A clever little trick to protect your passwords.
November 23, 2006 10:57 AM   Subscribe

The link goes to Astalavista; To read the article, click on the .pdf abstract
In a nutshell--the keylogger registers everything typed; your browser only recognizes characters typed into the text entry fields.
posted by weapons-grade pandemonium at 10:58 AM on November 23, 2006

i'm still worried.
posted by casconed at 11:06 AM on November 23, 2006

here is the PDF, which you can read without clicking through a pop-up ridden 'haxor' site.

The technique:

Navigate to the login page desired;
Type in the userid;
for (each pwd character){
Give focus to anywhere but the pwd field;
Type some random characters;
Give focus to the pwd field;
Type the next character of the pwd
}
Submit;
posted by delmoi at 11:09 AM on November 23, 2006 [1 favorite]

That's clever. But this isn't that tough. You can also use charmap to type your password. Or build it out of letters copied and pasted from metafilter. Or any number of ways that would take equally sophisticated logging to beat.
posted by aubilenon at 11:09 AM on November 23, 2006

W49ow56, th454at's a really5 ne4at, simpleQ tri659ck! Th840IEWZls, MeFi7!
posted by CheeseburgerBrown at 11:12 AM on November 23, 2006

The trouble with this technique is that the keylogger still gets all your credentials, just with quasirandom characters mixed in.

In the rare occasion I've used one of those computers for something I had to log into, I've been known to copy-and-paste my credentials into the field one character at a time from other text sources. That's an improvement on this in that you never type any of the characters of your credentials, though it is a little slow.

The other problem is that keyloggers are not the only form of spyware that a business in control of the machine can install. I've written extensions for IE as well as wrappers for the IE control and I know how easy it is; it would barely be the work of an afternoon to create something that looked indistinguishable from off-the-rack IE but captured everything that was typed into it, by any means.
posted by George_Spiggott at 11:13 AM on November 23, 2006

Modern keyloggers log all clipboard actions.
posted by Jairus at 11:25 AM on November 23, 2006

Has anyone come up with a dynamic password system, i.e., a password that changes each time, according to an algorithm which both the user and website recognize? It would be more difficult to hack an algorithm than a static password.
posted by weapons-grade pandemonium at 11:29 AM on November 23, 2006

I've heard some keyloggers record the clipboard too, so copying and pasting one character at a time might still be insecure.

Personally I wouldn't trust a machine that might have a keylogger unless I could stick in a LiveCD and run from that.
posted by edd at 11:31 AM on November 23, 2006

I've always thought the thing to do would be to replace typed password fields with 'graphical character selectors' like those found in video games.
posted by delmoi at 11:36 AM on November 23, 2006

This won't work forever. They can just gather per-window keylogging instead. Every window (a handle is readily available) could be given its own output.
posted by jon_kill at 11:38 AM on November 23, 2006

Cool RSA fob, chunking express.
posted by weapons-grade pandemonium at 11:41 AM on November 23, 2006

I think this rules as far as log in authentication schemes go..
posted by dminor at 11:55 AM on November 23, 2006

Maple story ( a free MMO side scroller game) had such a huge problem with keyloggers that they instituted a PIN that's set up when your game account is created. When you sign in, you type your password as normal, but the PIN gets entered on an onscreen keyboard that randomly maps numbers to various keys. It was just a short time after this innovation that the MS keylogger started taking screenshots as well. Ain't nothin' safe.
posted by boo_radley at 12:05 PM on November 23, 2006

This is definitely a major issue to be concerned about. I see a lot of internet cafes opening in my neighborhood. They claim to be small businessmen wanting to set up roots in the community, but I know as soon as they get their hands on my gmail password, they'll pack it up in the night and run for Mexico!

Seriously, all these methods seem pretty good, but if you are that security-conscious, maybe just change your password after every login at a non-safe computer?
posted by drjimmy11 at 12:11 PM on November 23, 2006

AskMe question on this.
posted by signal at 12:19 PM on November 23, 2006

boo_radley: oh, ING direct does the same thing with their PIN
posted by aubilenon at 12:20 PM on November 23, 2006

what I do is just bring a heavy lead pipe with me to the internet cafe, and bash whatever computer i was just using into pieces before i leave
posted by wumpus at 12:51 PM on November 23, 2006 [2 favorites]

A recent AskMe lead me to Boothbox, a live CD containing nothing but Firefox - if more internet cafes switched over to this i) users would be a lot more secure and ii) the cafe admins would have much less work to do. Worried about keyloggers? Simply reboot between users.

