We did timed password entry in my crypto-course at the university.
When my partner had finished training, I actually managed to get
it right on the first try, just from having heard his training
inputs.

My arguments here are that a) a timed sequence may contain a
lot fewer bits than suspected and b) acoustic monitoring can
defeat it easily. As to keyloggers, AFAIK, there are those
with millisecond-resolution timestamps.

I think the only solution is some interaction on the screen and
some sort of challenge-response where the keylogger does not get
the challenge. Can be defeated as well, but not by, e.g., a
hardware keylogger in the keyboard or keyboard cable. And
generates a lot more data to be stored.

Arno

On Thu, Aug 30, 2007 at 12:55:11PM +0930, Roscoe wrote:
> I quite like gpggrid's approach to defeating key loggers:
> http://tinfoilhat.shmoo.com/source/gpggrid.c
> [I'd like it more if it were done so I didn't have to hit 3 keys to
> enter 1 character.]
>
>
> Regarding timed passwords:
> I don't think this is the best way to approach defeating key loggers.
> You are relying on the key logger not storing information that is
> nonetheless still available to it. It might work for now, but what about
> the next generation of key loggers? Seems like it would be a very easy
> feature to add.
>
>
> On 8/30/07, Klaus-J. Wolf <yanestra@xxxxxxxxxx> wrote:
> > Hi,
> >
> > I have written a small tool which allows entering timed passwords. Timed
> > passwords might be useful when a key logger is present (like the
> > Bundestrojaner recently discussed in Germany). AFAIK there are no key loggers
> > that are able to log the key timings.
> >
> > I've written that small piece of code for the curses library, which, after
> > all, might not be a perfect solution. (It's simply the easiest one.)
> >
> > It could be possible to link the code with cryptsetup-luks, or, it can be used
> > separately by a frontend script.
> >
> > It appears to work well, but requires some learning effort. Only relative
> > timings are used, so you can still enter your passphrase even if you can't use
> > all fingers.
> >
> > What do you think?
> >
> > Regards
> > k.j.
> >
> > ---------------------------------------------------------------------
> > dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
> > To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
> > For additional commands, e-mail: dm-crypt-help@xxxxxxxx
> >
>

--
Arno Wagner, Dipl. Inform., CISSP --- CSG, ETH Zurich, wagner@xxxxxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier