Interesting device for security of login credentials

Found this via Stumbleupon:

Looks like a good candidate for defeating keyloggers, etc.

Anyone want to put them in production? I’ll buy.

2 Likes

It’s not clear, and he certainly doesn’t claim, that this would defeat a standard key logger. It’s more a password manager that is kept away from the internet and any malware you’ve picked up.

Even if some key loggers would miss it, one could still certainly be written that picks up the characters as they arrive at the application (and this may well be how some already work anyway - I don’t know how they work, but can see that is one possible way).

The only way to defeat all key loggers (that I can think of) is for credentials to be passed to the application in encrypted form, which requires an agreed interface between some kind of hardware or biometric key and the application itself (e.g. SAFE Launcher).

This would be a great project - and could, I imagine, use existing hardware keys such as Trezor - just requiring the SAFE Launcher to have code added to support them.

I think an adapted Trezor may be similar to this device. I liked this because it’s pretty cheap to put together.

From my (limited) understanding, a key logger can be defeated by an on-screen, point and click keyboard, since it’s graphical. This thing would be much the same, only more so.

Not to say that something that’s wormed deep in your device can’t read the fields directly. It’s honestly mostly above my head technically, but I think a hardware device like this or a Trezor could give a pretty good level of security, though not easy enough yet for the masses.

My understanding of this device is that it feeds plaintext passwords into the app, which if intercepted cause loss of credentials. Your point and click method is a way of avoiding this, but not what this device does I think - it’s a password store, much like LastPass, only offline and in hardware.

Whereas Trezor is not sending passwords but uses some kind of key based handshake directly with the app (which means even eavesdropping on the key exchange won’t help a keylogger or malware gain access).
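The difference described in the post above, as an added example that is not part of the thread and is not Trezor's or SAFE Launcher's actual protocol: a captured plaintext password can be replayed, while a captured response to a single-use challenge cannot. HMAC over a shared secret stands in for the key-based handshake, and every name and value here is hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; on a real hardware key the secret never reaches the host.
DEVICE_SECRET = secrets.token_bytes(32)
PASSWORD = "correct horse battery staple"

class PasswordApp:
    """App that accepts a static plaintext password (what a password store types in)."""
    def __init__(self, password):
        self._digest = hashlib.sha256(password.encode()).digest()
    def login(self, typed):
        return hmac.compare_digest(hashlib.sha256(typed.encode()).digest(), self._digest)

class ChallengeApp:
    """App that issues a fresh single-use nonce for every login attempt."""
    def __init__(self, shared_secret):
        self._secret, self._pending = shared_secret, set()
    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce
    def login(self, nonce, response):
        if nonce not in self._pending:   # unknown or already used challenge
            return False
        self._pending.discard(nonce)     # each nonce is accepted at most once
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def device_respond(secret, nonce):
    """Runs on the hardware key: only the keyed response leaves the device."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def replay_results():
    """What malware on the host gains from each kind of captured login."""
    pw_app, ch_app = PasswordApp(PASSWORD), ChallengeApp(DEVICE_SECRET)
    captured_password = PASSWORD                           # logged as it reaches the app
    n1 = ch_app.new_challenge()
    captured_response = device_respond(DEVICE_SECRET, n1)  # logged in transit
    legit = ch_app.login(n1, captured_response)            # the user's own login
    n2 = ch_app.new_challenge()                            # attacker's later attempt
    return {
        "password_replay": pw_app.login(captured_password),
        "legit_handshake": legit,
        "same_nonce_replay": ch_app.login(n1, captured_response),
        "fresh_nonce_replay": ch_app.login(n2, captured_response),
    }
```

The handshake only protects the credential itself; malware already on the host can still act inside a session once the legitimate login has succeeded.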

Thanks for the clarification.

Even without this sort of thing, our level of security is increased with the SAFE network, but making some lockout on creds being stolen on a local level (easily) will go a long way to adding confidence.

Yes, I think we need to address credential security very early on - support for Trezor and similar (i.e. multiple options) certainly, but also cheaper and easier, less “hardened” options too. As the code is open, hopefully other developers will jump in so MaidSafe aren’t the only people building on the launch system! :slight_smile:

2 Likes