[thelist] Keylogging and pin entry fields (and an attempt at a clean solution)

Kowalkowski, Lee (ASPIRE) lee.kowalkowski at hmrcaspire.com
Thu Nov 24 06:00:32 CST 2005


> Christian Heilmann wrote:
> 
> I came up with a DOM solution for the issue and would appreciate some
> feedback and testing of it. 

Looks rather nice.  There's no cancel, and if I have repeating digits in my
pin e.g. 1223, I have to go slowly when doing the double 2.

Often when people use pin pads in the non-virtual world, they shield with
their hand & body so no-one can see what numbers they're pressing.  Yours
has whopping rollovers, and prolonged highlight of the last key pressed, I
think that's quite amusing.  Shoulder-surfers are still a pretty tangible
threat.

> I really wonder if there is a non-JavaScript dependent solution to
> this problem. Well, 4 dropdowns with 0 to 9 would be one, but that is
> as trackable, isn't it?

Well, you *could* just do the exact same UI, but use the server as the
controller instead of JavaScript.  Perhaps a touch heavyweight when embedded
into a production page.

The dropdowns could possibly be just as trackable depending on how the user
used them, it would require more analysis of the keystrokes to figure out
the pin if the user only used tab and the arrow keys.  It would be easier to
monitor the browser's requests for the PIN in that case, but then, the
password field is equally exposed.

- LK
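As an added example (not code from this thread, nor Christian's script), here is a virtual PIN pad whose controller is a set of pure functions, so the points Lee raises (a Cancel action, repeated digits such as 1223, no lingering highlight on the last key) can be checked without a browser. It assumes a 4-digit PIN and the element ids `pinpad`, `pin` and `pin-display`, which are inventions of the example; the shuffled key order is a design choice the thread does not discuss, added so that a logger recording only click coordinates cannot map them to digits.

```javascript
// Added example: virtual PIN pad with a pure-function controller.
// PIN_LENGTH and the element ids below are assumptions for the example.
// The DOM rendering at the end runs only when `document` exists.

const PIN_LENGTH = 4;

function createPinState(length = PIN_LENGTH) {
  return { digits: [], length };
}

function isComplete(state) {
  return state.digits.length === state.length;
}

// One call per click event: "1","2","2","3" yields 1223 however quickly
// the repeated 2 is pressed, because no key-up/key-down timing is used.
// Presses after the PIN is full are ignored rather than overwriting it.
function press(state, digit) {
  if (!/^[0-9]$/.test(String(digit))) throw new Error('single digit expected');
  if (isComplete(state)) return state;
  return { ...state, digits: [...state.digits, String(digit)] };
}

function backspace(state) {
  return { ...state, digits: state.digits.slice(0, -1) };
}

// Cancel discards everything entered so far.
function cancel(state) {
  return createPinState(state.length);
}

function pinValue(state) {
  return state.digits.join('');
}

// What the page displays: a mask, never the digits themselves.
function maskedValue(state) {
  return '*'.repeat(state.digits.length);
}

// Uniform random integer in [0, n) via the Web Crypto API when available
// (browsers, Node 19+), with rejection sampling to avoid modulo bias.
function randomInt(n) {
  const c = globalThis.crypto;
  if (c && typeof c.getRandomValues === 'function') {
    const buf = new Uint32Array(1);
    const limit = Math.floor(2 ** 32 / n) * n;
    do { c.getRandomValues(buf); } while (buf[0] >= limit);
    return buf[0] % n;
  }
  return Math.floor(Math.random() * n); // fallback, not cryptographically random
}

// Fisher-Yates shuffle of the key order, fresh for every pad.
function shuffledLayout() {
  const keys = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
  for (let i = keys.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys;
}

// Browser-only rendering. Each button is blurred after its click so the
// last key pressed does not stay highlighted for a shoulder-surfer, and
// only the mask is written to the visible page; the PIN goes to a hidden
// field and is still sent in the request, as Lee notes the password
// field would be.
function mountPinPad(container, hiddenInput, display) {
  let state = createPinState();
  const update = (next) => {
    state = next;
    hiddenInput.value = pinValue(state);
    display.textContent = maskedValue(state);
  };
  const addButton = (label, onClick) => {
    const b = document.createElement('button');
    b.type = 'button';
    b.textContent = label;
    b.addEventListener('click', () => { onClick(); b.blur(); });
    container.appendChild(b);
  };
  shuffledLayout().forEach((d) => addButton(d, () => update(press(state, d))));
  addButton('Del', () => update(backspace(state)));
  addButton('Cancel', () => update(cancel(state)));
  update(state);
}

if (typeof document !== 'undefined') {
  const pad = document.getElementById('pinpad');       // assumed ids
  const hidden = document.getElementById('pin');
  const shown = document.getElementById('pin-display');
  if (pad && hidden && shown) mountPinPad(pad, hidden, shown);
}
```

The controller never inspects timing, so a double digit is just two click events; `cancel` covers the missing Cancel; and blurring after each click avoids the prolonged highlight. None of this changes what Lee observes about the request itself: the hidden field's value still travels to the server exactly as a password field's would.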

