
23 September 2008

20:55: Today it is 5 years since I registered the jeroen.se domain.

25 August 2008

17:46: For a few weeks now I have been using the jnitodo todo list manager for managing my todo list. jnitodo was written by myself, so it matches my requirements quite well, and it might match yours!

13 August 2008

12:51: Yesterday I ran into a bug in my Samsung S1060 digital camera. If you press the view photos button while the red-eye flash pictogram is flashing white and red, it hangs and becomes unresponsive.

11 August 2008

12:59: While migrating my account to another machine which uses openldap authentication, I ran into the problem that cron was not working on the new machine. A quick look in the logs revealed the following error:

29 July 2008

17:50: I often get the question how I manage to survive my long commute time during the week. This question is often raised when, in a conversation, it becomes clear that I travel over 4 hours per day by train. In this blog post I will try to give some insight into how I manage this.

09 July 2008

13:23: Just a quick blog post about how to run a command like uptime in more than one screen window. Just do ctrl-a, then
:at "#" stuff "uptime\015"

28 June 2008

21:58: I just reached the 1000 kilometer mark with my recumbent bike. It took me 46 hours and 24 minutes, averaging a speed of 21.55 km/h. Over the last month, however, my average cycling speed has been increasing, so I should do the next 1000 kilometers in less time.

Randomness can decrease your security

20 February 2007 - In November 2006 I ran across an article by Cormac Herley and Dinei Florencio of Microsoft Research, How To Login From an Internet Cafe Without Worrying About Keyloggers. Their method is based on typing one character of your password in the password field, then some number of random characters in another application or another part of the browser, and repeating this until you have typed your full password. Although this method makes it harder for an attacker to sniff your password with a keyboard sniffer, it certainly does not make it impossible.

First of all, many people have mentioned before that a keyboard sniffer can also sniff mouse clicks, so it can be determined when the user clicks away from or back to the password field. This, however, can easily be solved by clicking with the mouse after every character that is entered.

A second problem with their method exists, however, and it has to do with their use of random data between password characters. When more than one session in which the user enters the password can be sniffed, the randomness can be filtered out. For example, assume that a user types pfadsos.wromredu in the first session and ptabsescwyotrudw in the second session; it is then relatively easy to spot that the password is password. Although the analysis required will be more difficult in a real-life situation, it is certainly not impossible. The more sessions that can be sniffed, the easier the analysis becomes: it is just a matter of building a graph of which letter can reasonably follow which letter.

The solution to the second problem is, however, simple: do not use random characters. If you always type the password posswerd as p>oaonesidisleowitooejerdud, with of course mouse clicks between each letter, there is no way statistical analysis can filter your password out of it. In short, sometimes using random data decreases your security.
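To make the comparison between the two padding schemes concrete, here is an added example (my own, not code from this post or from the Microsoft Research paper). It models the scheme exactly as described above: each typed session is the password with filler characters between its letters. The first two random-filler sessions are the ones quoted in the text; the third session, the password "password", and the use of three identical sessions for the fixed decoy are my own constructed inputs. The cross-session filtering is done in its simplest form, by finding every longest string that is a subsequence of all sniffed sessions, rather than the letter-graph approach the text mentions.

```python
from functools import lru_cache
from typing import FrozenSet, Sequence, Set, Tuple

# Constructed sample data: the two keystroke sessions quoted in the article,
# plus a third one (my own) built the same way, one password letter followed
# by one filler letter, for the password "password".
RANDOM_PADDING_SESSIONS = [
    "pfadsos.wromredu",
    "ptabsescwyotrudw",
    "pzaqsxsjwvokrhdn",
]

# The fixed-decoy variant from the article: the same string in every session.
FIXED_DECOY = "p>oaonesidisleowitooejerdud"
FIXED_PADDING_SESSIONS = [FIXED_DECOY] * 3


def is_subsequence(needle: str, haystack: str) -> bool:
    """True if the characters of needle occur in haystack in the same order."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


def longest_common_subsequences(sessions: Sequence[str]) -> Set[str]:
    """Every longest string that is a subsequence of all sessions.

    The classic two-string LCS dynamic programme, generalised to k strings:
    the state is one index per session.  It enumerates all optimal strings
    rather than one, so an ambiguous result shows up as a set of candidates.
    Fine for keystroke-sized input; exponential in k for long input.
    """
    k = len(sessions)

    @lru_cache(maxsize=None)
    def solve(idx: Tuple[int, ...]) -> FrozenSet[str]:
        # Any exhausted session ends the common subsequence.
        if any(idx[i] >= len(sessions[i]) for i in range(k)):
            return frozenset({""})
        heads = {sessions[i][idx[i]] for i in range(k)}
        if len(heads) == 1:
            # All sessions agree on the next character: taking it is optimal,
            # and every optimal string must start with it.
            ch = heads.pop()
            return frozenset(ch + rest for rest in solve(tuple(j + 1 for j in idx)))
        # Otherwise at least one session's head goes unused: skip it and recurse.
        best: Set[str] = set()
        best_len = -1
        for i in range(k):
            nxt = list(idx)
            nxt[i] += 1
            cand = solve(tuple(nxt))
            n = len(next(iter(cand)))
            if n > best_len:
                best, best_len = set(cand), n
            elif n == best_len:
                best |= cand
        return frozenset(best)

    return set(solve(tuple([0] * k)))


def evaluate(sessions: Sequence[str], password: str) -> Tuple[Set[str], bool]:
    """Candidates the cross-session filtering yields, and whether it isolates
    the password (the candidate set is exactly {password})."""
    candidates = longest_common_subsequences(sessions)
    return candidates, candidates == {password}


if __name__ == "__main__":
    for label, sessions, pw in [
        ("random filler, 2 sessions", RANDOM_PADDING_SESSIONS[:2], "password"),
        ("random filler, 3 sessions", RANDOM_PADDING_SESSIONS, "password"),
        ("fixed decoy,   3 sessions", FIXED_PADDING_SESSIONS, "posswerd"),
    ]:
        cands, isolated = evaluate(sessions, pw)
        print(f"{label}: candidates={sorted(cands)} password isolated={isolated}")
```

With only the two quoted sessions the result is still ambiguous (two candidates of length 8); the third session removes the ambiguity, which is the "more sessions, easier analysis" effect. For the fixed decoy every session is identical, so the only common subsequence is the whole decoy string and nothing separates the password from the filler.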



Everything I say on these pages are opinions, they are not necessarily the truth.
Commercial use of the data on this site without permission is strictly prohibited.

Powered by FreeBSD. Generated by a bunch of M4 macros on Wed Oct 1 03:09:03 CEST 2008
$Id: randomness_can_decrease_security.m4 2194 2008-06-27 20:09:03Z jnieuwen $
© 2002 - 2008 Ir. Jeroen van Nieuwenhuizen
I know I'm not perfect but I can smile.