Author Topic: Possible Solution To Keyloggers  (Read 6712 times)

Offline Riverhead

Though a pain, an option would be to boot Ubuntu via stock Live CD, install the client (hopefully thin client will be out shortly), restore your .json from a read-only SD card, online drive, whatever. Do your transactions, back up the .json to wherever you store it and turn the computer off.


If you're paranoid about BIOS hacks, buy a cheap $200 laptop and only use it for this purpose.

Offline Method-X

Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

It definitely matters how you input the password. If my computer is compromised with a keylogger and the hacker gets my wallet file, he still won't be able to access it due to the wallet being secured with a strong password.


If someone can run a keylogger on your computer, he can certainly run anything else like software to capture images from the camera.


Anyway, he doesn't even need to do that. Once the wallet is in an unlocked state, he can just transfer any funds to his own account.

This isn't how hacking works. The hacker doesn't literally have complete control over your computer (in most all real world cases). The malicious code would likely:

a) Search for and send the wallet .json file.
b) Log keystrokes and send log every X days.

While it's technically possible to log video, it's nowhere near as common or easy to do.

All that aside though, using a QR code to log in would at the very least allow me to input a strong 100 character password in a user friendly way.


Offline arubi

Wouldn't it be like 2FA?

Nope, it's just letting the user input a password in a more secure way.


Could also do on-screen keyboard. All modern OS's have this, though I like the idea of some sort of non-typed input. Perhaps a third party add-on.

The problem with an on screen keyboard is I have to use a password I can hold in my memory and it can't be too difficult to type out.

QR code login:

a) Allows for LONG secure passwords
b) Keylogger resistant
c) User friendly (hold paper up to camera)

There's a chance that your webcam could be spied on as well, though, isn't there?

I use a password manager with copy-to-clipboard functionality. The password is never shown, and the clipboard is cleared after 10 seconds. Easy!


It doesn't even matter that the password is not shown. It's still being "typed" into the "unlock wallet" password field by the password manager software.
Also, you do input a master password to access the database, so someone could just log that and copy the database.

Point is, if the operating system is compromised, then there's no way to keep using it for anything.


** saw your edit, my point still holds

Offline roadscape

Wouldn't it be like 2FA?

Nope, it's just letting the user input a password in a more secure way.


Could also do on-screen keyboard. All modern OS's have this, though I like the idea of some sort of non-typed input. Perhaps a third party add-on.

The problem with an on screen keyboard is I have to use a password I can hold in my memory and it can't be too difficult to type out.

QR code login:

a) Allows for LONG secure passwords
b) Keylogger resistant
c) User friendly (hold paper up to camera)

There's a chance that your webcam could be spied on as well, though, isn't there?

I use a password manager with copy-to-clipboard functionality. The password is never shown/typed, and the clipboard is cleared after 10 seconds. Easy!

Edit: and yes clipboard could be unsafe too, but here's a possible solution: http://keepass.info/help/v2/autotype_obfuscation.html
« Last Edit: September 13, 2014, 05:26:51 pm by roadkill »
http://cryptofresh.com  |  witness: roadscape

Offline arubi

Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

It definitely matters how you input the password. If my computer is compromised with a keylogger and the hacker gets my wallet file, he still won't be able to access it due to the wallet being secured with a strong password.


If someone can run a keylogger on your computer, he can certainly run anything else like software to capture images from the camera.


Anyway, he doesn't even need to do that. Once the wallet is in an unlocked state, he can just transfer any funds to his own account.

Offline liondani

Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

It definitely matters how you input the password. If my computer is compromised with a keylogger and the hacker gets my wallet file, he still won't be able to access it due to the wallet being secured with a strong password.

 +5%

Offline Method-X

Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

It definitely matters how you input the password. If my computer is compromised with a keylogger and the hacker gets my wallet file, he still won't be able to access it due to the wallet being secured with a strong password. Keyloggers don't log video from a computer's camera.
« Last Edit: September 13, 2014, 05:16:34 pm by MeTHoDx »

Offline arubi

Not sure how this helps.
If your computer is compromised, it won't matter how strong your password is or how you input it...

Offline Method-X

Wouldn't it be like 2FA?

Nope, it's just letting the user input a password in a more secure way.


Could also do on-screen keyboard. All modern OS's have this, though I like the idea of some sort of non-typed input. Perhaps a third party add-on.

The problem with an on screen keyboard is I have to use a password I can hold in my memory and it can't be too difficult to type out.

QR code login:

a) Allows for LONG secure passwords
b) Keylogger resistant
c) User friendly (hold paper up to camera)

Offline cryptillionaire

Wouldn't it be like 2FA?
2FA via Google Auth or YubiKey would also be a really handy optional feature.
If there's an open-source 2FA hardware USB key, perhaps a Keyhotee implementation could be researched?

Offline Riverhead

Wouldn't it be like 2FA?

Nope, it's just letting the user input a password in a more secure way.


Could also do on-screen keyboard. All modern OS's have this, though I like the idea of some sort of non-typed input. Perhaps a third party add-on.

Offline Method-X

Wouldn't it be like 2FA?

Nope, it's just letting the user input a password in a more secure way.

Offline xeroc

The only thing you need here is a HID USB QR-code scanner that types in your passphrase so that you don't need to :-)

Offline serejandmyself

Wouldn't it be like 2FA?
btsx - bitsharesrussia

Offline Method-X

How about letting users log in using a QR code?

Like this:



Click the QR code, camera window pops up letting the user input the password via a QR code. It's optional so it won't put up any extra barriers for the average user. This way I can use a very secure password, not have to remember it and not worry about keyloggers. I know it's technically possible to log video but this would at least make it somewhat harder for a hacker to go under the radar.
« Last Edit: September 13, 2014, 04:08:55 pm by MeTHoDx »