Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:55 AM
Connect Directly

Free 'Trojan-Proof' Password Tool Released for Windows

Beta virtual keyboard software aims to ward off password-sniffing Trojans, malware

A trio of German software firms claims to have developed a password system that prevents Trojans and viruses from stealing passwords from a Windows machine.

The “Trojan-proof” virtual keyboard software, which was developed by Global IP Telecommunications, PMC Ciphers, and CyProtect AG, is available in a free beta version for download.

"This development can make input of PIN codes and transaction numbers for online banking completely safe in the near future," said C.B. Roellgen, creator of the password dialog and CTO of PMC Ciphers, in a statement.

It works like this: the software flashes a virtual keyboard onto the video display that flickers the characters on and off at high speeds, with the keys displayed in random locations on the screen rather than as a standard Qwerty keypad. As soon as the user types a character in his or her password on the virtual keyboard, that key is moved to another location on the keyboard.

In a demonstration of the technology, the simulated Trojan was only able capture “skin of the dialog window” and not the actual key characters making up the password code, according to the developers. And their high-powered Trojan simulator ate up about 11 percent to 15 percent of the machine’s CPU.

“A real Trojan horse must be programmed to consume less than one percent of CPU time in order not to be detectable by professionals,” the developers say in a video demonstration of the software.

Bernd Roellgen with PMC Ciphers and Global IP Telecommunications, says the developers wanted to fill in the gap of existing Trojan protection solutions. "We found that there wasn't a solution so far that was software-only," Roellgen said in an interview with Dark Reading. So that's the approach the developers took, he says.

But security expert Thierry Zoller, product manager and senior security engineer for n.runs AG, says that though he hasn’t tested the software, he doesn’t think it would be completely Trojan-proof. “The video shows that they use certain dithering tricks to foil screen cams to record what button has been pressed. This is nice, but surely not every way to find what keys have been pressed, not to mention there are DirectX-based screen recorders, which I doubt would not register these tricks,” he says.

This new virtual keyboard is not the first attempt at preventing password sniffing, either. “Attempts to prevent password sniffing have been appearing in various forms for years,” says Nate Lawson, principal with Root Labs. “There's no perfect solution to this problem. The best thing to do is vary the scheme occasionally, based on what attackers are doing and try to keep Trojan software off PCs in the first place.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...