IDEA: Temporary Access

[Uncle John]

40Hz was wondering where I was headed with my "Self destruct" idea. Seeing that he put us onto the very useful "Dead Man's Switch" app I thought it only fair to share the next step in my project with everyone.
The idea for this project came from two other projects: Keepass portable and Keeform. Keepass portable has a very useful feature that enables you to drag and drop hidden passwords. You can drag and drop a password onto a web page input field for example. Keeform lets you do the whole thing automatically.
There are times when you would like people to access password protected resources but also limit the time they can access the resource.
Keepass and Keeform don't cater for this very well for a number of reasons:
1. You need the entire applications plus the master password to make use of these features
2. Keeform only works for IE.
3. Once you get into Keepass you can "unhide" the password.
My idea is that a program that includes a selection of the features in Keepass and Keeform, runs off a USB drive and "self destructs" after a preset time would overcome these problems. The user would simply click on an icon on the USB drive. The app would then take the browser to the specific web page and automatically log in.
Keepass uses CSecureEditEx code to secure edit controls and CodeProject shows how it could be used in a project.
I've been tempted to give it a go but I figure I will die of old age b4 I get it working.

 

[f0dder]

"Self destruct" will never work - there will always be a way to bypass it. Refusing to activate based on time is also trivial to bypass. And even contacting a server for decryption keys (which will grant or refuse based on time/whatever) can be bypassed, although that's a bit trickier.

Depending on your exact needs, some of these problems might be acceptable, though.

[Uncle John]

Any thoughts on CSecureEditEx?

[f0dder]

Any thoughts on CSecureEditEx?

-Uncle John (October 13, 2008, 05:00 PM)

Good idea not using the default EDIT control, but I would probably have done things differently implementation-wise... Also, I'm a big fan of being able to "show contents instead of asterisks" for password controls, but obviously in the way that enabling the feature clears the current contents of the control.

[Uncle John]

There might be a much easier way to achieve what I'm after. I noticed the following article that describes a simple program: herley-poster_abstract. It would seem much easier than implementing edit controls.

[Uncle John]

Easier still is what I'll call the three steps forward three steps back method (see: non-technological methods in Keystroke logging ).
Auto Form Filling would be nice but Auto Field filling would be sufficient.
I'd suggest that the Autohotkey program that does the field filling should first check whether "Dead man's switch" is present before executing. This would help prevent the use of the password by anyone other than the holder of the USB drive.
I hope someone (Skrommel perhaps?) has a go at this.
After I test the device and see that it works as intended I'd like to share part 3 of my project with everyone.   

[Uncle John]

Oh. Silly me keystroke logging is only a problem when the keyboard is used to enter the password. Since my idea is to enter the password automatically I don't have to worry about methods for defeating keystroke logging.
I've found an Autohotkey program that will do most of what I'm after at AutoFiller all that is needed now are a few modifications....
 

[Uncle John]

I'm glad I put the pursuit of this project on hold for a while. I've found that someone else has already done what I was hoping to accomplish: How to pwn with U3 Hack