Securing passwords typed in text boxes from being sniffed?

Status
Not open for further replies.

rpk2006

Technical User
Apr 24, 2002
225
IN
I have downloaded a utility called "Password Sniffer"
which tracks the password being typed on forms.
Please suggest ways of preventing these types of
utilities from tracking passwords being typed in
my Visual Basic Text Boxes.

For example, some sites like HushMail have secure forms.

Any ideas?
There is always a new solution for the same problem.

Anonymous
 
Is the program a key-logger (records everything you type) or specifically passwords?

There is no real way I know of to stop loggers client side, other than to not allow them to be installed.
 
It may be possible to have your program insert random length strings of random characters into the keyboard buffer using API calls. This might feed garbage into the sniffer program. Please look at the thread you started in the VB forum for a more detailed explanation.

Without the actual sniffer program, I would have no way of testing this though.

Robert
 
If you can run the sniffer program on the same Windows computer, you can enumerate all of the forms, find a handle to the form in question, find a handle to the text box in question, and then query through the Win32API for the text contained in the text box. You can do this even if you are echoing password characters (rather than the actual text).

If they are running a keyboard sniffer (also through the Win32API) then you are SOL.

You could trigger on the text changed event, and then alter the data contained in the text box based on some simple encryption algorithm. Since the data is never displayed in the text box, it doesn't matter that you have "encrypted" the data in the text box. Depending on the sophistication of your attacker, simple XOR encryption may be enough. If not, you can use the CryptoAPI to encrypt the password with a real encryption algorithm based on some "secret" key.
pansophic
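
An added example, not code from any poster in this thread: a VB6 form module that applies the last suggestion in a slightly different way. Rather than rewriting the box in the Change event, the KeyPress handler swaps every typed character for a placeholder and keeps the real characters XOR-masked in a private buffer, so a query for the text box's contents returns only placeholders. Assumptions: a TextBox named txtPassword (hypothetical) with MaxLength = 0, single-byte (ANSI) characters, and a constructed XOR key. It does not help against a keyboard sniffer.

```vb
Option Explicit
' Assumed: a TextBox named txtPassword (hypothetical) with MaxLength = 0.
Private Const XOR_KEY As Byte = &H5A   ' constructed key; obfuscation, not real encryption
Private mMasked() As Byte              ' XOR-masked characters, held outside the control
Private mLen As Long

Private Sub Form_Load()
    txtPassword.PasswordChar = "*"
    ResetBuffer
End Sub

Private Sub ResetBuffer()
    mLen = 0
    Erase mMasked
    txtPassword.Text = ""
End Sub

Private Sub txtPassword_KeyPress(KeyAscii As Integer)
    txtPassword.SelStart = Len(txtPassword.Text)   ' append-only editing keeps buffer in step
    Select Case KeyAscii
        Case vbKeyBack
            If mLen > 0 Then mLen = mLen - 1: mMasked(mLen) = 0
        Case Is >= 32
            ReDim Preserve mMasked(mLen)
            mMasked(mLen) = CByte(KeyAscii And &HFF) Xor XOR_KEY
            mLen = mLen + 1
            KeyAscii = Asc("x")        ' the control only ever stores this placeholder
        Case Else
            KeyAscii = 0               ' drop Ctrl+V, Ctrl+X and other control codes
    End Select
End Sub

Private Sub txtPassword_KeyDown(KeyCode As Integer, Shift As Integer)
    If KeyCode = vbKeyDelete Then KeyCode = 0      ' Delete never reaches KeyPress
End Sub

Private Sub txtPassword_Change()
    ' A context-menu paste or cut changes the text without KeyPress: start over.
    If Len(txtPassword.Text) <> mLen Then ResetBuffer
End Sub

' Call once at submit time: unmasks the password and clears the buffer.
Private Function TakePassword() As String
    Dim i As Long, s As String
    For i = 0 To mLen - 1
        s = s & Chr$(mMasked(i) Xor XOR_KEY)
    Next i
    TakePassword = s
    ResetBuffer
End Function
```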