dcsimg
Results 1 to 25 of 25

Thread: Anti Unmask Password Char On TextBoxes

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Exclamation Anti Unmask Password Char On TextBoxes

    Hi everyone,

    I don't know if this question have been asked here before.
    but is been a while since I want to create a project that could help me add an option to
    prevent other apps from showing or unmasking my password char on my form textboxes.
    Code:
    Dim TimeToEnd As Boolean
    Private Sub Form_Load()
    Form1.Show
    Do
    DoEvents
    If Text1.PasswordChar <> "*" Then Text1.PasswordChar = "*"
    Loop Until TimeToEnd
    End Sub
    
    Private Sub Form_Unload(Cancel As Integer)
    TimeToEnd = True
    End Sub
    For a simple example I tried the code you see above.. but it is very vulnerable.
    it gets defeated with this: nRet = SendMessage(hWindow, EM_GETPASSWORDCHAR, 0&, 0&)
    does any one know a better way? would be nice if I could get some help with this project.
    thank you guys

  2. #2

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    Good idea Sarah, but there is a problem for me about using this idea.
    I already know how to encrypt and decrypt, but this tip won't apply for me, and let me explain why...
    This is a form I will be sending to other computer remotely, then from my machine, I, myself,
    will be typing a password into that form textbox field, my intention is that if someone try to unmask it,
    to prevent it. but after that I will be facing another problem.. since I will be typing into the textbox field..
    I also would like to add some other way to also prevent keylogging.

  3. #3
    Banned
    Join Date
    Oct 2016
    Posts
    52

    Re: Anti Unmask Password Char On TextBoxes

    Not worth helping u
    Last edited by sarah211; Nov 4th, 2016 at 02:11 PM.

  4. #4
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,719

    Re: Anti Unmask Password Char On TextBoxes

    One of the easiest steps in hardening applications against hijacking of this nature is to make use of the Microsoft Windowless Controls 6.0 (MSWLESS.OCX). This has a number of alternatives controls, such as a WLText control that accepts a PasswordChar property.

    To install this OCX you need to find it on your VS/VB 6.0 CDs, it is not installed as part of the default VB6 setup.

    You can also create your own windowless UserControls to make additional controls. These do not have an hWnd making them far tougher to hijack.

    There are other things you can do that involve subclassing and fencing off many window messages via the ChangeWindowMessageFilter function and related calls. That's a bit more work, doesn't help in all scenarios, and has some risks (see The dangers of filtering window messages).


    Such hijacking techniques are the desktop equivalent of web scraping, often used to subvert application licensing or outright steal data or security credentials, and just as immoral when even legal at all.

    It is disappointing to see so many script kiddies posting here lately on both web scraping and application hijacking. This is why so many professional programmers don't visit VBForums as much anymore. Many have moved off to invitation-only deep web sites like those run under the auspices of various programming professional organizations.

    As UseNet groups have crumbled the rabble have moved in here in earnest over the past 18 months. Since moderation here seems unable to stem the tide people voted with their feet.

  5. #5
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: Anti Unmask Password Char On TextBoxes

    I wouldn't take any security advice from someone who thinks base64 is an encryption algorithm.

  6. #6
    PowerPoster
    Join Date
    Feb 2012
    Location
    West Virginia
    Posts
    12,999

    Re: Anti Unmask Password Char On TextBoxes

    Seems an odd question to ask. What good would it do for someone to unmask your password field anyway? I mean all that would allow them to do is see the characters in the text box. You do know that they can be retrieved even when masked right? The purpose of masking the characters is so an onlooker can't see what you have typed into the password field.

  7. #7
    Banned
    Join Date
    Oct 2016
    Posts
    52

    Re: Anti Unmask Password Char On TextBoxes

    Quote Originally Posted by DEXWERX View Post
    I wouldn't take any security advice from someone who thinks base64 is an encryption algorithm.
    this is why todays people i that love harming people put hidden php base64 and other encryption , so you have spent so much time trolling all over my post why can i ask ?
    i have gave him suggestions what did u give ? what!! am trying to help this guy and your just an ass trolling

  8. #8
    Fanatic Member
    Join Date
    Dec 2014
    Posts
    832

    Re: Anti Unmask Password Char On TextBoxes

    so, you will be sending a program to another computer and remotely you will access this program that is password protected?
    you know that visual basic program can be decompiled? if you have a password stored it can be easily accessed.

    i would go with 2 programs, the client (the one you have at home) and the server (that you have somewhere else).
    everything is stored at your home, you don't leave anything in the "remote" location.
    not sure what you are trying to do remotely that needs protection. but no matter what you do, a good hacker will crack it.

