At 02:09 PM 10/18/2002 -0500, Jim Davidson wrote:
...

> Next, there is the issue of entering your password.  Obviously, if
> you have a hidden keystroke logger on your computer about which
> you know nothing, it does not matter if the connection to e-gold.com
> is secure.  You still have your password logged.  A bad thing.
Correct.

> Your typical keystroke logger can't do two things.  First, it
> cannot do anything about data in the clipboard (Windows and
> Macintosh products both use a clipboard for temporary storage
> of text or other data).  If you paste the clipboard into the
> field for password, what appears there is not keystroked - the
> keystroke might be ctrl+V but that's hardly revealing.  If
> nothing is typed, nothing is keystroke logged.
Yes, and on that point I recommend a two-part password. You type in the first part from memory using the keyboard. You then open up a notepad file you have squirreled away somewhere, double-click a particular chunk of text in that file that only you know about, type Ctrl-C to copy it to the clipboard, and then type Ctrl-V in the e-gold password field. This pastes in the second part of the password.

That way for somebody to Trojan your password, he would have to:

1. Install a keystroke logger on your machine to grab the first part of the password that you type from memory.

2. Somehow compromise your system so he can browse through the files on your hard drive.

3. Somehow figure out which strange notepad file on your hard drive contains the second part of your password.

4. Somehow figure out which exact chunk of text in that file is in fact the second part of your password.

[OR, he could find some way to create a "clipboard Trojan." I don't know if that's ever been done. Besides, he would need to install both the keyboard Trojan and the hypothetical clipboard Trojan on your machine.]

That all sounds like a very tough job to me. Even if the hacker logged the first part of your password and snagged the file itself, it would still be difficult for him to check every possible double-clickable chunk of text in that file as the second part of the password. The Turing number on the login screen would make this extraordinarily difficult to automate.

Plus, every month or so you could choose a different chunk to use as part two of your password. There's nothing new to remember other than the position in the file.

Again, this sounds pretty tough to crack in my humble opinion. For more expert advice, I defer to Bryan Allerdice, whose comments may be worthy of a tip.

Regards,
Patrick Chkoreff
http://fexl.2cw.org


> You can also use the virtual keyboard, but that may be subject
> to monitoring via TEMPEST or van Eck devices.
>
> Regards,
>
> Jim
> http://cambist.net/
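As an added example (not from either author), the script below measures how much secrecy Patrick's "position in the file" step contributes once an attacker already has the keylogged first part and a copy of the notepad file: it counts the distinct double-clickable chunks and converts that to bits and to a worst-case time at a capped login rate. It assumes a chunk is a run of letters, digits and underscores (Notepad's real word-break rules differ in detail), uses a constructed sample file, and takes the guesses-per-hour cap as a parameter because the thread gives no figure for e-gold's Turing number or lockout policy.

```python
import math
import re

# Constructed sample "notepad file" standing in for the one Patrick describes.
# Assumption: a real file would be larger, but the shape of the result is the same.
SAMPLE_NOTEPAD = """\
Shopping list: eggs, milk, bread, coffee
Meeting notes 2002-10-18: discuss Q4 budget with accounting
Random passage: the quick brown fox jumps over the lazy dog
Serial numbers: AX7Q-22LM-9ZKP, BT3R-77NV-1QWE
"""

# Assumed double-click behaviour: a chunk is a run of word characters (letters,
# digits, underscore), so punctuation such as the hyphens in the serial numbers
# splits one visual token into several candidates.
WORD_RE = re.compile(r"\w+")


def candidate_chunks(text):
    """Return the set of distinct double-clickable chunks in the file."""
    return set(WORD_RE.findall(text))


def position_secret_bits(text):
    """Bits of secrecy the 'position in the file' adds once the file itself is
    known: log2 of the number of distinct candidates, each equally plausible."""
    n = len(candidate_chunks(text))
    return math.log2(n) if n else 0.0


def hours_to_exhaust(text, guesses_per_hour):
    """Worst-case hours to try every candidate as part two of the password, at a
    login rate capped by the site's Turing number and lockout policy.
    Assumption: guesses_per_hour models that cap; the thread gives no figure."""
    return len(candidate_chunks(text)) / guesses_per_hour


if __name__ == "__main__":
    chunks = candidate_chunks(SAMPLE_NOTEPAD)
    print(f"{len(chunks)} distinct chunks, "
          f"{position_secret_bits(SAMPLE_NOTEPAD):.1f} bits of position secrecy")
    print(f"{hours_to_exhaust(SAMPLE_NOTEPAD, 20):.1f} hours to exhaust "
          f"at 20 guesses/hour")
```

The number that matters is the chunk count, not the file's size in bytes: a typical text file yields hundreds to a few thousand candidates, so the rate limit on the login form is what carries the scheme once steps 1 and 2 of Patrick's list have happened.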
