Password Keystroke Snarfer Programs

[Bill Stewart <stewarts@ix.netcom.com>]

Several articles on the PGP-users mailing list have discussed
keystroke snarfers that unexpectedly grab and save keystrokes,
including passwords, severely weakening any benefits from encryption.
taoboy <taoboy@sprynet.com> mentioned Mac programs FileGuard and 
HiddenOasis and the SpellCatcher spell-check program's Ghostwriter feature,
which he'd noticed had stuck his password into a disk file;
he suggests that Windows machines probably have similar surprises.

From: patm@connix.com (Pat McCotter)
> Which is why, every once in a while, I do a search of my entire disk for my
> PGP pass phrase and various other passwords I use. [....] I do this with
> Norton DiskEditor.  I have to upgrade to do this on my Win95 machine which I
> understand is much worse than Win3.x in this area.

Be careful - PGP goes to a lot of effort to overwrite your passphrase
when it's done using it; Norton or grep or other disk-crawlers are unlikely
to do so, because that sort of paranoia's not part of their job,
and simply typing in a command in a command window will often get it saved
in a command history file.  So your search for the passphrase on disk makes it
_more_ likely that some program will stash it on your disk...
You could work around this by using a complex passphrase and adding a 
distinctive word to the end, e.g. "mumblefrotz foobaroid zarquon FINDTHIS",
which doesn't become much less secure if the FINDTHIS gets left on the disk
from your "grepemall FINDTHIS c:" command.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)