Here's the article. It includes nice advice on how to have passwords that even YOU don't know--and how to use them in a way that helps avoid keystroke recorders.

Which brings up a question: Suppose one wanted to make a random password--a long string of random characters plucked on a keyboard. That's a good password, but it COULD conceivably be recorded by a keystroke recorder WHEN you're creating it (I will say, the idea of keystroke recorders frightens me most regarding computer security--and their use is not unknown among some LE departments).

So, what would happen if you created such a password, and then used your mouse to select and overwrite (again, randomly) random parts/characters of the password--and did that over and over in a random fashion? You would have a random password, with random characters, over-written repeatedly in random portions, by more random characters, a random number of times...

Would that foil keystroke recorders, because they would have no way to know which characters or text you selected for overwrite using your mouse?

Sounds plausible, but are you asking out of curiosity or are you paranoid about it?

Voice control would do it...

My problem with security is an epistemological one: it's easy to read an article and study a topic and "know what you know." But in the area of security it's not always easy to know what you DON'T know--and of course, it's what you don't know that represents a security danger to you.

So, I try to think about such things more or less as an intellectual exercise.

The article I linked to recommends storing your complex password in a secure place, and then copying and pasting, rather than typing it, in order to foil the problem of keystroke logging. The problem is that you would have to type to SET UP those passwords originally...and, you would probably have to type a password in order to unlock the security that protects the place your keep your passwords!

My idea was that this would be easy to get around if the keystroke logger could ONLY log keystrokes--and nothing else. You could write and overwrite a password field, using the mouse to locate your changes, and it would be essentially impossible to decode your passwords from a mere record of keystrokes--because it would be impossible to tell which strokes "counted," and WHERE those strokes resided within the password.

But I have zero experience with ACTUAL security issues: I was hoping someone had enough experience to determine whether my idea was reasonable or not. If keystroke loggers also recorded all mouse positions, clicks, and selections, then virtually everything you did on your computer could be "decoded" to determine what you were up to.


This suggests another question: If one used a linux-based operating system on an encrypted memory stick for sensitive applications and browsing, then it would seem likely one could go a long way toward avoiding software logging--especially if one regularly re-loaded such operating systems and changed one's passwords. In that case (I think--I'd like an expert opinion) you would really only have to worry about hardware keystroke loggers--and I would suspect those would probably NOT also record mouse data (which, really, if I understand it correctly, would only be expected to reside in software--and not the hardware of the mouse itself.

SWIMfriend - Have you looked into One Time Passwords (OTP)? I've been testing this method for a few years now and while it has a few flaws it aims to solve the keylogger problem (and some other issues) you describe.

https://www.yubico.com/
https://www.yubico.com/d...tware/validation-server/

This topic is of great interest to me and I will respond a bit more on this later. For now, I wanted to share this resource and get the gears turning.

The wikipedia article on keystroke logging seems quite informative. An interesting thing it talks about is network monitoring -- which seems like a potentially very useful thing for anyone to have.

That's the problem with all this: the more you learn, the more you realize what you DON'T know...lol.

This does look very cool indeed. Two things, though:

1) (Geez, maybe I'm paranoid. The fact is that I have UTTERLY NO REASON to believe that anyone should be interested in spying on me--however, as I gain interest in perhaps generating...ahem...lifetime supplies...just as b*rk issues are becoming inflamed, I'd like to think about COMPLETELY RE-DOING my computer and system, and starting all again with hyper-vigilant security awareness--including new ISP, etc.) but....problem #1: Whenever I deal with a second party I have to ask the question "How do I know they can be trusted? If I were a high-level government agency the FIRST THING I'd think of would be to start a company that many people might think of as a "security company," and then backdoor the pants off it. (like, for example, a VPN--or tor, which was FINANCED by government, no? For all I know tor stuff goes STRAIGHT to government servers!)

2) I am interested in password issues, but it's really keyloggers GENERALLY that I'd like to be able to thwart, if possible.

Take a look under the developer section of the site. They offer ALL the code as open-source packages. For the extra-paranoid you can run your own validation server. Take a look at the APIs and PDF documentation...

I'll expand on this more when I don't have a headache after a day of redoing my own systems for the exact same things you describe. After playing with Windows some it's back to Linux!

Right. I do feel good about open source stuff--another reason I like what TrueCrypt represents.

I've been interested in security for a long while now too.

If you use use windows onscreen keyboard, it uses mouse clicks and no keyboard strokes are stored.
Start > All Programs > Accessories > Ease of access > On-Screen Keyboard

Also the use of 'Auto Form Filling' can have similar benefits...

This was also interesting, copy pasted from another forum:
I used to keylog people all the time, so i'll give you some tips from experience. The keylogger can be made undetectable very easily, especially from commercial software like Norton, Avast, etc. through packaging/binding them with special rootkits.

Anyways, it tracks keystrokes, but not copy and pastes. So i'd suggest if you know you're logged and you NEED to enter a CC # for some reason, here is what you do:

Open notepad, have credit card number handy, and make a pattern you recognize only. Maybe if your # was 1892 (first 4 digits as an example), then you'd make it so you can type random numbers, but every 6th digit is a number. So it'd be 29384110202818279911183228374 etc. and then simply copy and paste the number. It will be nearly impossible for anyone to figure that out.

*I will infer then that most people interested in keystroke logging DO NOT utilize capacity to also log mouse data--so that opens a lot of possibilities for safety, including my original ideas.

Advanced keyloggers work with clipboard and also take screenshots of the screen so virtual keyboard in not that useful.

And it gets worse - TEMPEST
https://www.youtube.com/watch?v=B05wPomCjEY
https://www.youtube.com/watch?v=ozl8_8wzEVI

About here Tor and the military, here is a comment from Michael Reed, one of the original designers of Tor.



https://lists.torproject...k/2011-March/019898.html
https://lists.torproject...k/2011-March/019913.html

To put things in perspective, ARPANET was funded by United States Department of Defense and National Christian Foundation funded Tor too. Can I get "Jesus owns all the nodes!"
https://www.torproject.org/about/sponsors.html.en


I am pretty surprised that article did not mention KeePass which is, in my experience, kind of a standard password manager recommendation.

"But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.”

Offline backup of the password manager data is always recommended.

"Mr. Grossman said he did not trust the software because he didn’t write it"

Source code is usually available if one is proficient enough in such matters.

"Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked."

The paper deals with analysis of password manager software. They have shown some poor designs of some software but that is pretty much it. I would not avoid using reputable password managers due to this analysis.

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

For a nonFBI threat level, I recommend using full disk encryption, password managers (KeePassX or Password Safe) and long phrases with addition of random characters - "I love Nexus so much it's not even funny ieg56Hh".

http://www.guardian.co.u...ov/13/internet-passwords
https://www.schneier.com...9/recent_developm_1.html

It appears that even if an intelligence is great enough to devise decent security...there will always be a way to reverse-engineer and eventually render the security invalid. (virtual evolution in action)

I guess that the only True way to disclose sensitive information is to physically whisper it in to the recipients ear...Even then there is a trust issue.

I'ts a sad world...Big Bro is virtually omnipotent...