- Re: What can one do against Keylogger Attacks?
- Posted by tomstdenis@gmail.com on June 20th, 2005
Yoy G0 wrote:
Stop using windows and don't login as root.
You essentially can't trust another machine. Hell, you can't really
trust your own machine if you stop to think about it...
Tom
- Posted by Mxsmanic on June 21st, 2005
tomstdenis@gmail.com writes:
This won't help.
You must not allow any physical access to your machine to anyone, and
you must not allow any untrusted executable code of any kind to execute
on your machine (including Javascript, macros, Java, etc.). It's a tall
order and requires a certain degree of paranoia.
--
Transpose gmail and mxsmanic in my e-mail address to reach me directly.
- Posted by John on July 7th, 2005
tomstdenis@gmail.com wrote:
or use a token with a protected authentication path (eg. smartcard &
finread) for logging on, decryption, etc.
- Posted by Taliesin on July 7th, 2005
quite a neat thing I've seen was a "self-made" (self-programmed)
mouse-keyboard so that you can "type in" your password/paraphrase via
mouse so that a keyboard-hook doesn't work...
wfg,
Taliesin
- Posted by Markus Kuhn on July 7th, 2005
One-time passwords, e.g.
http://www.cl.cam.ac.uk/~mgk25/otpw.html
Markus
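Added example (not part of the original post, and not OTPW's own code): a simplified Python model of a numbered one-time password list, showing why keystrokes captured by a keylogger fail when replayed. The class name, the prefix string and the burn-on-any-attempt policy are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class OneTimeList:
    """Server side of a numbered one-time password list (simplified model)."""

    def __init__(self, prefix: str, count: int = 3):
        # Constructed demo data: the printed list the user carries.
        self.printed = {i: secrets.token_hex(4) for i in range(count)}
        self._salt = secrets.token_bytes(16)
        # Only salted, stretched hashes of prefix+entry are kept server-side.
        self._hashes = {i: self._digest(prefix + s)
                        for i, s in self.printed.items()}

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salt, 50_000)

    def challenge(self) -> int:
        """Return the number of an unused entry for the login prompt."""
        if not self._hashes:
            raise RuntimeError("list exhausted, issue a new one")
        return secrets.choice(sorted(self._hashes))

    def verify(self, index: int, typed: str) -> bool:
        # Burn the entry on any attempt so it can never be accepted twice.
        expected = self._hashes.pop(index, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._digest(typed))


def demo():
    server = OneTimeList(prefix="demo-prefix")
    index = server.challenge()
    typed = "demo-prefix" + server.printed[index]  # what a keylogger records
    first = server.verify(index, typed)
    replay = server.verify(index, typed)           # same keystrokes sent again
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The memorised prefix keeps a stolen paper list from being enough on its own, while the single-use entries make the recorded keystrokes worthless after the first login.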
- Posted by Thomas J. Boschloo on July 9th, 2005
Taliesin wrote:
Sarah Dean OTFE comparison? <fires up google>
<http://www.sdean12.org/SecureTrayUtil.htm>
Thomas
--
"You can't be safer, can't be more secure than with a breast in each
palm, that's the way I was born and that's the way I want to die" -
Sugarcubes, Mama, 1988
- Posted by ipguardian@hotmail.com on July 16th, 2005
Taliesin is on the right track. You must not type in your password at
all. Let a program inject the password (internally) - there is no
simulation of keyboard typing anywhere otherwise the keyboard logger
will capture your keystrokes. That program may possibly be an injected
DLL (in the windoze world).
- Posted by Joe Soap on July 16th, 2005
In response to what <ipguardian@hotmail.com> posted in
news:1121511806.553075.153150@g47g2000cwa.googlegroups.com:
There are lots of programs for that purpose, some free (e.g. Password Safe)
and some pay-for (e.g. Personal Info Keeper).
I never type passwords in anywhere, always drag/drop or cut/paste.
--
Joe Soap.
JUNK is stuff that you keep for 20 years,
then throw away a week before you need it.
- Posted by ipguardian@hotmail.com on July 22nd, 2005
Joe Soap wrote:
Good start but two potential flaws
1) keyboard logger still has a chance of capturing your screen (of your
original password document because it is in clear text)
2) someone may look over your shoulder.
For more secure needs, search for password manager tools instead.
- Posted by Joe Soap on July 22nd, 2005
In response to what <ipguardian@hotmail.com> posted in
news:1121992402.451432.88260@g49g2000cwa.googlegroups.com:
Thanks, but I don't have a problem. Save your advice for someone who does.
--
Joe Soap.
JUNK is stuff that you keep for 20 years,
then throw away a week before you need it.
- Posted by winged on July 22nd, 2005
ipguardian@hotmail.com wrote:
time you set up specific site) and stores password using blowfish on
local machine, and requires a separate password to access the "safe".
Security wise I have not tried to crack it, but for me it is a handy
utility for storing login passwords for multiple sites. It has a
reasonable random password generator (though only alpha numeric) for new
sites. The password generator does not do special or alt chars, but the
safe will support manual entry of those char types. The random password
generator will support user-defined password lengths, which is useful for
long password strings irrespective of the char type restrictions. One
may add or modify a couple of the random generated chars with alt or
special chars to further enhance the security of the chosen password,
user's call. Bear in mind blowfish isn't bulletproof, but meets casual
encryption requirements for my local system.
Winged
- Posted by RangerFrank on July 22nd, 2005
Another way to protect passwords from people looking over your
shoulder is to use biometrics. I use Microsoft fingerprint reader
and never have to type in passwords. Pretty cheap at $35.
RangerFrank
- Posted by Jan Panteltje on July 22nd, 2005
On a sunny day (22 Jul 2005 06:51:17 -0700) it happened "RangerFrank"
<airbornerangerfrank@gmail.com> wrote in
<1122040277.472731.38180@g14g2000cwa.googlegroups.com>:
http://www.microsoft.com/hardware/mo...ngerprint.mspx
Says:
The Fingerprint Reader should not be used for protecting sensitive data
such as financial information or for accessing corporate networks.
We continue to recommend that you use a strong password for these types of
activities.
Wonder if there is a Linux driver?
- Posted by Winged on July 23rd, 2005
RangerFrank wrote:
recorded the prints and have rerecorded them, I have a difficult time
opening device with my print but she just walks on in...Boy I hope she
never kills anyone...
Winged
- Posted by RangerFrank on July 23rd, 2005
The Microsoft Fingerprint Reader is primarily used for logging onto
Windows and accessing Internet sites that require a User Name and
Password. The disclaimer that the Fingerprint Reader should not be
used with financial sites, etc. is for Microsoft's protection from
liability. The Fingerprint Reader is very convenient and easy to use.
PGP is used to protect E-Mail messages, attachments, and files stored
on the computer.
- Posted by Jan Panteltje on July 23rd, 2005
On a sunny day (23 Jul 2005 08:21:31 -0700) it happened "RangerFrank"
<airbornerangerfrank@gmail.com> wrote in
<1122132091.403881.95640@z14g2000cwz.googlegroups.com>:
I think one trick was to breathe on the sensor after somebody used it,
that made the pattern 're-appear'.
Have you had any success with things like that?
And making a fake fingerprint with some silicone kit?
Is there a Linux driver?
- Posted by RangerFrank on July 24th, 2005
Hi Jan,
I guess that is a remote possibility to counterfeit my fingerprint. I'm
not concerned, because my computer is in a safe environment.
No Linux driver on my computer.
RangerFrank
- Posted by nemo_outis on July 24th, 2005
Jan Panteltje <pNaonStpealmtje@yahoo.com> wrote in
news:1122139496.cc8a4cd8660fd788bc69c9d858757b79@teranews:
It is generally trivial to "capture" someone else's fingerprint, especially
if one shares some environment with him (home, work, social, etc.). For
instance, offer him a glass of wine to taste, or even just take his coffee
cup - the imaginative will readily think of dozens of additional methods.
BTW cyanoacrylate (crazy glue) can be used to lift even very faint prints.
Most cheap (and even some expensive) fingerprint readers do not do very (or
any!) "aliveness" tests - they just read the pattern.
Moreover, many fingerprint readers are simple USB devices and do NOT
authenticate themselves to the computer (or vice versa) - chances are there
is no encryption of the data transmitted either. This makes it very easy
to spoof a genuine reader, do replay attacks, etc.
Nope, fingerprint readers, as currently implemented, are generally very
feeble reeds on which to lean.
Regards,
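Added example (not part of the original post, and not any vendor's protocol): a Python sketch of the reader-to-host authentication the post says is missing, using a fresh host nonce and an HMAC so that a captured transfer cannot be accepted a second time. The `Reader` and `Host` classes, the pairing key and the template bytes are hypothetical; the sketch covers only the link between reader and computer, not liveness testing or encryption of the scan data.

```python
import hashlib
import hmac
import secrets


def _tag(key: bytes, nonce: bytes, template: bytes) -> bytes:
    # Nonce is fixed-length (16 bytes), so nonce || template is unambiguous.
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


class Reader:
    """Hypothetical reader holding a key provisioned when it was paired."""

    def __init__(self, key: bytes):
        self._key = key

    def scan(self, nonce: bytes, template: bytes):
        return template, _tag(self._key, nonce, template)


class Host:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept(self, template: bytes, tag: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        return hmac.compare_digest(_tag(self._key, nonce, template), tag)


def demo():
    key = secrets.token_bytes(32)
    host, reader = Host(key), Reader(key)
    template = b"constructed-template-bytes"      # stand-in for scan data
    captured = reader.scan(host.new_challenge(), template)
    genuine = host.accept(*captured)
    host.new_challenge()                          # next login, fresh nonce
    replayed = host.accept(*captured)             # earlier transfer sent again
    rogue = Reader(secrets.token_bytes(32))       # device without the paired key
    spoofed = host.accept(*rogue.scan(host.new_challenge(), template))
    return genuine, replayed, spoofed


if __name__ == "__main__":
    print(demo())
```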
- Posted by Luc The Perverse on July 24th, 2005
"RangerFrank" <airbornerangerfrank@gmail.com> wrote in message
news:1122164270.430906.273060@f14g2000cwb.googlegroups.com...
I say, if someone wants something so bad they are willing to take
your finger . . . I suggest you just give it to them.
--
"When you have to choose between a first-rate company with a
second-rate product and a second-rate company with a first-rate
product, it's never an ideal choice. " -Ed (www.overclockers.com)
- Posted by Joe Peschel on July 24th, 2005
"Luc The Perverse" <sll_noSpamlicious_z_XXX_m@cc.usu.edu> wrote in
news:42e2e6a4$0$38354$3a2ecee9@news.csolutions.net:
But if you give 'em the finger, they'll be really pissed off.
j
--
__________________________________________
http://www.impeach-bush-now.org
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________