
Spyware proof password management program


    Spyware proof password management program

    I'm trying to develop a program for reading passwords from an encrypted file and then entering those passwords into form fields on a web page (e.g., the web pages for online banking).

    I know there are commercial programs available, but I want to write my own program for the following reasons:

    - I want full control to integrate this program into other macro/automation software on my PC

    - almost all of the commercial programs are oriented at securing information stored on the PC and do not have security when the stored information is passed from the password program to the target window.

    - my program will offer better security than a widely available program simply because of obscurity. The best, most widely used program has thousands of hackers studying its algorithms and searching for vulnerabilities to exploit. Even if my program has bigger vulnerabilities than the commercial programs, I'll still be more secure because my solution will be unique.

    I need my program to deal with the following security issues when passing the data to the target window:

    - if the password program outpulses keystrokes to enter the password into the form field in the browser window, then security is jeopardized if trojan keylogger software has registered to capture keystrokes.

    - The alternative is for the password program to load the password into the clipboard and then paste the clipboard contents into the form field. This is also susceptible to spyware that tracks the clipboard.

    Here's my approach, and hopefully someone in the forum can fill in the gaps in my technical knowledge in how to program this.

    1) Have the password program outpulse half the password as keystrokes and the other half via the clipboard.

    2) It's easy with the new PowerBASIC 9 command to load the text string into the clipboard. How do I paste the clipboard into the target application? Of course I can have the program outpulse the Ctrl+V key sequence, but the keylogging software would see that and it would make it obvious that the clipboard data was being invoked. Is there some way that my program can issue a clipboard command to paste the code for contents into the active window?

    3) Any registered "Clipboard viewer" (legitimate software or spyware) will receive from Windows a WM_DRAWCLIPBOARD message whenever the content of the clipboard changes. Is there any way that my program can tell Windows to disable notifying the clipboard viewer chain that the clipboard has changed? That way, my program could disable the clipboard notifications, then load and paste the password in the clipboard, then clear the clipboard, and then re-enable the clipboard notifications. In so doing, the spyware would not know if there is new data in the clipboard for it to capture unless it is frequently polling for clipboard data regardless of Windows notification.

    What I want to build is available in the free program KeePass 2.x (Two-Channel Auto-Type Obfuscation. For this, an invisible window is created and added to the top of the clipboard event handler chain. This window throws away all clipboard change messages it receives instead of passing them down the chain.)

    But I want to create my own software so that I can integrate it with my existing menus and automation software. But I don't have the expertise to write code from scratch to interrupt the clipboard event handler chain, so hopefully someone has some examples written.

    One word of caution. Not all programs will accept passwords pasted from the clipboard. For example, Lotus Notes does not, and neither does the Windows XP Ctrl-Alt-Del login screen, and I am sure many other programs also make this restriction. If this is only for your personal use, this may not be a big problem for you, but any commercial app needs to be able to handle what it may run into.
    "I haven't lost my mind... its backed up on tape... I think??" :D
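
The clipboard-chain idea from the first post, as an added Python model (not code from the thread, from KeePass, or from PowerBASIC, and not Win32 code): a blocking viewer at the head of the chain swallows change notifications while half the password is pasted and the other half is typed. `Clipboard`, `Viewer` and `two_channel_entry` are hypothetical names, and the password is a constructed sample.

```python
# Added illustration: a toy model of the legacy clipboard viewer chain.
# Not Win32 code; Clipboard, Viewer and two_channel_entry are hypothetical names.
import secrets

class Clipboard:
    """Windows notifies only the head viewer; each viewer forwards to the next."""
    def __init__(self):
        self.text, self.head, self.history = "", None, []
    def set_viewer(self, viewer):        # models SetClipboardViewer: new head
        viewer.next, self.head = self.head, viewer
    def remove_head(self):               # models ChangeClipboardChain for the head
        self.head = self.head.next
    def set_text(self, text):
        self.text = text
        self.history.append(text)        # what a polling reader could observe
        if self.head:
            self.head.on_draw(self)      # models WM_DRAWCLIPBOARD to the head

class Viewer:
    def __init__(self, forward=True):
        self.next, self.forward, self.seen = None, forward, []
    def on_draw(self, cb):
        self.seen.append(cb.text)
        if self.forward and self.next:
            self.next.on_draw(cb)        # a well-behaved viewer passes it on

def two_channel_entry(password, cb):
    """Fill a simulated field: a random half of the characters is pasted,
    the rest is typed at its final position. Returns (field, key_log)."""
    n = len(password)
    idx = set(secrets.SystemRandom().sample(range(n), n // 2))
    pasted = "".join(password[i] for i in range(n) if i in idx)
    cb.set_viewer(Viewer(forward=False)) # blocker swallows change notifications
    cb.set_text(pasted)
    field, keys = list(pasted), []       # the paste lands in the field
    cb.set_text("")                      # clear before releasing the chain
    cb.remove_head()
    for i, ch in enumerate(password):    # type the characters that were not pasted
        if i not in idx:
            field.insert(i, ch)
            keys.append((i, ch))         # a keylogger sees caret moves and chars
    return "".join(field), keys

if __name__ == "__main__":
    cb, spy = Clipboard(), Viewer()
    cb.set_viewer(spy)                   # a chain-based viewer registered earlier
    field, keys = two_channel_entry("Tr0ub4dor&3x", cb)  # constructed sample
    print(field, len(keys), spy.seen, cb.history)
```

In the model the chain-based viewer is never notified, but `history` still holds the pasted half: a reader that polls the clipboard, or on Windows Vista and later a listener registered with `AddClipboardFormatListener` (which does not depend on the chain), is not stopped by the blocker. The split limits what either channel reveals on its own; it does not hide the password from software that records both.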