboard. We will send the safe login password to the user’s e-mail address so that user can copy from there and paste in the respective password field.

Now this combination is similar to the public & private keys in encryption. The keyloggers cannot know the safeLogin password and the active attacker(may be the persons who share the computer with the user) cannot know the traditional password.

User needs to remember only one password as the other needs to be taken from the e-mail or from the text file.

As we can access the clipboard, when the user opens our website, the script will send some random data with the same length of the safeLogin password to the clipboard in regular intervals. If there is any difference in the clipboard data, then we will store that. When the user tries to paste the safeLogin password, we will take the last password user sent to the clipboard. As we generate the random data, we can differentiate which one is the password and which one is the random data. Where as the attackers cannot recognize which one is the password and which one is not as all are similar and random.

We can make even complex with three safeLogin passwords.


• The user requests the bank for the net banking facility.
• Bank sends an e-mail to the user with user id and temporary password.
• User changes the temporary password.
• Bank sends another e-mail with three passwords highlighting one of them.

first e-mail content

user id: abcd
password : #a52@G9$
second e-mail content

safeLogin passwords:

sun@west(check this)

Login process

The login screen contains two password blocks. One contains the traditional password field. and the next block contains three safeLogin password fields and three radio buttons corresponding to each password field.

steps user will follow to login:

• types the user-id (abcd) and password(which user selected).
• copies the three safeLogin passwords one by one and pastes in any of the three password fields.
• clicks on the radio button corresponding to the password with (check this) in the e-mail.

How can we say this process safer?

The first password is a secret the user needs to type the password using the keyboard. Attacker can get this password with the help of keylogger.

As the safeLogin passwords are copy-paste, keylogger will not work here. As the programs can read the clipboard data easily, we use three passwords and select one.

Even the program collects all the three passwords, attackers needs to know which one must be selected.

Along with this, we can send random data to the clipboard at equal intervals and this will increase the security further.

Please help me if I am walking in a wrong path. write to me

No comments: