I have a Delphi (5) application that uses a log-in screen (standard user name/password) and have just found out recently that password storage applications can identify the log-in fields in the screen, even if they are obfuscated, and offer to save the information for the user. Due to the high security nature of our program, we don't want to allow that. So far, I have not been able to find any information on how to block these applications from detecting the fields or telling them not to try. Is either of these options possible? If not, is there another option available?
Demand that your users not use form-fillers maybe? Don't know what kind of control can be exerted over your users' computers.
Or, perhaps find a way to detect whether a plug-in (like Roboform) is installed on the browser, and put up an alert box?
Here are a few thoughts - do you know how the form-filler is working?
1) can you dynamically create the username/password box at runtime? With a semi-random component name? It's not hard to make a couple of components in your login form's create.
2) can you replace the standard edit controls with a keypress state machine, effectively 'faking' the inputs using (for instance) TLabels?
3) Block cut/copy/paste from the edit controls?
4) Override the default message handler for your form, and swallow any keypress event that hasn't 'come' from your app?
I don't think there's a way to differentiate between keyboard events generated inside the device driver and keyboard events generated from another program by using the keybd_event function.
If the form filler is just using copy & paste then it's simple - just block the WM_PASTE message.
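An added example, not code from any of the answers above, that combines the run-time created fields with semi-random names from the earlier answer with the WM_PASTE blocking from this one, written as Delphi 5 style Object Pascal; the unit name, TSecureEdit and CreateLoginField are names I made up for the illustration:

```pascal
unit SecureLogin;

interface

uses
  Windows, Messages, SysUtils, Classes, Controls, StdCtrls;

type
  { TEdit descendant that discards the clipboard messages, so a form filler
    that works by pasting cannot drop text into the field. }
  TSecureEdit = class(TEdit)
  private
    procedure WMCut(var Msg: TWMCut); message WM_CUT;
    procedure WMCopy(var Msg: TWMCopy); message WM_COPY;
    procedure WMPaste(var Msg: TWMPaste); message WM_PASTE;
  end;

{ Creates a login field at run time with a semi-random component name
  instead of a design-time name such as "edtPassword". }
function CreateLoginField(AOwner: TComponent; AParent: TWinControl;
  ALeft, ATop: Integer; IsPassword: Boolean): TSecureEdit;

implementation

procedure TSecureEdit.WMCut(var Msg: TWMCut);
begin
  Msg.Result := 0; { inherited is not called, so nothing reaches the clipboard }
end;

procedure TSecureEdit.WMCopy(var Msg: TWMCopy);
begin
  Msg.Result := 0;
end;

procedure TSecureEdit.WMPaste(var Msg: TWMPaste);
begin
  Msg.Result := 0; { the paste is dropped; the edit text stays unchanged }
end;

function CreateLoginField(AOwner: TComponent; AParent: TWinControl;
  ALeft, ATop: Integer; IsPassword: Boolean): TSecureEdit;
begin
  Result := TSecureEdit.Create(AOwner);
  { Randomize must have been called once at program start }
  Result.Name := 'fld' + IntToHex(Random($7FFFFFFF), 8);
  Result.Parent := AParent;
  Result.SetBounds(ALeft, ATop, 160, Result.Height);
  if IsPassword then
    Result.PasswordChar := '*';
end;

end.
```

As the answer says, this only stops a filler that goes through the clipboard; keystrokes synthesised with keybd_event arrive on the normal keyboard path and are not affected.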
Users will always find a way to exert control on their own systems. You can just as easily prevent an automatic form filler from working as you can prevent the user from sticking a Post-It note to their monitor.
Deal with the fact that, as long as you trust the user to maintain security, you must handle weaknesses in your users. You can always mitigate this by restricting the abilities of individual users, but in the long run all you can do is hope your users care enough about their own personal information to secure it properly.
On the other hand, if this application is only used from the office, why do the users have password management apps in a secure environment?
You could take the approach used by web applications to make sure that automation utilities cannot easily be written to fill out forms. This involves displaying an image with some text in it, that the user must enter prior to continuing. The automation utility that can read "text" on the screen cannot read the "graphic" on the screen as easily (at least not without some extensive OCR programming). Most of these programs also warp the text so that a simple OCR pass would fail.
This is fairly easy to do, just create a few dozen or so images of words you want to poll from, pick a number at random when the app first starts (don't forget to seed the random number generator) and then select an image for the user to key in. When performing a match against the image, don't do a literal compare, instead compare against something like the CRC of the word in the image or something like that.
To better secure your users' passwords, you can also require them to change them more often. If security is a strong requirement, require strong passwords that must be changed according to a preset standard. For instance, require mixed case, at least one numeric value, at least one symbol, and at least 8 characters. Passwords cannot be in the standard dictionary (fails spell check), or have been used in the last n times. Passwords expire after 20 days.
I also would make sure you don't actually store the password in the database. Instead store a hash value of the password. The only one who should know the current password for a user is the one who entered it.