Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
If ever there was a time we needed a bowlologist, it's now.

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.



A login with protection from keyloggers

A protection from simple keyloggers & easy-to-remember passwords, encode your input!
  (+11, -3)(+11, -3)
(+11, -3)
  [vote for,

I freqently use other computers to check my mail, but I'm afraid there could be keyloggers running. Also, I do not want to frequently change my password. So. I have an idea.

On login page: An option to enter password using some arbitrary one-time combinations for your password.

FOR EXAMPLE, everytime I opened a login page, a random list of key-combination equivalents to alphanumerals would be generated:

a: f5, i: i, q: gr, y: iu, 6: ro
b: 48av, j: 8i, r: u, z: ai, 7: ta
c: 4, k: 0g, s: 111, 0: dd, 8: aa
d: 05, l: d4, t: 9h, 1: zh, 9: f
e: gq1, m: 0, u: mw, 2: hi
f: yu, n: ri, v: x, 3: ow
g: an, o: so, w: 74i, 4: ne
h: 3, p: 00, x: m, 5: uh

If your password would be something like "f4hou5e5", you'd type "yune3somwuhgq1uh", so no one would log your real password, and every time the "password" would be different.

What's more, this actually makes it possible to have easy-to-remember passwords made of simple words, i.e., "elephant", "congruence",...

To make sure it is impossible to guess the password by collecting information of multiple logins, there could be generated by several random symbol combinations for each alphanumberal. E.g.,

a: f5,uz1,eu
b: 48av,ki,1
c: 4,yhi,z6
d: 05,hhi,i
e: gq1,nt,05

So, if your password was "elephant", you'd enter "gq1d4nt003f5ri9h" instead of "gq1d4gq1003f5ri9h". For the first "e" you use the first symbolic equivalent "gq1", and for the second "e" you use the another "nt". So there wouldn't be any logical pattern, any connections with anything. Your entry could only suggest the average number of symbols in your real password, but it's your problem if you create a very short password.

Another one point. As you see, the combinations sometimes become quite long. I think from simple keyloggers there would be enough simply randomly jumbled letters. i.e.,

a: d, i: i, q: x, y: c, 6: e
b: f, j: m, r: v, z: 9, 7: y
c: u, k: a, s: o, 0: p, 8: 8
d: n, l: 4, t: 7, 1: z, 9: k
e: 1,5,3, m: 0, u: j, 2: g
f: s, n: r, v: 6, 3: l
g: 5, o: w, w: 2, 4: e
h: 3, p: b, x: t, 5: a

"elephant" would be "145b3dr7" with the same number of symbols.

So, that's the protection from simple keyloggers.

Securing the display of the tables of symbolic equivalents would be another problem. The idea is that everytime you open a webmail login page or a banks login page, you see a new table of equivalents, and you use them to encode yor input.

Inyuki, Jan 19 2005

Dasher http://www.inferenc...DasherSummary2.html
Text input using mouse movement [david_scothern, Jan 19 2005]


       Wouldn't work - all the information available to you is also available to the trojan/virus or whatever - you're not adding anything else.
hippo, Jan 19 2005

       It would protect from KEY loggers.
Inyuki, Jan 19 2005

       'congruence' is a pretty cool password - not sure i'd be able to remember it though... congruence... congruence... congruence...   

       Anyway, I like this idea, as long as it's able to be done in a quick and easy way. My telephone banking password is about 8-9 characters long, but whenever I call, they ask for say the 1st, 3rd and last characters, or the 2nd 5th and 6th characters. That might be an alternative to working out your code-number while suffering from a hang-over and lack of sleep, it would also take up less space on the screen.
zen_tom, Jan 19 2005

       [zen_tom] When you call your bank's call centre, one of the reasons they ask for only a few letters from your password is because the bank doesn't want the call centre worker to know your password - the computer system is asking him/her to ask you for certain letters.
hippo, Jan 19 2005

       Another approach would be a keyboard which has a "delogger" built into it -- that is, every time you type a character, that character plus 3 or 4 random ones are sent to the computer, plus a number telling the computer which of those characters is the "Real" one -- and the keyboard and computer are linked so you can't use the keyboard with any other computer.
phundug, Jan 19 2005

       [hippo]Yeah sure, but using that same idea would work here, to thwart key-loggers and make passwords harder to break.   

