AceBIT

I like the virtual keyboard in PD3. However, it seems to be available only for opening a local file. It is NOT available for entering passwords for an internet and/or PD Server. This is ironic since accessing a server remotely (from a foreign or untrusted computer) would benefit more than opening a local file on a trusted computer.

Any plans to add the virutal keyboard feature for all passwords, including PD Server and Internet server passwords?

You can open the virtual keyboard by clicking the small "blue keyboard" next to the input field for the master password.

The Pasword Depot Virtual Keyboard is an option for you to use on your own computer!
Virtual Keyboards are not always secure on Untrusted computers such as Internet cafes or over Internet

(http://en.wikipedia.org/wiki/Keystroke_logging)
On-screen keyboards

Program-to-program (non-web) keyboards

It is sometimes said that a third-party (or first party) on-screen keyboard program is a good way to combat keyloggers, as it only requires clicks of the mouse. However, this is not true, because a keyboard event message must be sent to the external target program to type text. Every software keylogger can log the text sent as typed characters from one program to another with an on-screen keyboard, and additionally, some programs also record or take snapshots of what is displayed on the screen. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Web-based keyboards

Web-based on-screen keyboards (written in java scri_pt, etc.) may provide some degree of protection. At least some commercial keylogging programs do not record typing on a web-based virtual keyboard. (Screenshot recorders are a concern whenever entire passwords are displayed; fast recorders are generally required to capture a sequence of virtual key presses.)

Hello,

Thanks a lot for your article. Your are right, of course there is always a higher risk when you use your password depot on a computer that is not your own. Password Depot does have some very nice features to prevent spyware or trojans from getting your masterpassword, but it does NOT replace a good firewall+antivirus/spyware-software or even "common sense".

______________________
Best regards
Mirko - AceBIT - Support -

Using your Password Depot with existing passwords from a USB Drive in Interrnet Cafe's etc I believe to be a good secure choice

To make your windows computer secure go through following checks & suggestions
Check your computers security (free)NOW!
Keep Windows UPDATED
AVG 7.0 Free Edition Anti-Virus
Check your computer for "SpyWare" (free MS Product)
a good firewall for windows(free version available)
Use a Password Saver on USB removable drive to store passwords

Just to add
PassWord Depot is what is termed a "Automatic form filler program" Secure in use on untrusted computers from a USB device. Always scan any computer with a anti-spyware detection program beforehand

Include these USB devices in regular security scans for viruses and trojans though. Also turn on USB's Write Protection Once Password Depot with its/your secure passwords,that have been done/made from a/your trusted computer

"Automatic form filler programs"
Automatic form-filling programs can prevent keylogging entirely by not using the keyboard at all. Form fillers are primarily designed for web browsers to fill in checkout pages and log users into their accounts. Once the user's account and credit card information has been entered into the program, it will be automatically entered into forms without ever using the keyboard or clipboard, thereby reducing the possibility that private data is being recorded. (Someone with access to browser internals and/or memory can often still get to this information; if SSL is not used, network sniffers and proxy tools can easily be used to obtain private information too.)

It is important to generate passwords in a fashion that is invisible to keyloggers and screenshot utilities. Using a browser integrated form filler and password generator that does not just pop up a password on the screen is therefore key. Programs that do this can generate and fill passwords without ever using the keyboard or clipboard

Hello,

thanks a lot for this information - it might be very useful for some of our forum users.

______________________
Best regards
Mirko - AceBIT - Support -

Thanks for helping us be more secure. However, my post was a direct question about a feature and not meant to be a statement about when and where to use a virtual keyboard. I don't plan on using PD at an internet cafe, but I do plan on using it over the internet. What is the point of having a PD Server if you never access it over the internet?

Also, I understand that the PD virtual keyboard is "built in". It does not use traditional method of sending keystrokes to the password fields, but can internally update the fields without sending keyboard messeages, etc. Although your article is good to know, it may not apply as much here.

Thanks for the response, but my point is that the "small 'blue keyboard'" does not exist on all screens where a password can be entered.

Try this:
1. Run PD
2. Click the "Select List" button on the first window that appears.
3. Click on the "Password Depot Server" tab
or
4. Click on the "Internet Server" tab and then the "Add..." button

* Notice that there is no "small 'blue keyboard'" by the password field. Also, there is no "virtual keyboard" link at the bottom of the dialogue.

Hello,

In the tabs you mentioned you can choose the desired password lists. After they are loaded the interface should switch back to the login dialogue, where you can use the virtual keyboard to enter your master password.

________________________
Best regards,
- Acebit support -