URGENT, Secure Device Required for TWS

Discussion in 'Retail Brokers' started by SideShowBob, May 15, 2007.

  1. GTS

    I have never used Roboform but I did just visit their site briefly and it referenced entering a master password.

    If you have configured Roboform not to use a master password then I can only assume that your Roboform password file is not encrypted and would be easy pickings for a trojan to steal.

    Look, I'm not saying that Roboform is or isn't a good idea. But the idea that you can live with a trojan keylogger on your machine and not worry about it is delusional. Once it's on your machine you are likely screwed.
     
    #101     May 23, 2007

  2. Your "assumption" of how roboform operates is incorrect. And please show where I mentioned that I could "live" with a trojan loaded on my computer. :D

    st
     
    #102     May 23, 2007
  3. GTS

    Please explain how it operates then.

    PCMag (http://www.pcmag.com/article2/0,1895,1632860,00.asp) says this "RoboForm encrypts and stores data locally, protecting it with a master password. Don't lose that master password, as there's no "back door" to recover it. The first time you use RoboForm in a given Windows session, it demands the master password. It won't ask again until you log off. "

    Sure sounds like it asks you to enter a password which the keylogger would get a copy of.

    Here is what you said in response to discussing the problem of a keylogger stealing passwords leading to account compromises.

    "Roboform or any like program addresses the above without the hassle of a token device."

    Having Roboform does not mitigate having a keylogging trojan running on your system.
     
    #103     May 23, 2007
  4. Why, are you unable to figure it out on your own?



    But it does prevent the keylogger from learning the password, as no keystrokes were used. Why is that so difficult for you to comprehend?

    If anyone is so stupid as to not use preventive measures against keyloggers, worms, or trojans, then as a famous philosopher once said, stupid is as stupid does.

    Go cower in your dark corner and fear the worst. I have work to do. :D
     
    #104     May 23, 2007
  5. GTS

    Oh I see, serious discussion is not your forte.

    Yea, instead of the keylogger getting one of your passwords (IB account), you give them all of your passwords at once. Brilliant.

    I can see where this is going, you're more interested in arguing semantics than the real issue because you know you're wrong. Maybe next time think before you post a stupid flip answer like using Roboform is the answer to keyloggers...
     
    #105     May 23, 2007
  6. petteri

    Challenge-response systems in the form of a secure device (or a paper single-use password list with confirmation codes) provide far better security than other methods suitable for public use.

    The customer can simply secure the account very reliably by logging out. When the customer has disconnected, the attacker needs userid, password and physical possession of the secure device + PIN in order to make a successful attack.

    Real-time or man-in-the-middle attacks against connected TWS or browser are very difficult to perform.

    Challenge-response systems provide great flexibility. You really do not need to be absolutely sure about the security of the computer you use.

    Without challenge-response systems you really need to be a computer expert and also very careful to provide good security.

    You should use a separate machine (preferably linux) for trading which you use for nothing else. No browsing, no e-mails, no usage of any other programs than trading. How many of us have such machines?

    When you get out of the house you should have your own laptop for trading with you if you want to connect safely. In case your computer breaks down you should not use any other computer.

    With challenge-response systems you can practically use any computer without excessive risks. Just log out and any information gathered is useless for the attacker without possession of the secure device.
     
    #106     May 23, 2007
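
Added example, not part of the original thread or any poster's code: a minimal challenge-response login of the kind post #106 describes, showing why a response captured on a compromised PC fails once the session is over. The HMAC-SHA256 scheme, the 8-digit codes, the user `trader1` and the PIN are assumptions for illustration; the thread does not say how the broker's secure device computes its response.

```python
import hashlib
import hmac
import secrets

def device_response(key: bytes, challenge: str) -> str:
    """Assumed scheme: 8-digit code derived from HMAC-SHA256(key, challenge)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class SecureDevice:
    """Hypothetical token: the key never leaves it, and it answers only after a PIN check."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def respond(self, pin: str, challenge: str) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return device_response(self._key, challenge)

class Server:
    """Toy login server: one fresh, single-use challenge per login attempt."""
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # userid -> key shared with that user's device
        self.pending = {}                # userid -> outstanding challenge

    def issue_challenge(self, userid: str) -> str:
        self.pending[userid] = f"{secrets.randbelow(10**8):08d}"
        return self.pending[userid]

    def verify(self, userid: str, response: str) -> bool:
        challenge = self.pending.pop(userid, None)   # consumed whether or not it matches
        if challenge is None:
            return False
        expected = device_response(self.device_keys[userid], challenge)
        return hmac.compare_digest(expected, response)

def replay_demo():
    key = secrets.token_bytes(32)        # constructed sample key
    server = Server({"trader1": key})
    device = SecureDevice(key, pin="4821")
    # Legitimate login; assume malware on the PC records both challenge and response.
    challenge = server.issue_challenge("trader1")
    captured = device.respond("4821", challenge)
    legit_ok = server.verify("trader1", captured)
    # After logout, the next login gets a new challenge, so the captured code is stale.
    server.issue_challenge("trader1")
    replay_ok = server.verify("trader1", captured)
    return legit_ok, replay_ok
```

The password half of the login is left out: a keylogger is assumed to have it already, and the second return value shows that this alone does not reopen the account.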
  7. gbos

    I'm not an expert but a well designed Trojan doesn't only record keystrokes but also the message queue of the operating system etc. so when an application (for example roboform) communicates with internet explorer the password passed to the forms is also intercepted by the Trojan.
     
    #107     May 23, 2007



  8. Wrong on all counts. You began with ASSumptions followed by a bold faced lie. Any serious discussion ended there.

    st
     
    #108     May 23, 2007

  9. You are correct. However, the passwords would be encrypted.

    I am not saying that security is not warranted. My point was, and still is, for the AVERAGE trading account, the probability of anyone trying to crack an encrypted password from a secure system is quite remote. As someone else wisely pointed out, there is a balance between security and convenience. Treating a $5000 account in the same manner as a $5 million account is a bit overkill for some. Much of this nonsense being posted stems from those who need their hand held due to paranoia. :D

    Surf safe!!!
    http://blinkynet.net/comp/safe.jpg


    st
     
    #109     May 23, 2007
  10. GTS

    Roboform (or whatever software you use) has to enter passwords in the clear when it fills out fields in IE (or whatever app). It cannot enter encrypted passwords - that doesn't even make sense.

    Please stop spouting off nonsense when you clearly don't know what you are talking about.
     
    #110     May 23, 2007