FluxBB.org Forums
Posts [ 24 ]
- Registered: 2008-05-16
- Posts: 49
Topic: [Ext In Prog.] OnScreen Keyboard [Security]
I'm working on a new extension that will add an onscreen keyboard on your site 
It's a good and secure way to prevent keyloggers from recording your key presses.
This will also give the users another option to use. So they can select the one they think is the best and most secure 

Live
I haven't planned on having the onscreen keyboard on that location on the final release, but had to do it right now to make sure it was working. And I also get some CSS problems if I place it next to the username and password field.
What do you think? 
Last edited by PhaxeNor (2008-05-19 19:39:12)
- Franz
- aka lie2815 (Developer)
- Offline
- Registered: 2008-05-13
- Posts: 1,735
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Cool!!! You could make it moveable... just like an extra layer if JavaScript is enabled
http://www.fluxbb.de - Deutschsprachiges FluxBB-Supportforum
- From: Belarus
- Registered: 2008-05-16
- Posts: 39
Re: [Ext In Prog.] OnScreen Keyboard [Security]
interesting 
- From: United Kingdom
- Registered: 2008-05-15
- Posts: 52
Re: [Ext In Prog.] OnScreen Keyboard [Security]
I think you should make it so the admin control panel requires a login with this, which would make it more secure.
Musicians Forum
The Community for all musicians and fans.
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
I can see how it would prevent keyloggers from working, but isn't having a keyboard on the screen less secure in terms of allowing other people to see what you type? Also, if someone has a keylogger on your computer, why can't they monitor network traffic as well?
- Registered: 2008-05-16
- Posts: 49
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Smartys wrote:I can see how it would prevent keyloggers from working, but isn't having a keyboard on the screen less secure in terms of allowing other people to see what you type? Also, if someone has a keylogger on your computer, why can't they monitor network traffic as well?
Well, yea. It's less secure if you use it in public locations, but so is your VISA/Mastercard code when you use it in the mini bank and in the store 
If you aren't careful enough they can get your code, same with the keyboard.
So it's secure and not secure in many ways.
Not sure about the network traffic, but if they monitor network traffic you are doomed anyway?
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
PhaxeNor wrote:Well, yea. It's less secure if you use it in public locations, but so is your VISA/Mastercard code when you use it in the mini bank and in the store 
The reason I brought it up was that you said:
"This will also make it more secure to login on an internet cafe without setting your account security on a high risk"
My point was that it doesn't, necessarily, it just shifts where the issue is. 
PhaxeNor wrote:Not sure about the network traffic, but if they monitor network traffic you are doomed anyway?
I suppose, although you could use Javascript to encrypt the password and lock the cookie to one IP address. Then you would be more secure (although your solution might not always work).
- Registered: 2008-05-16
- Posts: 49
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Okay, understand 
But this will give the owners another or more ways to provide their users with a more secure forum 
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Personally, I happen to disagree: I think it gives the user a false sense of security.
http://en.wikipedia.org/wiki/Keystroke_
_keyboards
- From: :(){:|:&};:
- Registered: 2008-04-30
- Posts: 113
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Or take it a step further and mix numbers and letters on the same key. Each time you visit the number/letter combination is different.

You can either click your pin or type it with your keyboard by typing the corresponding letter. This is from ING Direct.
Last edited by Dr.Jeckyl (2008-05-19 19:56:58)
- Registered: 2008-05-16
- Posts: 49
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Well, it's a work in progress. It might be different from now. thanks to you guys 
- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 991
Re: [Ext In Prog.] OnScreen Keyboard [Security]
PhaxeNor wrote:But this will give the owners another or more ways to provide their users with a more secure forum 
I think describing it as an alternative method of logging in would be preferable and more truthful than using the term secure.
Screw the chavs and God save the Queen!
- Registered: 2008-05-16
- Posts: 49
Re: [Ext In Prog.] OnScreen Keyboard [Security]
MattF wrote:PhaxeNor wrote:But this will give the owners another or more ways to provide their users with a more secure forum 
I think describing it as an alternative method of logging in would be preferable and more truthful than using the term secure.
Next time
Thanks tho 
- From: Paris, France
- Registered: 2008-04-30
- Posts: 531
Re: [Ext In Prog.] OnScreen Keyboard [Security]
It's a pain in the ass to use.
Following that false sense of security, my online banking services switched their login auth to an on-screen keypad. And they even scramble the order each time. It's a huge pain to use.
- From: The land of lost content
- Registered: 2008-05-10
- Posts: 29
Re: [Ext In Prog.] OnScreen Keyboard [Security]
I think it is like putting a lock on a door ... a good idea! But locks don't stop everyone.
- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 991
Re: [Ext In Prog.] OnScreen Keyboard [Security]
PhaxeNor wrote:MattF wrote:I think describing it as an alternative method of logging in would be preferable and more truthful than using the term secure.
Next time
Thanks tho 
I wasn't meaning it in an offhand fashion, btw. 
Screw the chavs and God save the Queen!
- Registered: 2008-05-16
- Posts: 49
Re: [Ext In Prog.] OnScreen Keyboard [Security]
MathsIsFun wrote:I think it is like putting a lock on a door ... a good idea! But locks don't stop everyone.
A lock is better than nothing, yes? 
MattF wrote:PhaxeNor wrote:MattF wrote:I think describing it as an alternative method of logging in would be preferable and more truthful than using the term secure.
Next time
Thanks tho 
I wasn't meaning it in an offhand fashion, btw. 
I know, but that's how I was reading it 
- From: Germany
- Registered: 2008-05-16
- Posts: 342
Re: [Ext In Prog.] OnScreen Keyboard [Security]
To make network monitoring useless: Don't send the plaintext password, but the sha1 hash generated with JS
FluxBB, the PunBB of tomorrow - today!
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
damaxxed wrote:To make network monitoring useless: Don't send the plaintext password, but the sha1 hash generated with JS
You are then vulnerable to a replay attack (someone sends the request again). The way to deal with that is to hash the password along with the current time, pass the current timestamp, and let the server validate it based on that (and disallow any times more than, say, 5 minutes off).
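The timestamp scheme described in the post above, as an added example that is not part of the original thread or of any FluxBB code. The token format, the function names and the server holding `sha1(password)` are assumptions; the `seen` map goes beyond the post and covers a resend that arrives inside the 5-minute window.

```javascript
// Added example (not from the thread): timestamp-bound login hash, checked server-side.
const crypto = require('node:crypto');

const WINDOW_SECONDS = 5 * 60; // the "say, 5 minutes" tolerance from the post

const sha1 = (s) => crypto.createHash('sha1').update(s, 'utf8').digest('hex');

// Client: send { ts, token } instead of the password.
// Assumed token format: sha1( sha1(password) + ":" + ts ).
function clientLoginToken(password, nowSeconds) {
  return { ts: nowSeconds, token: sha1(sha1(password) + ':' + nowSeconds) };
}

// Server: storedHash is sha1(password) from the user table (assumption).
// seen is a Map(token -> ts) of accepted tokens; it goes beyond the post and
// closes the gap where a captured request is resent inside the window.
function verifyLogin(storedHash, msg, serverNow, seen) {
  for (const [tok, ts] of seen) {
    if (serverNow - ts > WINDOW_SECONDS) seen.delete(tok); // expired, cannot verify anyway
  }
  if (!Number.isInteger(msg.ts)) return 'bad-timestamp';
  if (Math.abs(serverNow - msg.ts) > WINDOW_SECONDS) return 'stale';

  const expected = Buffer.from(sha1(storedHash + ':' + msg.ts), 'hex');
  const got = Buffer.from(String(msg.token), 'hex');
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return 'bad-credentials';
  }
  if (seen.has(msg.token)) return 'replayed';
  seen.set(msg.token, msg.ts);
  return 'ok';
}

// Constructed walk-through: one captured login message, presented four ways.
function demo() {
  const t0 = 1211300000; // constructed Unix time
  const stored = sha1('correct horse'); // constructed password
  const seen = new Map();
  const captured = clientLoginToken('correct horse', t0);
  return [
    verifyLogin(stored, captured, t0 + 2, seen),   // legitimate login
    verifyLogin(stored, captured, t0 + 10, seen),  // resent inside the window
    verifyLogin(stored, captured, t0 + 301, seen), // resent after the window
    verifyLogin(stored, { ts: t0 + 301, token: captured.token }, t0 + 301, seen), // ts rewritten
  ];
}
```

In this layout the stored `sha1(password)` is enough to compute valid tokens, so it has to be protected like the password itself, and nothing here covers the session cookie issued after login.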
- From: Germany
- Registered: 2008-05-16
- Posts: 342
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Aaaah I see.. But the possibility of sending the request again is possible in both cases, isn't it? (when password is plaintext, too)
FluxBB, the PunBB of tomorrow - today!
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
No, the second case does not allow for a replay attack. However, it still does allow for someone to steal the cookie. But as I said before, it is possible to "lock" the cookie to one IP, which would limit the ability of the person to use the cookie.
- From: Germany
- Registered: 2008-05-16
- Posts: 342
Re: [Ext In Prog.] OnScreen Keyboard [Security]
This excludes users of special proxy tools like TOR, doesn't it?
FluxBB, the PunBB of tomorrow - today!
- Registered: 2008-04-27
- Posts: 2,663
Re: [Ext In Prog.] OnScreen Keyboard [Security]
It would exclude anyone whose IP address changes within a session. I don't work with TOR, but if each request comes from a different exit node, then yes.
- From: :(){:|:&};:
- Registered: 2008-04-30
- Posts: 113
Re: [Ext In Prog.] OnScreen Keyboard [Security]
Jérémie wrote:It's a pain in the ass to use.
Following that false sense of security, my online banking services switched their login auth to an on-screen keypad. And they even scramble the order each time. It's a huge pain to use.
That right there makes it a bit more secure I would assume. Kinda like the CAPTCHAS that are so hard to read that you have to refresh them a couple times to get one you can read. Not perfect but takes a human to use it.
Last edited by Dr.Jeckyl (2008-05-22 22:56:29)