Could this stop a keylogging attack?

Very good point.

Another idea:

Generate a random ‘keyboard layout converter’ image and a corresponding ‘program’ to convert keystrokes accordingly.
Maybe even change this image after each keystroke.
e.g. at the first keystroke q is converted to #, w -> l, e -> ., r -> …, t -> …, y -> … etc.
At the second keystroke q is converted to d, w -> 7, etc.
Not very quick, but if you don’t have to type your password often, it could be a workable solution.

Hi @Tom_Carlson

I visited this subject some time ago; the first post is followed by a second post that refines and corrects some initial ideas. The crux of the problem is finding a puzzle that is trivially solvable by the human brain, but near impossible to reverse engineer.

Maybe you can find some inspiration from this previous brainstorm:


How would this work??

x number of rows of letters/numbers… They are placed in alphabetical order but at different random starting positions and are moving at varying random speeds. Each row is moving in alternating directions.

You start at the top. As the letters go by, the user can press a particular ‘hot key’ when their desired letter or number is in the target. Then the second, then the third, then the fourth etc… Optionally, they may also type anything else, so that any keylogger just intercepts gibberish… The letters would not stop moving when the hotkey was pressed, so a camera wouldn’t work too well.

The program would discern the password, but a keylogger would need to log the rhythm of the hotkey presses and somehow synchronize it with the random starting positions of the letters and the random velocities… If this wasn’t complicated enough, the user could also specify which row they start at… So somebody with a camera wouldn’t know if their responses were to row 1, row 5 or row 10 …

Tom, there are ways of increasing the entropy, though I’m not suggesting this as a solution. I’m showing how data stored on SAFE could be used to create a set of credentials. Other systems could be created using this principle. You’ve pointed out the obvious flaw in my example, so… can we improve it?!

Why not use an account and an application in the SAFEnet to avoid keyloggers and other threats?

Might work as follows:
1 / We enter an account with the SAFE App Launcher that only has a single App inside. (We could call this App SAFEBridge.)
2 / This application, for example, could have a one-time-password system as two-factor authentication, a proprietary token such as RSA SecurID, or a paper hard copy with transaction authentication numbers.
3 / This application, once we authenticate, opens our true account, which will be secured. Now we can close the first account.

In this way an attacker with a keylogger could access the first account but not the second one.

Of course, if we are in a secure environment, we can log in to the second account on a regular basis.


What do you mean by [quote=“Tom_Carlson, post:3, topic:2934”]
Prior to login, there is just no information at all that’s available.
[/quote]
?

When you login to a standard web form, your credentials are submitted, validated then you’re logged in. It’s not like all your account info is accessible at the login page.

I’ve heard @dirvine say in a couple of videos that biometric login will eventually be available, but it wasn’t clear if that might replace the passcode field (different to the password field).

There is another option. Token Controlled Access is being developed by Cryptonaut420 on GitHub (cryptonaut420 · GitHub) collaboratively with Adam B Levine, creator of Let’s Talk Bitcoin. Token controlled access could be a way to securely access one’s maidsafe data without worrying whether or not a computer has been compromised by key logging software. The token is as secure as the private key of a bitcoin address. Proof of ownership is what allows access. This is an idea worth looking at.
Since many will be using maidsafe as a way to monetize their content, there will be a need for shared accounts, but shared in a way where access can be removed by the primary party; this could also be done with tokens. The name of this endeavor is Tokenly and it is quite powerful in the scope of possible applications in the online and physical world.

What about using BitID with Trezor or similar to log in?
It’s secure because the seed is offline and you can use it even on a compromised PC.

Am I the only one who doesn’t like biometric devices to log in?

You are not the only one. I do not like them one bit. All the movies where people are dismembered in order to access a biometric lock reinforce this dislike.


The password should not be replaced by any one thing, but instead should be supplemented by additional layers of security. The goal should be the holy trinity of security.

Something you know.
Something you have.
Something you are.

That’s not true. That information is available, it’s just not available to you. It is, however, available to the webserver. The webserver has the ability to access the database prior to your successful login. That’s how it’s able to check your password. It’s also how it does two-factor authentication.

In maidsafe’s case, there is no server and there is no data that’s accessible by the maidsafe client, until you decrypt that 1st blob with your passcode. [EDIT: public data is accessible without logging in]. That makes us need to think a little differently, when it comes to what is possible prior to successful login.

Exactly, the data is still on the server though, and even if you could hack and query a secure webform, the server would still have to “send” the data to the client/browser to load the website files locally. As you may know, that’s where caching comes in, to make websites faster. That’s why I was asking for clarification.

Another improvement: sound commands.
Then not only the keystrokes have to be logged and the screen captured, but also sound recorded…
Sound commands like ‘type random character next’, ‘type next character of password’ or ‘type next character of password, using keyboard conversion 3 on screen’ etc…

I’ve been thinking: when combining keyboard, screen and sound interface is a realistic way to give a password, circumventing keylogging and screen capturing without sound recording, then it can be easier than described in my previous response, of course:

There are 95 ASCII characters to choose from when typing a password.
Imagine a system password input app, showing a new keyboard convert layout image after each keystroke, with a unique random number between 0 and 99 assigned to each of these 95 characters and displayed on this image.
When the computer says (literally: a sound and not a screen interface) a random number between 0 and 99, add it to the number assigned to the next character of the password, as shown on the keyboard convert layout image on the screen, and do modulo(100), meaning of course if the result > 100, don’t type the first 1 of the result on the keyboard.
If the computer says e.g. ‘random 23’, type 23.
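As an added example (my own simulation, not code from anyone in this thread), the scheme just described, combined with the earlier ‘new keyboard layout image after each keystroke’ idea: for every keystroke the app draws a fresh number-per-character layout and a spoken offset, the user types the mod-100 sum (or just the spoken number when told ‘random’), and only the app, which knows both, can undo it. Function names, the decoy rate and the seeds are my assumptions.

```python
import random

ALPHABET = [chr(c) for c in range(32, 127)]   # the 95 printable ASCII characters the post counts

def new_layout(rng):
    """One 'keyboard convert layout image': a distinct number 0..99 beside each of the 95 characters."""
    return dict(zip(ALPHABET, rng.sample(range(100), len(ALPHABET))))

def keystroke_for(char, layout, spoken):
    """What the user keys in: (number shown beside the character + spoken number) mod 100, two digits."""
    return "%02d" % ((layout[char] + spoken) % 100)

def login_session(password, seed=None, decoy_rate=0.3):
    """Simulate one login. Returns (digits a keylogger would capture, password the app recovers).
    The app knows every layout image and every spoken number; a keylogger sees only the digits.
    seed=None uses the OS CSPRNG; an integer seed makes the run reproducible (assumed helper, for tests)."""
    if any(c not in ALPHABET for c in password):
        raise ValueError("password contains a character outside printable ASCII")
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    logged, recovered = [], []
    chars = iter(password)
    next_char = next(chars, None)
    while next_char is not None:
        layout = new_layout(rng)            # a new image after each keystroke
        spoken = rng.randrange(100)         # the number the computer says aloud
        if rng.random() < decoy_rate:
            # "random 23": the user simply types 23 and the app discards that keystroke
            logged.append("%02d" % spoken)
            continue
        typed = keystroke_for(next_char, layout, spoken)
        logged.append(typed)
        shown = (int(typed) - spoken) % 100                      # undo the spoken offset
        recovered.append(next(c for c, n in layout.items() if n == shown))
        next_char = next(chars, None)
    return "".join(logged), "".join(recovered)

if __name__ == "__main__":
    log, pw = login_session("hunter2 !", seed=7)
    print("keylogger captured:", log)
    print("app recovered:     ", pw)
```

Two runs with the same password give unrelated keystroke logs, so a captured log cannot be replayed, and without the image and the audio each two-digit value is consistent with every one of the 95 characters.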

I didn’t know this one existed yet.

Keystroke Recognition from Wi-Fi Distortion

https://www.schneier.com/blog/archives/2016/08/using_wi-fi_sig.html
