I’ve seen some password revealing software. Most of them have a shooting-pointer-like pointer, and you can just point at the password text box and the software reveals the password.
But still the protected software and the revealer software are not interconnected. They are separate processes running on the same host.
My queries are,
- How does one process access the other software’s information?
- What are the limitations of it?
- What are the practices that I can use to prevent this?
Edit: Yes, keeping a password with dummy data is the most used solution for this. But still, the same theory can be applied to some other cases, right? As an example, an external program can read your emails, a spy program can record your activities, etc. And we can even implement some cool features like drag and drop support to IE to Mozilla 🙂
So in this case the most effective solution would be a “Blocking” mechanism. Is there any way to do this? (Avoid accessing the process’s resources???)
As silky said, it’s just a matter of sending Windows messages; there is a very simple source that reveals all password fields at once. A simple countermeasure would be a password field that holds dummy characters instead of the real password. You can capture what is being typed, store it in a variable and replace it with the dummy character in your password field.
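
The dummy-character countermeasure from the answer above, as an added example that is not code from the original thread: a portable C model of such a field, in which the text the control holds is only dummy characters and the typed password lives in a separate variable. The type and function names (`masked_field`, `field_on_char`, `field_get_text`, `field_clear`) are hypothetical, and in a real Windows program the keystroke handler would be driven by the control's character messages.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 64
#define DUMMY_CHAR '*'

/* Hypothetical model of a password field: `shown` is what the control
   holds (and all a text query against the control can return), while
   `secret` is kept only in the application's own variable. */
typedef struct {
    char shown[FIELD_MAX + 1];
    char secret[FIELD_MAX + 1];
    size_t len;
} masked_field;

void field_init(masked_field *f) { memset(f, 0, sizeof *f); }

/* Handle one typed character: record the real one, display a dummy. */
int field_on_char(masked_field *f, char c) {
    if (c == '\b') {                      /* backspace drops the last char */
        if (f->len == 0) return 0;
        f->len--;
        f->secret[f->len] = '\0';
        f->shown[f->len] = '\0';
        return 1;
    }
    if (f->len >= FIELD_MAX) return 0;    /* field full: reject keystroke */
    f->secret[f->len] = c;
    f->shown[f->len] = DUMMY_CHAR;
    f->len++;
    f->secret[f->len] = '\0';
    f->shown[f->len] = '\0';
    return 1;
}

/* What the control itself hands out: dummy characters only. */
size_t field_get_text(const masked_field *f, char *out, size_t cap) {
    if (cap == 0) return 0;
    size_t n = f->len < cap - 1 ? f->len : cap - 1;
    memcpy(out, f->shown, n);
    out[n] = '\0';
    return n;
}

/* Wipe the real password once it has been used. */
void field_clear(masked_field *f) {
    volatile char *p = f->secret;         /* volatile so the wipe is kept */
    for (size_t i = 0; i < sizeof f->secret; i++) p[i] = 0;
    memset(f->shown, 0, sizeof f->shown);
    f->len = 0;
}
```

This only keeps the password out of the control's own text; software that records keystrokes or reads the process's memory is not affected by it.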