Yes, I imagine they are generated passwords, but many (if not most) use typical pass-phrases for stuff, so it could be either way - garbage or a real password.
But the safest bet would be to use a fake password. Perhaps a fake generated password.
I was wondering, do they have "mouse loggers" I mean you could type some gibberish with bits of your password laced in it and selectively delete them from a text field to provide the password, aside from the mind-f*** and the time I think that would be difficult to parse, if you use the mouse to place the cursor that is.
They can simply log the contents of the input box at the moment it is submitted. That's not very difficult to do and beats all your "mouse" tricks.
That would beat it, of course. But I don't see how you could do it (admittedly, I don't know much about this sort of thing). If the connection is unsecured, then sure, it could be done -- especially if the site was stupid enough to use GET. But what if it was secured, as sites requiring passwords you care about usually are?
dwk
Seek and ye shall find. quaere et invenies.
"Simplicity does not precede complexity, but follows it." -- Alan Perlis
"Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
"The only real mistake is the one from which we learn nothing." -- John Powell
Other boards: DaniWeb, TPS
Unofficial Wiki FAQ: cpwiki.sf.net
My website: http://dwks.theprogrammingsite.com/
Projects: codeform, xuni, atlantis, nort, etc.
GET or POST wouldn't make much difference, since both can be sniffed. GET imbues the name/value pairs on the URL, whereas POST puts them in the HTTP request body. There are a few other minor differences but not significant for this discussion, having more to do with how browser makers implement both methods. What is relevant however is that POST is actually as easy to get as GET (no pun intended). Many web developer tools include the ability to read POST data on their browsers (Firefox has a few addons that allow just this, for instance, as does the IE Developer Toolbar, IIRC).
In any case, I suspect any keylogger smart enough to just log the contents of an input during submission (as opposed to logging keystrokes) can only do so by sniffing the HTTP request header and body just prior to being sent. This is its weakness, because...
... if the transmission is encrypted, any name/value pairs are encrypted before being added to the HTTP request. Consequently sniffing the message header or body on the user machine with such a type of keylogger, or doing it with a packet sniffer while in transit, will have the exact same result; both will meet encrypted, and consequently useless, data.
Considering the really interesting data travels encrypted... I would wager a keylogger and mouselogger are still more powerful tools in this case.
Last edited by Mario F.; 07-02-2008 at 11:36 AM.
Originally Posted by brewbuck:
Reimplementing a large system in another language to get a 25% performance boost is nonsense. It would be cheaper to just get a computer which is 25% faster.
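An added example, not part of any post in this thread: the GET/POST difference described above also matters on the server side, because the request line, query string included, is what common and combined access log formats record, while a POST body normally is not. The Python sketch below audits constructed log lines for credential-like query parameters and masks them; the parameter-name list, paths and log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (assumed list; extend for your app).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token"}

# Request-line portion of a common/combined log format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jul/2008:11:30:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Jul/2008:11:31:07 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [02/Jul/2008:11:32:44 +0000] "GET /search?q=password+reset HTTP/1.1" 200 2048',
    '203.0.113.9 - - [02/Jul/2008:11:33:10 +0000] "GET /reset?Token=abc123&next=%2Fhome HTTP/1.1" 200 128',
]

def find_leaks(lines):
    """Return (line_no, method, path, leaked_param_names) for each log line
    whose query string carries a credential-like parameter."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP entry
        parts = urlsplit(m.group("target"))
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() in SENSITIVE]
        if names:
            findings.append((no, m.group("method"), parts.path, names))
    return findings

def redact(line):
    """Mask the values of sensitive query parameters in a log line."""
    pattern = r'(?i)([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(SENSITIVE))
    return re.sub(pattern, r"\1[REDACTED]", line)

if __name__ == "__main__":
    for no, method, path, names in find_leaks(SAMPLE_LOG):
        print(f"line {no}: {method} {path} exposes {names}")
        print("  ", redact(SAMPLE_LOG[no - 1]))
```

The search for "password reset" on the third line is deliberately not flagged: the check keys on parameter names, not on the word appearing anywhere in the URL.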
Of course, the browser itself could simply be modified to log all data sent and received.
All the buzzt!
CornedBee
"There is not now, nor has there ever been, nor will there ever be, any programming language in which it is the least bit difficult to write bad code."
- Flon's Law
Or a security hole in the browser could be exploited, which might be more likely. (Or not, given the rather paranoid and modified systems a lot of public internet computers seem to run.)
Something I forgot to mention earlier: if you do my dubious "trick" multiple times, you should probably type the same garbage characters each time. Given "pass3434word", "pass111word", and "passmkhword", it wouldn't be too hard to figure it out.
dwk
BIOS passwords can be disabled. Why do you need a pen drive? Carry a live CD and use that. I use a separate email id which I use to chat or send mails from public computers. They don't allow & have a BIOS password.
Code:>+++++++++[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.[-]>++++++++[<++++>-] <.>+++++++++++[<++++++++>-]<-.--------.+++.------.--------.[-]>++++++++[<++++>- ]<+.[-]++++++++++.