
[ Virtual Password ]

Submitted on: 10/13/2004 2:23:27 PM
By: D. Rijmenants  
Level: Beginner
User Rating: By 28 Users
Compatibility: VB 5.0, VB 6.0
Views: 27680
 
This is a whole new concept for entering passwords. By using this system, it's impossible to steal your passwords by keylogging, capturing mouse events or positions, screen captures, or hooking those really unsafe textboxes with hidden but unsafe passwordchars (*). All these tricks cannot be used, and you can enter your password without fear of a compromise. The characters are 'entered' by detecting pauses in moving over a random character field. You'll need to try it to understand it. The zip includes the Password Form and a Demo Form to explain the function. You're a bit paranoid about security? This is your code! Read all the comments in the code!

PS: I noticed that some people didn't quite understand the purpose when I used a textbox in the demo to visualize the result, so I decided to use another way to demonstrate it. Basically it goes like this: don't use that window any more that pops up and asks you to enter a password in a textbox on the form (even those *****-boxes can be read by calling the window from outside your program!). NO, you use the frmEnter INSTEAD of a textbox. The program is NOT used to put a password in a textbox, but to pass the password directly to your source code.

All your comments and suggestions are most welcome :-)

*** 10/19: made the square change after each char and use random validation times ***
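A minimal Python sketch of the mechanism the description outlines (dwell over a scrambled character square, random validation time, new square after each character). It is an added example, not the author's VB code from the zip; the A-Z, 0-9 alphabet is taken from a comment further down, and the 6x6 layout, 40-pixel cells, 1 to 3 second dwell range and all names are assumptions.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # A-Z, 0-9 as in the comments
COLS, CELL = 6, 40                  # assumed layout: 6x6 grid of 40-pixel cells
_rng = secrets.SystemRandom()       # OS CSPRNG: layout and timing are not seed-derived

def new_grid():
    """Freshly shuffled layout: list index = cell number, value = character."""
    chars = list(ALPHABET)
    _rng.shuffle(chars)
    return chars

def cell_at(x, y):
    """Map a pointer position to a cell number, or None when off the grid."""
    col, row = x // CELL, y // CELL
    on_grid = 0 <= col < COLS and 0 <= row < len(ALPHABET) // COLS
    return row * COLS + col if on_grid else None

class DwellEntry:
    """Validates a character once the pointer rests in one cell long enough."""
    def __init__(self, min_dwell=1.0, max_dwell=3.0):
        self.min_dwell, self.max_dwell = min_dwell, max_dwell
        self.entered = []           # stays in memory; never written to a control
        self._next_square()
    def _next_square(self):
        self.grid = new_grid()      # new scrambled square for every character
        self.threshold = _rng.uniform(self.min_dwell, self.max_dwell)
        self.cell = self.since = None
    def feed(self, t, x, y):
        """Take one pointer sample (seconds, pixels); return a validated char or None."""
        cell = cell_at(x, y)
        if cell != self.cell:       # pointer changed cell: restart the dwell timer
            self.cell, self.since = cell, t
            return None
        if cell is None or t - self.since < self.threshold:
            return None
        self.entered.append(self.grid[cell])
        self._next_square()         # the next sample restarts timing on the new layout
        return self.entered[-1]

def simulate(password, step=0.25):
    """Constructed pointer trace: hover over each wanted character until accepted."""
    entry, t = DwellEntry(), 0.0
    for wanted in password:
        idx = entry.grid.index(wanted)      # where this square placed the character
        x, y = (idx % COLS) * CELL + CELL // 2, (idx // COLS) * CELL + CELL // 2
        while entry.feed(t, x, y) is None:
            t += step
    return "".join(entry.entered), t
```

Because the square is reshuffled on validation, a pointer left resting in place starts timing whatever character the new layout puts under it, so the user has to move on after each accepted character.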

 

 
Terms of Agreement:   
By using this code, you agree to the following terms...   
  1. You may use this code in your own programs (and may compile it into a program and distribute it in compiled format for languages that allow it) freely and with no charge.
  2. You MAY NOT redistribute this code (for example to a web site) without written permission from the original author. Failure to do so is a violation of copyright laws.   
  3. You may link to this code from another website, but ONLY if it is not wrapped in a frame. 
  4. You will abide by any additional copyright restrictions which the author may have placed in the code or code's description.



 


 

Other User Comments
10/13/2004 10:18:14 PM buhhmann

Very novel idea! I give you 5 globes man ;)

 
10/14/2004 2:27:32 AM Light Templer

Yes! A cool new idea! I like it very much and give you 5 ***** for.
Regards - LiTe

 
10/14/2004 6:22:29 AM CubeSolver

I really like your idea. Thanks for sharing. One drawback to this is your password is revealed to anyone staring over your shoulder.

 
10/14/2004 9:24:48 AM Mike Douglas

Also, with scrambled character order, doesn't exactly promote use of long passwords.

 
10/14/2004 1:37:14 PM D. Rijmenants

To CubeSolver, indeed, the program prevents stealing through the PC, but you still need a bit of physical privacy, although someone would have to peek very closely to see whether a char is validated and follow each move, a bit hard no? As for Mike, without scrambled alphabet one could capture the movements and translate the fixed coordinates into plain text. Unfortunately security mostly requires some effort. On average you easily enter 6 chars in 20 seconds (searching the alphabet included), presenting a pretty good password with 56,800,235,584 combinations. What to choose? Safe or Fast?

 
10/15/2004 4:50:13 AM skansoft

Nice Idea. 5 stars.

 
10/15/2004 7:57:21 AM Mr.Sekhar

GREAT IDEA

 
10/16/2004 8:44:03 AM Karim

Excellent!

 
10/16/2004 12:30:07 PM Chris Seelbach.

It is very easy to make something better, once you have been shown the way. It is MUCH more difficult to create something new, which is what you have done here. Thanks for sharing. 5 marbles 4 U

 
10/16/2004 6:34:40 PM

I *LOVE* it !!!
Congrats and thanks for sharing this :)

 
10/17/2004 4:50:30 AM D. Rijmenants

Little Note: forgotten to actually validate a new code in the demo. Not really important for the demo, but now it acts like in reality.

 
10/19/2004 7:48:48 AM Eric O'Sullivan

Actually, the password can still be captured. If you wrote a program to monitor for your exe being run, which then monitored for the specific window with the password, you could then take a screenshot of the password window and start recording mouse movements at that point. The password could then be extracted via an external program. It's more difficult but far from impossible. I have to say though, it was a good idea and one I like. It just isn't fool-proof (yet) ;-) Keep up the good work!

 
10/19/2004 8:13:08 AM D. Rijmenants

To Eric: Nothing is foolproof, but this way is a lot harder to intercept than the usual weak password entering. But you gave a good tip: not knowing when a char is validated will prevent deducing the selected char from the mouse positions, so using an rnd time range instead of 1 second for validation will render your system useless. Thanks for the idea.

 
10/19/2004 9:42:43 AM Eric O'Sullivan

Not really. Anything you do could theoretically be duplicated via a monitor program. You'd also have the problem of the user not knowing exactly how long to wait until the character was entered. If you displayed each character as it was entered, you'd defeat the whole purpose of it as the password would then be displayed (unless you displayed stars in a label for each character). And how would the user correct mistakes?

 
10/19/2004 10:10:25 AM D. Rijmenants

I just completed an update. A time-frame is possible if after a rnd time, the pointer-view is changed for a certain time in which the user can stay (and validate) or move. BUT, I decided to do another approach. If stopped on a char, after a rnd time (min 1 sec) the char is validated and a new scrambled square is generated. Each new square can be monitored, but since the times between each validation are different, capturing the screen is a moment in time and not a clue to which was pointed when the square actually changed, and the mouse coordinates change every time. Yes, there will be other cracking possibilities, but I'll make it as hard as possible. Please feed me with feedback and I'll try to keep them ahead...;-)

 
10/19/2004 11:27:30 AM Eric O'Sullivan

Well, that would at least cause storage problems for a key/screenshot logger trying to crack the program. Not perfect but an improvement :-) Perhaps creating/destroying/recreating (perhaps a new instance of the window after each letter is validated?) the letter window would also cause problems because a new hWnd would be generated. That'd be hell for a program trying to catch the mouse movements as they'd have to scan for the window each time (I'd also advise removing any caption from that window if you haven't already).

 
10/23/2004 5:29:41 PM NaLe!T

it is a nice idea indeed but it gets a bit bored when u need a 2-3 minutes to enter a password

 
11/7/2004 8:18:56 PM

The Best idea ! ! !
Continue sharing code like this...
You have five from me too

 
11/30/2004 10:32:36 AM

If a spy application attaches to the program as a debugger it can watch everything the application does, it can get the random values, it can get the letter text as it's generated (or image reference or whatever) etc etc. But on a secure system where the app would run under administrator and other applications would not, it's great.

 
12/5/2004 11:03:48 PM ThomasJ

Brilliant young man! Absolutely love it! 5 Globes!

 
12/23/2004 3:34:41 AM PluckyRobert

Why the heck does Windows offer system-wide hooks and subclassing of the keyboard? Was Windows written to support hackers or what?

 
1/16/2005 2:32:57 AM vampyr

just place the form at a random place, problem solved

 
1/16/2005 5:56:04 PM

Sorry to say that although the idea is brilliant, it provides security mainly to an unsecure computer such as might be found in a library or internet cafe; it is WAY too burdensome for a home PC user with no really big security problem.

Anything requiring super security, such as accessing top-secret diplomatic data, should only be done from a secure site, not the neighborhood library. And even then, not over the public internet.

Fun to look at, but I would never use it due to the hassle.

Mac


 
1/17/2005 7:36:17 AM

Here is a suggestion for an improvement that would make the program more usable.

In the current Virtual Password program, there is a Ouija board that contains A-Z,0-9 randomly presented. Trying to enter a password is difficult because one has to scan the random list.

In another post here, I uploaded a demonstration of a technique whereby you could do the shuffling another way and thus keep the Ouija board in alphabetic order, making it much easier to use.

The demo is named "Password Scrambler" and is found at
http://www.planet-source-code.com/vb/scripts/showcode.asp?txtCodeId=58322&lngWId=1

It would make your overall input screen bigger and uglier, but more useful.

:-)

Mac


 
1/17/2005 12:23:49 PM D. Rijmenants

Hi Mac, Checked out your submission Password Scrambler. Great idea!!!

 
1/23/2005 4:15:42 PM Lucausada

Here is an idea, use a random timer for 1 to 6 seconds a pause. Then, when it is "validated", the character's forecolor flashes. just an idea.

 
2/2/2005 5:26:33 PM Andrew Cooke

hmm, I feel that could breach security, however nice idea..

5 globes from me... very original...

 
8/8/2005 10:36:42 PM p01n7bl4nk

Hey! I always wondered what Fort Knocks looked like, thanks :D.

 
8/26/2005 12:12:25 AM cyclopes

Very nice....cool. thanks for the brilliant idea

 
9/20/2005 10:06:20 PM Option Explicit

Hi Dirk, excellent! I read an article that makes this project even more relevant:

http://msn-cnet.com.com/Keyboard+clicks+can+lead+to+security+hacks/2100-11395_3- 5865318.html?part=msn-cnet&subj=ns_3-5865318&tag=msn_home>1=6903
Sorry the url formatting is probably messed up but you should be able to plug it in!

Matt




 
3/31/2006 8:39:05 PM Mike Douglas

The only thing that really makes this any more secure than any other way is that no one else is doing it. Hackers write code to break into the greatest amount of systems possible. The one thing that weakens systems like this is that the longer it takes per token/char to input a password, the shorter the passwords will tend to be. The passwords have to be stored somewhere and shorter passwords are easier to break. BTW- anyone know why code that hasn't even been commented on in 6 months is showing up in newsletter?

 
4/3/2006 3:13:05 AM PsiBorg

If they give you too much grief, you can always upload it in the form of a game... I had tons of fun playing with it :-)

 
4/3/2006 11:18:39 AM Driss HANIB

to prevent useful screenshot of your keypad, you can randomly change the position of the letters after each hit of a key ??

 
4/3/2006 11:28:41 AM Driss HANIB

sorry my post was sent before testing your prog.
Very good, for me..
Driss

 
4/8/2006 10:17:24 PM Paul Turcksin

Brilliant out of the box thinking!

 
5/2/2006 8:33:20 PM sub

Excellent work. This is exactly what I was looking for. I was able to write my own code slightly different from this. No timers, non repeating randomized characters 33 to 255 (it *IS* very possible, for anyone believing otherwise) in a character sheet.

http://www.geocities.com/zdejavuz/account.jpg

for a screenshot of it in action. The window is resizable. I'm a bit concerned about changing my forecolor and borderstyle's though...

 
1/1/2007 8:42:11 AM Mr.Intermediate

tnx for the code

 
3/9/2007 8:10:06 PM yrezsan

Very nice....

 
6/3/2007 12:39:01 PM Thomas Greenwood

How about a dll hook on the vb runtime string functions. You transfer both the characters between strings and the whole password on validation. This could even be used in conjunction with OCR to narrow down the possible strings. (i.e. you scramble the alphabet after transferring the characters to the strCode.)

Far fetched? Is it though?

Excellent idea and code.

 
1/5/2010 12:16:28 PM alex

is there any way that you can send me codes on how to capture a time in/time out.. we are creating a program in school and having a hard time getting the codes.. thank you..

 