       It's a more active password acceptance method. The traditional <username> <password> is a nice way to access a passive system, but the added complication of a random request from the system would make guessing or logging a password much more difficult.
zen_tom, Jan 19 2005

       Use something like Dasher (see link)
david_scothern, Jan 19 2005

       Are you trying to protect against a hardware or software keylogger? If we're talking about a hardware keylogger that connects between the keyboard and the computer than Dasher or phudong's suggestion would provide some protection. If we're talking about a software keylogger, I'd say you're out of luck. Both of those eventually have to send the keystrokes to some other piece of software.   

       Of course if a dasher-like interface were implemented on a web page, it might be difficult for software on the local computer to capture enough info to figure out the password. Unfortunately it would be somewhat easier for someone to look over your shoulder and read your password as you type it.   

       [Inyuki]'s idea would actually provide some marginal protection from a software keylogger. However, keylogging software could be made that would also capture the screen at the same time, so then someone could go back and look at the key that was being displayed while you typed. Assuming the key was displayed as a graphic using a hard to OCR font, that would make decoding the password a tedious manual process. You might think that such a keylogger would have to store way too much data, but it really would only need to capture the screen when a non-dictionary word (like an obfuscated password) was typed, and it could probably apply some fairly serious compression to the picture without compromising the readability too much.
scad mientist, Jan 19 2005

       The "table" could be displayed only when your mouse is over a specific area* on the page...   

       Letter equivalents could be different words instead of obscure symbol combinations...   

       * It would be explained in words, how to find this area... Also, the login page could be made to mildly change its appearance all the time, and also on every movement of mouse, so it wouldn't be possible to determine when exactly the "table" is displayed and when to take the screenshot.
Inyuki, Jan 19 2005

       And how do you know that this computer doesn't have a hosts file set up to redirect you to a different server that spoofs the web page to capture your password?   

       My point is that if you're paranoid and don't trust the hardware/software you're running on, you can't be sure that your password can't be captured unless you use an encripted login that runs on some hardware that you trust and carry with you. That role is filled by a smart card.   

       Apparently here in the USA we aren't very paranoid because even banks don't generally have the option for smart card login. Your system makes login a bit more secure, but since it is somewhat inconvenient to use, I suspect that if people were paranoid enough to want to use your solution, they would spend a little more money and skip straight to using smart cards.   

       This in an interesting idea for a different way to do things. I just don't think it has much of a market niche. But hey, this is the halfbakery, so i'll give it a bun for being interesting.
scad mientist, Jan 19 2005

       People don't just come in the paranoid and not paranoid varieties. Many site have regular and secure login options, and logout options which specifically mention public computers. This would make a good gimmick for a web based email service.
tiromancer, Jan 19 2005

       //And how do you know that this computer doesn't have a hosts file set up to redirect you to a different server that spoofs the web page to capture your password?//   

       I believe the https: protocol takes care of that, at least with browsers that display the actual hostname of the machine being accessed.
supercat, Jan 19 2005

       supercat hi, the https may take care of the password on its way to the server, but not from the keyboard to the pc. So this great halfbaked idea (Hippo your wrong, it WILL work), is saying that :   

       a. A standard for passwords should be created along with "current key generator".   

       b. With your browser you go to: www.inyuki.com (the inventor's site) and see a random table of letters. On a piece of paper you encrypt your password by using the "code" and write it in on the site (e.g. Halfbakery Hotmail or Paypal). perhaps you'll need to add a short word given to you as "key".   

       c. The sites that ask for a password use this service (Get Hotmail / HalfB or Paypal to agree to this) and although you did not enter your real password (Congruents) but rather the coded one (jaberwocky75) the site on the spot recieves Congruents. Using the same password again (jaberwocky75) wont work anymore...   

       d. And you cannot reconstruct Congruents back from jaberwocky75, because 5 minutes later jaberwocky75 means something else...
pashute, Jan 31 2006

       [pashute] That doesn't cover for the eventuality that keyloggers will have some sort of screen capture ability in the future, unless you do the whole scribble-it-down thing, which seems a bit much work.   

       However, this is a very good idea.
shapu, Jan 31 2006

       I would suggest that it might be useful for computers to include an encrypting mini-keyboard which was only accessible to administrator-level processes (this would only be meaningful on systems that limit adminstrator access to processes that should have it). Administrator-level password requests would only accept input from this mini-keyboard.   

       This would protect against social-engineering hacks such as popping up a fake box asking for the administrator password at a time when when the administrator password might reasonably be asked for. A user might see the box and type in his password, but if he did so on the encrypting mini-keyboard it couldn't be captured by the rogue application.
supercat, Jan 31 2006


back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle