
Password Keystroke Snarfer Programs



Several articles on the PGP-users mailing list have discussed
keystroke snarfers that unexpectedly grab and save keystrokes,
including passwords, severely weakening any benefits from encryption.
taoboy <[email protected]> mentioned Mac programs FileGuard and 
HiddenOasis and the SpellCatcher spell-check program's Ghostwriter feature,
which he'd noticed had stuck his password into a disk file;
he suggests that Windows machines probably have similar surprises.

From: [email protected] (Pat McCotter)
> Which is why, every once in a while, I do a search of my entire disk for my
> PGP pass phrase and various other passwords I use. [....] I do this with
> Norton DiskEditor.  I have to upgrade to do this on my Win95 machine which I
> understand is much worse than Win3.x in this area.

Be careful - PGP goes to a lot of effort to overwrite your passphrase
when it's done using it; Norton or grep or other disk-crawlers are unlikely
to do so, because that sort of paranoia's not part of their job,
and simply typing in a command in a command window will often get it saved
in a command history file.  So your search for the passphrase on disk makes it
_more_ likely that some program will stash it on your disk...
You could work around this by using a complex passphrase and adding a 
distinctive word to the end, e.g. "mumblefrotz foobaroid zarquon FINDTHIS",
which doesn't become much less secure if the FINDTHIS gets left on the disk
from your "grepemall FINDTHIS c:" command.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
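As an added illustration of the marker-word technique described above (this is example code written for this page, not Bill Stewart's or any PGP tool's), the script below walks a directory tree looking only for the distinctive suffix word, so the real passphrase is never typed on a command line, never held by the search tool, and never written to a shell history. The names `MARKER`, `scan_for_marker` and `build_sample_tree` are assumptions of this example, and the sample files it creates in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Assumed marker: the distinctive word appended to the real passphrase
# (e.g. "mumblefrotz foobaroid zarquon FINDTHIS"). A disk search looks for
# this word alone; the passphrase itself is never searched for.
MARKER = b"FINDTHIS"


def scan_for_marker(root, marker=MARKER, chunk_size=1 << 20):
    """Walk `root` and return root-relative POSIX paths of files containing `marker`.

    Files are read in chunks with a (len(marker) - 1)-byte overlap so a marker
    straddling two chunks is still found. Unreadable entries are skipped.
    """
    marker = bytes(marker)
    overlap = len(marker) - 1
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    tail = b""
                    while True:
                        chunk = fh.read(chunk_size)
                        if not chunk:
                            break
                        if marker in tail + chunk:
                            hits.append(path.relative_to(root).as_posix())
                            break
                        tail = chunk[-overlap:] if overlap else b""
            except OSError:
                continue  # permission errors, special files, etc.
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a temp dir with a 'snarfed' file, a shell history
    that recorded the search command, and clean files. Returns the root path."""
    root = tempfile.mkdtemp(prefix="snarfer-demo-")
    Path(root, "notes.txt").write_bytes(b"shopping list: milk, eggs\n")
    # A spell-checker's autosave that captured what was typed, marker included.
    Path(root, "ghostwriter.log").write_bytes(
        b"... mumblefrotz foobaroid zarquon FINDTHIS ...\n"
    )
    sub = Path(root, "sub")
    sub.mkdir()
    # The search command itself ends up in a history file; only the marker
    # leaks here, which is the point of the technique.
    Path(sub, "history").write_bytes(b"grepemall FINDTHIS c:\n")
    Path(sub, "binary.bin").write_bytes(bytes(range(256)))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in scan_for_marker(root):
        print("marker found in", hit)
```

Running it reports both `ghostwriter.log` (the file a keystroke snarfer wrote) and `sub/history` (the search command itself); the second hit is harmless because the history only ever saw the marker, not the passphrase, which is exactly the trade the post describes.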