On 12/6/07, Fred Jones <fredthejonester at gmail.com> wrote:
> > Erm, if someone has installed a keylogger on your machine, then what
> you send back to their server, is still whatever your PIN/password is.
> Perhaps I wasn't clear. My PIN is 123 let's say. When I go to the
> homepage today 1 on the graphical keypad is A and 2 is B and 3 is C so I
> login with password ABC. But tomorrow 1 is labeled with a Q and 2 Z and
> 3 F so I login today with password QZF. Even if you KNOW how I login
> this time, it won't help because the next time I login, the password is
> different--it's different letters each time I login.

Yes, this defeats the keylogger attack.

ING has had this for a while. I have wondered whether it is still
possible to get the contents of that text box, because presumably the
content of the box is your pin and not the letter-translated value.

However, it seems odd that they wouldn't go the next step and store
the translation algorithm in session and have the keypad output the
translated value of your PIN into the box (which would then be
translated back to your numeric PIN on the server).

Matt Warden
Cincinnati, OH, USA

This email proudly and graciously contributes to entropy.
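The per-session keypad relabelling discussed in this thread, as an added example that is not code from ING or from anyone on the list: the server draws a fresh digit-to-letter map for each login page, the user types letters, and the server inverts the map before checking the PIN. The two fixed maps below are constructed to match the thread's "1/2/3 is A/B/C today, Q/Z/F tomorrow"; the salted PBKDF2 storage of the PIN is an assumption, not something the thread describes.

```python
import hashlib
import hmac
import secrets
import string

DIGITS = "0123456789"

def new_session_map(rng=secrets.SystemRandom()):
    """Fresh digit -> letter relabelling, drawn per login page load and kept
    server-side in the session; it is independent of the PIN itself."""
    return dict(zip(DIGITS, rng.sample(string.ascii_uppercase, len(DIGITS))))

def keypad_entry(pin, session_map):
    """What a keylogger records: the letter shown on each PIN digit's key."""
    return "".join(session_map[d] for d in pin)

def translate_back(entry, session_map):
    """Server side: invert this session's map; None if a letter is not on the keypad."""
    inverse = {letter: digit for digit, letter in session_map.items()}
    if any(c not in inverse for c in entry):
        return None
    return "".join(inverse[c] for c in entry)

def hash_pin(pin, salt):
    # Assumption: the PIN is stored salted and stretched, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

def verify(entry, session_map, salt, pin_hash):
    pin = translate_back(entry, session_map)
    if pin is None:
        return False
    return hmac.compare_digest(hash_pin(pin, salt), pin_hash)

# Constructed example maps matching the thread: 1/2/3 -> A/B/C today, Q/Z/F tomorrow.
DAY1 = dict(zip(DIGITS, "HABCDEFGIJ"))
DAY2 = dict(zip(DIGITS, "RQZFMNOPST"))

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    stored = hash_pin("123", salt)
    captured = keypad_entry("123", DAY1)          # "ABC", what a keylogger sees today
    print(verify(captured, DAY1, salt, stored))    # True: valid under today's map
    print(verify(captured, DAY2, salt, stored))    # False: replayed letters fail tomorrow
    print(verify(keypad_entry("123", DAY2), DAY2, salt, stored))  # True: QZF tomorrow
```

The replay check is the point: captured letters only decode under the map they were typed against, so the keylogged string is worthless once the session map changes.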