On Monday 20 June 2005 12:52 am, Brett Lymn wrote:
> On Mon, Jun 20, 2005 at 12:06:02AM -0500, Dave Feustel wrote:
> >
> > So far I see no defense against this spying
> > technique of password capture.
> >
>
> Regardless of whether they are built in or not - one possible way to
> get around keyloggers snatching passwords is to present an on screen
> keypad that changes the locations of the numbers/letters (to prevent a
> replay attack working), pick out a PIN or password on the screen,
> maybe even combining it with a typed password.

What you describe is what I was thinking of too. One-time passwords or challenge-response would work too, since they cannot be reused. My brother used to work for IDA in Princeton, and he had a little calculator-type device that would allow him to compute the response to a login challenge. That allowed him to log in and read his mail from my Windows PC without compromising his login credentials. But static passwords are dead with the advent of these built-in keyloggers.

> This will fall to a determined attack (video surveillance) but just
> about anything would.
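The challenge-response login mentioned in this message, as an added sketch that is not part of the original post: the server issues a fresh single-use challenge, the token computes a short response from a shared secret, and a response captured by a keylogger is rejected when replayed. HMAC-SHA256, the 8-digit truncation and all names here are assumptions; the post does not say what the device actually computed.

```python
import hashlib
import hmac
import secrets


def token_response(key: bytes, challenge: str, digits: int = 8) -> str:
    """What the hand-held device would display for a given challenge (assumed scheme)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    # Truncate the MAC to a short decimal code a person can type.
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class ChallengeResponseServer:
    def __init__(self, user_keys: dict[str, bytes]):
        self._keys = user_keys
        self._pending: dict[str, str] = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(8)  # fresh and unpredictable per login
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        # pop() makes every challenge single-use, whether or not the answer is right.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._keys:
            return False
        expected = token_response(self._keys[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool, bool]:
    key = secrets.token_bytes(32)  # constructed shared secret for the example
    server = ChallengeResponseServer({"alice": key})

    challenge = server.issue_challenge("alice")
    typed = token_response(key, challenge)  # the only thing a keylogger sees
    first_login = server.verify("alice", typed)

    # Replay 1: the captured response with no challenge outstanding.
    replay_without_challenge = server.verify("alice", typed)
    # Replay 2: the captured response against a new challenge.
    server.issue_challenge("alice")
    replay_new_challenge = server.verify("alice", typed)
    return first_login, replay_without_challenge, replay_new_challenge


if __name__ == "__main__":
    print(demo())
```

The shared secret never passes through the keyboard of the untrusted PC, which is why capturing the typed response does not compromise the account.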