  9. #9

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    dilettante
    "It is disappointing to see so many script kiddies posting here lately"
    I don't get it dilettante, if you shared your two cents of collaboration, then why bother posting that insult?
    but on the other hand, script kiddies like us are what still keep VB6 running and not forgotten. Thanks anyway.

    DataMiser
    Seems an odd question to ask.
    Nothing is odd when it comes to programming.

    DEXWERX
    I wouldn't take any security advice from someone who thinks base64 is an encryption algorithm.
    Thanks DEXWERX

    Thanks for your posts Sarah.

    baka
    so, you will be sending a program to another computer and remotely you will access this program that is password protected?
    Thats correct baka, but the other computer is also mine, is on my network.
    My project is a two forms, one with a textbox where I type the password, which if I type the right password the form hide and show form2.
    and as for decompilation? ...not to worry, it is stored in the form, but very encrypted.

  10. #10
    PowerPoster
    Join Date
    Feb 2012
    Location
    West Virginia
    Posts
    12,999

    Re: Anti Unmask Password Char On TextBoxes

    The question really does not make any sense. Seems like a waste of time to even try.

  11. #11
    Fanatic Member
    Join Date
    Dec 2014
    Posts
    832

    Re: Anti Unmask Password Char On TextBoxes

    if its your own network, i dont get it why you need protections.
    just send a hide/show command and your done.

  12. #12
    PowerPoster
    Join Date
    Feb 2012
    Location
    West Virginia
    Posts
    12,999

    Re: Anti Unmask Password Char On TextBoxes

    Quote Originally Posted by baka View Post
    if its your own network, i dont get it why you need protections.
    just send a hide/show command and your done.
    not only that but if someone where to unmask it only someone standing nearby while the password is typed would be able to see it.

    Do we suddenly have a rash of hackers that use their cell phones to unmask password entry boxes so they can see our passwords as we type them and wouldn't the user know this is happening as soon as the **** disappeared?

    Oh well... I will bow out of here as this seems pointless

  13. #13
    Banned
    Join Date
    Oct 2016
    Posts
    52

    Re: Anti Unmask Password Char On TextBoxes

    Quote Originally Posted by Coding View Post
    I don't get it dilettante, if you shared your two cents of collaboration, then why bother posting that insult?
    but on the other hand, script kiddies like us are what still keep VB6 running and not forgotten. Thanks anyway.


    Nothing is odd when it comes to programming.


    Thanks DEXWERX

    Thanks for your posts Sarah.

    NOT TO U CODING...

    Thats correct baka, but the other computer is also mine, is on my network.
    My project is a two forms, one with a textbox where I type the password, which if I type the right password the form hide and show form2.
    and as for decompilation? ...not to worry, it is stored in the form, but very encrypted.
    NOT TO U CODING. EVEN U TRIED TO SHOW IN OTHER POST AM DOING BAD STIL I FORGIVE , SE HOW THEY THINK ABOUT US PEOPLE THESE GRANDADS
    se we are here for help and they call us script kiddies ,
    LOOKS LIKE BIG BUNCH OF GRAND DADS SITTING AROUND IN VB6FORUMS AWAITING TO TROLL POST AND ATTACK RATHER THEN HELP

    I POST WITH A NEGETIVE REPLY AND NON RELATIVE WILL BE CONSIDERED AS INSULT AND WASTE OF TIME , I THINK GRAND DADS HAVE LOST HIS OR HER TEETH ALSO.

  14. #14
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,265

    Re: Anti Unmask Password Char On TextBoxes

    sarah211, please calm down.

    I know there was some provocation, but your responses were dramatically worse - and are not acceptable for this site.

    While I can see that you were trying to help, your suggestions were either not really solutions (eg: while base64 may hinder some people with very limited knowledge, it is encoding [extremely easy to get back] not encryption [at least hard to get back]), or were totally unacceptable (hacking and spamming are not suitable topics for this site, or for people who care about the law - and are definitely something that can be referred to as script kiddie activity).

    Rather than hitting out at those with more experience, try learning from them, as there are some good suggestions above. While you may have ideas of how to possibly do something, people with more experience will often discount the ideas proposed by newer people, not because those people are new (or anything personal), but because the ideas themselves are actually not that good (there are often simpler and safer methods).

