How to protect my keystrokes [PHP Login Page]


#1

Hi all,

I am making a login page using PHP, and I wonder how I can protect my password from being logged.

For example, any keylogger can catch my keystrokes; how can I protect against that?

I do know that using a virtual keyboard is a solution, but there may be a solution with normal typing. I need your help, guys.


#2

Keyloggers work on the client side; you don't have to worry about that, it's the user's responsibility.


#3

Thanks for your reply,

But what if I use this login page on computers other than my PC? Therefore I want to make my login page secure in a way that any account holder on my website feels free to use it on any PC. I hope you understand my point.


#4

For the keyloggers, you can't secure against them. You can use an on-screen keyboard though, as you said.


#5

@shafiq

Good thought to be responsible for your users. But unfortunately you can't protect them as much as you are desiring.

But you can at least take care in your website's code that it shouldn't be attackable with "Code Injections". It would at least make your website secure enough for your users to feel satisfied giving you their personal details. This is very well known and easy to attack, especially on laymen's websites which are coded by developers from scratch. Even web development frameworks might leave a loophole, which they rapidly test for and patch up in upgrades.

By the use of "Code Injection" an attacker can do a lot more damage to you and your users at the same time in many different ways. But as you are wondering about information theft, I will tell only about this way of how it works if the attack is successful.

The most popular way of injecting client scripts permanently into your website is by the use of "SQL Injection". A successful "SQL Injection" can completely destroy your website, but for the particular issue you are asking about, it can collect sensitive user information from your database as well as from the users themselves while they enter any information on your website. Your website can become a keylogger itself. You can at least protect against this happening.

The attacker resides in your database with a client-side script that executes a malicious script from within your website once it reaches the client's computer, and while the user is interacting with your website the information he/she enters is unknowingly passed to the attacker.

To protect your website from this kind of vulnerability, search Google with the following keywords: "To protect from SQL Injection", "To protect from cross-site scripting", "To protect from code injection".

But you can protect the user only within the boundary from your server to the user's browser. You can't protect them outside of the browser, in their computer.
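An added example of the server-side protection this post describes (it is not code from the thread or from any poster): a PHP login handler that uses PDO prepared statements so user input never becomes SQL text, stores password hashes instead of passwords, and escapes anything echoed back into HTML so stored data cannot turn the site into a script-injecting keylogger. The table and column names, the DSN and the database credentials are assumptions.

```php
<?php
// Added example (not from the thread): a login handler that resists SQL injection
// and stored XSS. Table `users` and its columns are assumptions, as are the DSN/credentials.
declare(strict_types=1);
session_start();

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: parameters are never spliced into SQL
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// VULNERABLE (shown for contrast only): concatenation lets input such as  ' OR '1'='1
// rewrite the query, and lets a stored <script> tag reach every later visitor.
// $sql = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";

function findUser(PDO $pdo, string $username): ?array {
    // Prepared statement: the username travels as a bound parameter, so quotes
    // and SQL keywords inside it are plain data.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

function registerUser(PDO $pdo, string $username, string $password): void {
    // Store only a salted hash; a dumped table then yields no reusable passwords.
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool {
    $user = findUser($pdo, $username);
    // password_verify does the hash comparison; unknown user and wrong password both return false.
    return $user !== null && password_verify($password, $user['password_hash']);
}

function e(string $s): string {
    // Escape everything that is echoed into HTML so stored data can never become script.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo      = connect();
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');
    if (login($pdo, $username, $password)) {
        session_regenerate_id(true);          // fresh session id after the privilege change
        $_SESSION['user'] = $username;
        echo 'Welcome, ' . e($username);      // escaped even though it came from our own database
    } else {
        echo 'Invalid username or password.'; // same message for both failure cases
    }
}
```

The two halves matter together: prepared statements keep an attacker's script out of the database, and output escaping keeps it out of the page even if some other path puts it there. Neither does anything about a keylogger already running on the visitor's machine, which is exactly the boundary this post draws.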


#6

One more thing to keep in mind, "There is no such thing as total security, you just have to try your best"


#7

Thank you all:

@KA

good alarm

back to question again

As I have noticed on a few sites, a keylogger fails to pick up keystrokes, such as on bank sites; for a quick example, when we enter user id and password on MCB or SCB virtual banking, the keylogger doesn't pick up the keystrokes... now?


#8

^That's not true... who told you that?

I am not sure about SCB....

But on MCB, they encrypt user credentials inside the browser (the encryption algorithm is written in a Java Applet which is loaded in the browser's memory). It just works to extend the protection of the SSL layer. That is, on MCB's Virtual Banking login page, SSL encryption is performed on already encrypted credentials (which are encrypted on the client side by the Applet).

All the keys you press on https://online.mcb.com.pk/ipc/ can be logged exactly as you press them by any good keylogger. Don't think that you are safe if there is a keylogger in your computer without your knowledge.

To just give it a try, install Free KGB KeyLogger on your machine and access https://online.mcb.com.pk/ipc/. Then check whether the keylogger detects the keys you stroke or not.

Do not try it on your primary machine. And do not enter correct login information on MCB's login page while you are trying it. I don't believe these sh!ts; they might leave their traces in the system even after uninstalling. So be sure of what you are doing. You can try it in a virtual machine to be completely safe.


#9

[quote]
for the keyloggers, you can't secure it. you can use on-screen keyboard though as you said.
[/quote]

KA, what about on-screen keyboard? HBL Internet Banking has on-screen keyboard for entering password.


#10

@KA

O M G

This is really alarming... I will give it a try tomorrow with dummy credentials on MCB, SCB and ATLAS virtual banking, as I have accounts with these banks.

@Joker

ATLAS also uses a virtual keyboard; I will give it a try tomorrow and then let you know.


#11

#12

It's not about how you can totally protect from keylogging, but the best option available is an AJAX-based keylogger on your page.

It's not hard to make, just a few lines of code.

Nearly impossible to track keystrokes (only if the keylogger is specifically designed for your on-screen keyboard).


#13

OK, now let me share my experience, what I did last night.

@ SCB

Keylogger captured my password.

@ MCB

Keylogger captured my password.

@Atlas Bank

Keylogger was unable to capture my keystrokes, as this site uses an on-screen keyboard to type the password.

Now the conclusion is:

The best available option is to use an on-screen keyboard.

I hope my above experience will help you guys.


#14

I told that before :)


#15

There is a saying in computers that goes like this: if you execute a malicious program on your computer then it is no longer your computer :) What that means is that the creator of the malicious program now has control over your computer and can do anything with it.

However, there is something called public key cryptography that you can look into. With this authentication system passwords are not used. Instead a key or certificate file is used to authenticate users. So if you are worried about someone monitoring your keystrokes you can implement public key crypto. But of course if the computer you're using is unsafe then your private key could also be stolen.
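An added example of the password-less login this post describes (it is not code from the thread or from any poster): a challenge-response exchange in PHP where the server sends a random challenge, the client signs it with a private key, and the server verifies the signature against the public key enrolled earlier. Nothing is typed, so there is no password for a keylogger to record. Both sides are run in one script for illustration; the in-memory arrays standing in for the server's challenge store and key store, and the user name, are assumptions.

```php
<?php
// Added example (not from the thread): challenge-response login with public key
// cryptography, both sides in one script. Storage arrays and the user name are assumptions.
declare(strict_types=1);

// Enrollment (client): generate a key pair. Only the PUBLIC key is ever sent to the server.
function generateKeyPair(): array {
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
    openssl_pkey_export($key, $privatePem);              // stays on the client's machine
    $publicPem = openssl_pkey_get_details($key)['key'];  // goes to the server at enrollment
    return [$privatePem, $publicPem];
}

// Login step 1 (server): issue a fresh, unpredictable challenge and remember it for this attempt.
function issueChallenge(array &$pending, string $username): string {
    $challenge = bin2hex(random_bytes(32));
    $pending[$username] = $challenge;
    return $challenge;
}

// Login step 2 (client): sign the challenge with the private key. No secret is typed,
// so a keylogger sees nothing; a stolen private key, however, is as good as a password.
function answerChallenge(string $privatePem, string $challenge): string {
    if (openssl_sign($challenge, $signature, $privatePem, OPENSSL_ALGO_SHA256) !== true) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($signature);
}

// Login step 3 (server): verify against the enrolled public key and consume the challenge,
// so a captured answer cannot be replayed later.
function verifyAnswer(array &$pending, array $publicKeys, string $username, string $answerB64): bool {
    if (!isset($pending[$username], $publicKeys[$username])) {
        return false;
    }
    $challenge = $pending[$username];
    unset($pending[$username]);                           // one challenge, one attempt
    $signature = base64_decode($answerB64, true);
    if ($signature === false) {
        return false;
    }
    return openssl_verify($challenge, $signature, $publicKeys[$username], OPENSSL_ALGO_SHA256) === 1;
}

// Demo run with a constructed user "alice".
[$priv, $pub] = generateKeyPair();
$publicKeys = ['alice' => $pub];   // what the server keeps from enrollment
$pending    = [];                  // outstanding challenges, keyed by user

$challenge = issueChallenge($pending, 'alice');
$answer    = answerChallenge($priv, $challenge);
var_dump(verifyAnswer($pending, $publicKeys, 'alice', $answer));   // valid, first use
var_dump(verifyAnswer($pending, $publicKeys, 'alice', $answer));   // same answer again: challenge already consumed
```

The random, single-use challenge is what makes this better than sending a static secret: an eavesdropper or a logger that captures one answer cannot log in with it. The caveat in the post still holds, since malware on the client can read the private key file just as easily as it reads keystrokes.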