nthdimtech / signet-client

Client code for Signet and Signet HC
https://www.nthdimtech.com/signet
GNU General Public License v3.0
19 stars 8 forks

Built in on-screen keyboard #34

Open sotpapathe opened 6 years ago

sotpapathe commented 6 years ago

Entering your Signet encryption password on a hardware keyboard could potentially lead to its interception by keyloggers or similar software. For added security, an on-screen keyboard could be added to the Signet desktop client in order to bypass the hardware keyboard. For extra security, the positions of the keys of the on-screen keyboard could be shuffled around each time it is used.

nthdimtech commented 6 years ago

Interesting idea.

I've decided to not pursue security measures that involve trying to contain data within a compromised system. They have value but not enough for me to prioritize them. As I see it, they are redundant given the button press confirmation requirement. The master password, even if intercepted, can't be used without the user's participation. That said, I will accept pull requests for features like this, however, if they can be turned on and off from settings.

sotpapathe commented 6 years ago

Of course, such a feature would not be a priority right now. I mainly added it for future consideration. As for the use case, what I had in mind was mainly an untrusted computer, such as a work or friend's computer, where you wouldn't mind exposing one or two specific passwords but possibly giving away your encryption password would be too much.