    When people point out the flaws in your ideas, instead of taking their knowledge as an insult, take it as the constructive criticism it actually is. While it may not be what you want to hear, pointing out the flaws in your ideas is helpful - not only to you (because you can learn and improve), but also to anyone who is looking to solve a problem and reads your post (because they can tell it isn't actually a solution for them).

  15. #15

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    DataMiser
    The question really does not make any sense. Seems like a waste of time to even try.
    You don't have to try DataMiser, in my case it is not waste of time, if it was, I wouldn't be trying to.

    baka
    if its your own network, i dont get it why you need protections.
    This is a test baka, just like any one would. the final project would be an administrator tool that only one person would have access to it.

    I have always noticed that people who seen to know more than others are constantly trying to make fun of others by calling their stuff pointless and useless projects. thats a bad habit.

    I don't think my project is pointless or useless, at least it will come very handy to me if I get to accomplish it.
    My project is not about hacking, the first programers who came out with this idea was Yahoo! Messeger back in 2001.
    then Skype and other messengers did the same. my project is usefull so others could add this same feature to their tools.
    since am here in this forum I have asked about dll injection and they thought I was hacking, then I asked about dll and menu hooking, the same thing.
    I think that this forum should be more open wide when it comes to helping others, it is not always about hacking, cracking, patching, etc.
    in my case if I had the answer to all the question people ask in this forum, I would donate 4 hours of my time to help others.

    Thanks Sarah.

  16. #16
    Fanatic Member
    Join Date
    Dec 2014
    Posts
    832

    Re: Anti Unmask Password Char On TextBoxes

    about your textboxes/mask.
    theres many ways to create a "login", you don't need to use the keyboard at all.
    here an example:

    the remote program creates a frame that is generated each time you start it. the frame contains (randomly placed) different objects of your choosing,
    could be color boxes, circles, letters, numbers, symbols, whatever.
    now, the "password" is the right combination, where you click on the right object in the right order. successful doing so will login.

    about "borderline" programming. if you want help with something that "seems like hacking", you better try to make a good case.
    explain carefully what you need, post scripts/projects so that people can take a look.
    if someone don't want to help its up to them, i have a few thread that nobody answers me, but i dont go around accusing people for that.
    i dont pay, nobody gets payed. its free. i can only hope that someone will help me, but i cant be angry if they decide to not do so.

  17. #17
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,265

    Re: Anti Unmask Password Char On TextBoxes

    Quote Originally Posted by Coding View Post
    My project is not about hacking,
    Agreed, this thread is about the opposite. I don't think anybody disputes that.

    I don't think my project is pointless or useless,
    That is debatable, but you are certainly welcome to your opinion - and I certainly wouldn't want to stop you.

    While others may think it is a waste of time or similar, it is your time to spend.

    since am here in this forum I have asked about dll injection and they thought I was hacking, then I asked about dll and menu hooking, the same thing.
    Those things (and several others) are primarily used as hacking techniques, but can also be used for non-malicious purposes (which is why they exist).

    People tend to question their usage, as there are often easier/better ways to do the same things. That isn't accusing people of hacking, but trying to find the right solution to the problem.

    I have always noticed that people who seen to know more than others are constantly trying to make fun of others by calling their stuff pointless and useless projects. thats a bad habit.
    I am aware of what you mean, but it is not making fun of people, it is trying to put them on a better path (either using methods that are better for the situation, or explaining why something actually cannot work so it is better to work on other things, or even in some rare cases [not this one!] get hackers to stop).

    I think that this forum should be more open wide when it comes to helping others, it is not always about hacking, cracking, patching, etc.
    This site is wide open for helping with non-malicious things, and is closed (and always will be) for malicious things.

    There are some things that are grey areas, and those tend to be allowed and get some degree of help as long as the person asking for help is willing to be reasonable about it like you are (including responding to peoples questions, and describing what they want to achieve rather than just the method they are trying to use). When people refuse to be reasonable (which happens sometimes), it understandably raises all kinds of warning flags.

    If I had the answer to all the question people ask in this forum, I would donate 4 hours of my time to help others.
    Many people do spend lots of time helping, but due to the experience of doing so over a long period they tend to know that answering a specific question is often not the best option - most of the time it is better to work out what overall problem is trying to be solved (and provide an alternative method), rather than fix the method that is currently being focussed on.

    I've lost count of the amount of times I've seen people asking for help over a period of weeks for fixing a set of methods they are using (which don't actually end up solving the problem), and it turns out all they really needed was a few lines of code.

