Better protection against keyloggers and screen capture

Tell us what features would make LastPass even better and vote for features that are most important to you

Moderators: admin, anatoly_LP, chantieLP, robyn, JoeSiegrist

Better protection against keyloggers and screen capture

Postby rutherfordpaul » Sat Sep 26, 2009 3:12 am

There have been two, scary articles in Windows Secrets relating to key loggers and their ilk.

See
http://windowssecrets.com/2009/09/10

and
http://windowssecrets.com/2009/09/24

Is ther any way "lastpass" could be enhanced to emulate automatically the "revised Vesik method" or alternatively Two-Channel Auto-Type Obfuscation (see the KeyPass website & search for "keylogger")?
rutherfordpaul
 
Posts: 4
Joined: Sat Sep 26, 2009 3:03 am

Re: Better protection against keyloggers and screen capture

Postby JoeSiegrist » Sat Sep 26, 2009 9:28 am

rutherfordpaul Wrote:Is ther any way "lastpass" could be enhanced to emulate automatically the "revised Vesik method" or alternatively Two-Channel Auto-Type Obfuscation (see the KeyPass website & search for "keylogger")?


We do better than that -- we don't use the clipboard at all unless you go to 'copy Username / copy password' -- our standard filling method is straight through the DOM which completely evades key logging. You may want to still use the screen keyboard + some typed characters for your LastPass Master Password.
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Better protection against keyloggers and screen capture

Postby rutherfordpaul » Sat Sep 26, 2009 10:53 am

Hi, Joe

Thanks for the very prompt reply.

Although I don't pretend to understand how DOM completely evades keyloggers your's is a very reassuring answer.

One question, though, about the "last pass" on screen keyboard.

While I think I understand why you advise mixing physical and on-screen keyboard input does the "last pass" on screen keyboard send its "keystrokes" in the same manner as Windows On Screen Keyboard which (I understand from Windows Secrets) does sends the input in a keylogger readable form?

Cordially - Paul
rutherfordpaul
 
Posts: 4
Joined: Sat Sep 26, 2009 3:03 am

Re: Better protection against keyloggers and screen capture

Postby JoeSiegrist » Sun Sep 27, 2009 11:15 am

rutherfordpaul Wrote:While I think I understand why you advise mixing physical and on-screen keyboard input does the "last pass" on screen keyboard send its "keystrokes" in the same manner as Windows On Screen Keyboard which (I understand from Windows Secrets) does sends the input in a keylogger readable form?


It shouldn't (though I haven't tested this) -- it sends it via JavaScript through the 'Document Object Model' -- basically writes it directly into the page in question.
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Better protection against keyloggers and screen capture

Postby rutherfordpaul » Mon Sep 28, 2009 6:41 pm

Hi, Joe

This sounds like LastPass is what we've all been looking for!

So, do you mind if I summarise our exchange and share it with "Windows Secrets"?

Cordially - Paul
rutherfordpaul
 
Posts: 4
Joined: Sat Sep 26, 2009 3:03 am

Re: Better protection against keyloggers and screen capture

Postby JoeSiegrist » Tue Sep 29, 2009 9:45 am

rutherfordpaul Wrote:This sounds like LastPass is what we've all been looking for!

So, do you mind if I summarise our exchange and share it with "Windows Secrets"?


Please do!
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: Better protection against keyloggers and screen capture

Postby rutherfordpaul » Tue Sep 29, 2009 10:35 am

Just to keep you in the loop, this is what I sent ..

QUOTE
There have been two, scary articles in Windows Secrets relating to key loggers and their ilk.

See
http://windowssecrets.com/2009/09/10

and
http://windowssecrets.com/2009/09/24

Is there any way "lastpass" could be enhanced to emulate automatically the "revised Vesik method" or alternatively Two-Channel Auto-Type Obfuscation (see the KeyPass website & search for "keylogger")?

A. We do better than that -- we don't use the clipboard at all unless you go to 'copy Username / copy password' -- our standard filling method is straight through the DOM which completely evades key logging.

You may want to still use the screen keyboard + some typed characters for your LastPass Master Password.

Q. One further question about the "last pass" on-screen keyboard. Does the "Last Pass" on screen keyboard send its "keystrokes" in the same manner as Windows On Screen Keyboard which (I understand from Windows Secrets) does sends the input in a key logger readable form?

A. It shouldn't (though I haven't tested this) -- it sends it via JavaScript through the 'Document Object Model' -- basically writes it directly into the page in question.

Q. Do you mind if I summarise our exchange and share it with "Windows Secrets"?

A. Please do!
UNQUOTE

Concluding, thanks for the re-assurances & prompt replies.

Cordially - Paul
rutherfordpaul
 
Posts: 4
Joined: Sat Sep 26, 2009 3:03 am


Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 24 guests