1996-12-19 - Password Keystroke Snarfer Programs

Header Data

From: Bill Stewart <stewarts@ix.netcom.com>
To: cypherpunks@toad.com
Message Hash: ff551db7cbba14c0d49b30ea1eb5335efac143b5a5afbae0ba6c8aa982b57728
Message ID: <1.5.4.32.19961219082542.003d493c@popd.ix.netcom.com>
Reply To: N/A
UTC Datetime: 1996-12-19 08:27:08 UTC
Raw Date: Thu, 19 Dec 1996 00:27:08 -0800 (PST)

Raw message

From: Bill Stewart <stewarts@ix.netcom.com>
Date: Thu, 19 Dec 1996 00:27:08 -0800 (PST)
To: cypherpunks@toad.com
Subject: Password Keystroke Snarfer Programs
Message-ID: <1.5.4.32.19961219082542.003d493c@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


Several articles on the PGP-users mailing list have discussed
keystroke snarfers that unexpectedly grab and save keystrokes,
including passwords, severely weakening any benefits from encryption.
taoboy <taoboy@sprynet.com> mentioned Mac programs FileGuard and 
HiddenOasis and the SpellCatcher spell-check program's Ghostwriter feature,
which he'd noticed had stuck his password into a disk file;
he suggests that Windows machines probably have similar surprises.

From: patm@connix.com (Pat McCotter)
> Which is why, every once in a while, I do a search of my entire disk for my
> PGP pass phrase and various other passwords I use. [....] I do this with
> Norton DiskEditor.  I have to upgrade to do this on my Win95 machine which I
> understand is much worse than Win3.x in this area.

Be careful - PGP goes to a lot of effort to overwrite your passphrase
when it's done using it; Norton or grep or other disk-crawlers are unlikely
to do so, because that sort of paranoia's not part of their job,
and simply typing in a command in a command window will often get it saved
in a command history file.  So your search for the passphrase on disk makes it
_more_ likely that some program will stash it on your disk...
You could work around this by using a complex passphrase and adding a 
distinctive word to the end, e.g. "mumblefrotz foobaroid zarquon FINDTHIS",
which doesn't become much less secure if the FINDTHIS gets left on the disk
from your "grepemall FINDTHIS c:" command.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
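
An added sketch of the marker-word search suggested in the message above (not part of the original post; the function names are hypothetical). It searches for the distinctive marker such as FINDTHIS rather than the passphrase itself, in both ASCII/UTF-8 and UTF-16LE form, and reads the marker from a no-echo prompt so the search adds nothing to a command history file.

```python
import getpass
import os

def marker_patterns(marker):
    """Encodings the marker may have on disk: ASCII/UTF-8 and UTF-16LE."""
    if not marker:
        raise ValueError("marker must not be empty")
    return {marker.encode("utf-8"), marker.encode("utf-16-le")}

def scan_file(path, patterns, chunk=1 << 20):
    """Return sorted byte offsets in `path` where any pattern starts."""
    keep = max(len(p) for p in patterns) - 1  # bytes carried across reads
    hits, tail, base = set(), b"", 0          # base = file offset of tail[0]
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            buf = tail + data
            for pat in patterns:
                pos = buf.find(pat)
                while pos != -1:
                    hits.add(base + pos)      # set: overlap may re-find a hit
                    pos = buf.find(pat, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return sorted(hits)

def scan_tree(root, marker):
    """Map each regular file under `root` that holds the marker to its offsets."""
    patterns = marker_patterns(marker)
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                offsets = scan_file(path, patterns)
            except OSError:
                continue                      # locked or unreadable: keep going
            if offsets:
                found[path] = offsets
    return found

if __name__ == "__main__":
    # Read the marker without echo so it stays out of argv and shell history.
    marker = getpass.getpass("Marker word: ")
    for path, offsets in scan_tree(os.getcwd(), marker).items():
        print(path, offsets)
```

This walks live files only; unallocated and slack space, which a raw disk editor covers, is outside what it sees.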