    A good example of this is dealing with ' characters in SQL statements. Some people end up with lots of code that seems to work in their tests, but then fails in a way they can't understand. Those of us with relevant experience know that the proper solution (Parameters) gives you simpler code that is much more reliable, and solves lots of other problems too.

    If you are doing some home improvements then a hammer is a very useful tool, but no matter how comfortable you are using a hammer, it is sometimes better to use a screwdriver or saw instead. If somebody with lots of experience suggests a different tool, then it's probably worth listening.

  18. #18

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    baka, let me put it this way, you are at your desk right now, in front of your pc.
    I'm right here, ready to send my app to your pc, done, I sent it, I run my app on your pc...
    done! ...form1 shows up, time to enter password... now lest pause right here for a moment...
    on this stage you will see me typing some text into the textbox field, since is masked with asterisks, you won't be able to see it.
    after entering the asigned text into the textbox field, it will trigger form1 to hide and form2 will shows up. now, whats wrong with that?
    of course nothing! all I want to come out with, is with a way that if you decide to check what am typing in the textbox, you won't be able to see it.
    I also posted the code on how to do that in post #1. then as per some one to check the content of my app with some tool, it wont, there is no msgbox warning,
    the password is also encrypted before compilation, so any atempt on getting that password will be useless. bu the simples and easy way is to use the second line of code
    which I also posted on post #1.

  19. #19

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    si_the_geek, I'm calm, message understood.

  20. #20
    Fanatic Member
    Join Date
    Dec 2014
    Posts
    832

    Re: Anti Unmask Password Char On TextBoxes

    problem:
    two people standing in front of a computer. its time to login, but we don't want person "B" to see while person "A" do the login.

    problems:
    1. person "B" could have started a keylogger/capture program.
    2. person "B" is eagerly watching and not letting person "A" be alone, how to type keyboard, if he's looking

    -------------------------------
    solution 1:
    1-time-passwords with key/password. each key is unique and can only be used once.
    no need to mask anything here.

    solution 2:
    usb with a identifier. you need to plugin the usbstick, otherwise the program dont work.

  21. #21
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    34,320

    Re: Anti Unmask Password Char On TextBoxes

    In this scenario, I wonder if it wouldn't be better to spoof your own password? It seems like you have control of the program. Showing the user the password being entered (as asterisks, or whatever) could be pretty nice for the end user experience, but it doesn't seem all that necessary to the program. The program will be receiving whatever you are typing (I assume), so why not have it store what you ACTUALLY type into an internal buffer, then have some random characters put into the textbox? The internal buffer is what you'd use, while if the user did get the 'password', they'd be feeling quite clever up until it doesn't work.
    My usual boring signature: Nothing

  22. #22

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    Hey baka.. nice explanation, you just made a thousand words to be only ten.
    sorry to make my questions hard to figured out and hard understanding them.
    and yes baka, I was already aware of keylogging, I mentioned that on post #3
    "I also would like to add some other way to also prevent keylogging."
    as for your solution 2... that won't work since the app need to be sent remotely.

    Now Shaggy Hiker got me thinking, I think that could be a good tip to try...

  23. #23
    Fanatic Member
    Join Date
    Dec 2014
    Posts
    832

    Re: Anti Unmask Password Char On TextBoxes

    hmm. so you are doing the login remotely?
    you need to specify how. if its remotely then why you need a textbox? some kind of remote assistance?

    then:
    person A is sitting in location 1 talking to person B that is in location 2.
    person A need to login to a computer that person B have in location 2.

    question:
    how do person A see the monitor of person B?

  24. #24
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    783

    Re: Anti Unmask Password Char On TextBoxes

    Passwords should not be sent over the Internet unencrypted. If I was on the receiving end, it would be a simple matter to start a Packet Sniffer and grab the password as it is sent. The normal way to handle passwords is to hash it first, and then send the hash to be compared to a hash on the receiving end. Dynamic bytes added by an algorithm on both ends can add to the difficulty of hacking the hash if it gets intercepted.

    J.A. Coutts

  25. #25

    Thread Starter
    Hyperactive Member
    Join Date
    Dec 2013
    Posts
    320

    Re: Anti Unmask Password Char On TextBoxes

    Hi couttsj, thanks for your comment, but packet sniffer have no use over my encrypted password, as the password is already encrypted in the compiled file.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Featured


Click Here to Expand Forum to Full Width