Silk Road forums
Discussion => Security => Topic started by: PaulMuadDib on August 30, 2012, 09:30 am
-
Is copying and pasting my pass codes for the SR login from a notepad within my encrypted drive a security risk?....should I be hand typing them in?
-
More people should ask basic questions like this one.
The answer is basically that copy pasting a password is a whole lot safer than typing them in. Some people who find mysterious withdrawals from their SR accounts probably were victims of a keylogger.
A keylogger is a piece of software, which as the name suggests, records your key presses and then emails them to a hacker. Most trojan viruses carry things like keyloggers as the primary payload. I know this because some of my associates write them Iseensomeshit.jpg
Some keyloggers can monitor the clipboard, take screenshots and even use OCR on any characters you interact with (as in moving the mouse over them for example) so they can obtain passwords. Some of them are very clever pieces of software and some special types of keyloggers are impossible to detect (usually relies on knowing your physical location though, in which case you're already stuffed anyway).
However there are a couple of ideas you can use to reduce the likelihood of this working.
1. Do what you've done. Store your password into some encrypted place. Copy paste when needed.
2. Use a OTP. A one time password is the best defense against keylogger malware there is. If SR was able to use OTP somehow that would be cool. This is what the Yubikeys are about, but I don't know DPR's point of view on the matter. There's a risk if everybody goes out and obtains Yubikeys that it would become an insecure security mechanism you see. 2 factor authentication (something you know e.g. your username, and something you have e.g. a yubikey that generates these one time passwords).
3. Use a Unicode password. This won't necessarily work for everything, but some naive keyloggers only use ASCII so obtaining your password would be useless.
4. When you open the file with the password in it, copy paste the password from different parts of a couple of paragraphs, and type a bunch of random bullshit characters inbetween parts of the password as well as copying irrelevant characters (but not pasting these). If a keylogger log file is not easily human readable you'd deter most people without OCD (bear in mind for programmers it's a 'feature', not a bug, lol).
5. Manually change your password upon every single login (you'd have a big list of strong randomly generated passwords on that encrypted drive).
What you're doing right now is the easiest and a quite effective method. While it can be improved by doing points 3, 4, the moment a keylogger starts interacting with the system e.g. trying to read the clipboard, the more likely it becomes that your AV or OS will pick up the pattern of a keylogger using rules or heuristics.
Of course, the very best way to prevent these problems is to use a secure operating system, like any Linux distribution. 99.99% of all malware is almost certainly written by programmers working on Linux machines who target Windows machines. I think even when most malware authors have an opportunity/incentive to write Linux malware, they don't, and would simply report the exploit to the Linux kernal people. Why? "not shitting where you eat" philosophy, the respect and kudos you get from the other programmers for discovering an exploit in Linux (seriously does lead to financial gains), and the not so inconsiderable fact Linux users look down upon Windows users from a lofty height and Western Windows users have most of the money used in ecommerce...
However if we're talking about the Linux software used on mobile devices then all bets are off, that market will be too lucrative to resist.
tldr; Move to Linux, put password files onto an encrypted thumb drive and copy paste from there. Consider changing your passwords with each login or as frequently as you can.
-
Why not use KeePass?
-
Why not use KeePass?
Shuuussssssh! Secret sauce! ;-)
Yeah Paul, this works too.