Graphical logins (and kitten authorisation) also fascinate me.
posted by blag at 2:07 PM on November 23, 2006

Live CDs do nothing to protect against hardware keyloggers like keyghost.

And this technique of changing focus won't help much against keyloggers that log mouse-clicks. The log will have something like: "asdf<click>pa<click>fdsa<click>s<click>qewr<alt-tab>sw<click>b34<click>ord". It might slow someone down a bit, making you less of a target, but if someone is after you specifically, it will only help a little.

If someone is worried about keyloggers that much, I would suggest either only using computers you own, or some sort of token system like RSA SecureID.
posted by fings at 3:03 PM on November 23, 2006

Also: S/Key
posted by event at 3:38 PM on November 23, 2006

Has anyone come up with a dynamic password system, i.e., a password that changes each time, according to an algorithm which both the user and website recognize?

Etrade has a device that does this, right? I have a friend who works for a bank and he has a new password generated each time he logs in. He carries around a device that has a lcd display on it and the current password is displayed.
posted by tomplus2 at 4:01 PM on November 23, 2006

And this technique of changing focus won't help much against keyloggers that log mouse-clicks. The log will have something like: "asdfpafdsasqewrswb34ord".

What if you copied a large string and right-click-deleted the nonsense text out from the letters you want?
posted by dreamsign at 4:07 PM on November 23, 2006

Personally I wouldn't trust a machine that might have a keylogger unless I could stick in a LiveCD and run from that.

You're assuming someone hasn't slipped a hardware keylogger onto the box.
posted by eriko at 4:08 PM on November 23, 2006

I use a tablet PC :-)
posted by -harlequin- at 5:00 PM on November 23, 2006

Your passwords are never totally safe in an internet cafe. Anyone could be shoulder surfing, possibly with a security camera.
posted by Mitrovarr at 6:00 PM on November 23, 2006

If you access things important enough for the above to be a concern, don't use internet cafes.

Pretty simple.
posted by sindark at 8:46 PM on November 23, 2006

The SecurID key fobs that chunking and (I assume) tomplus2 mention are pretty popular. They do have some weaknesses, but still, they seem to be the most common "more secure than a simple password but can stil be carried in your pocket" login system for people like sysadmins.

(RSADSI bought SecurID some years back; as far as I can tell they haven't updated the keyfob technology much from what it was before.)
posted by hattifattener at 10:01 PM on November 23, 2006

Fair point about the liveCDs, but you can then use tricks like keeping passwords in an encrypted bit of your CD, so they can get the password to your liveCD but not your actual accounts (as you can then copy and paste the passwords since it won't be able to see inside your clipboard if it just sits between the keyboard and PC).

But Mitrovarr and sindark are right.
posted by edd at 1:06 AM on November 24, 2006

Seriously, all these methods seem pretty good, but if you are that security-conscious, maybe just change your password after every login at a non-safe computer? - drjimmy11
If you get to it before the bad guys do.

The only way to have relative security at cafes is to use the ones where they don't supply the computers, you bring your own (per -harlequin- above) and just use their internet connection. This also has hazards, including visual spying and network sniffing, but the set of possible attacks is so reduced that with care you have a good chance of avoiding all of them.

I'd like to point out too, this whole scenario of using someone else's computer is a variation of, and in essence identical to, the case of so-called "Trusted Computing". Once you allow some other party to have ultimate control over hardware or software at lower levels of the system, you cannot have any strong assurance that the system is not betraying you.
posted by jam_pony at 1:58 AM on November 24, 2006

My husband and I have been traveling in South America for the past 4 months and have used many different internet cafes to access the internet. We did bring our laptops, but not all internet cafes will let you plug into their ethernet, as that messes with their accounting software. Wifi is not as ubiquitous around here as it is in the states, so if you are telling me not to use an internet cafe, then you're just saying, don't use the internet. Well, that's not an option. Also, computers down here are *really freaking* expensive, and so for people who are not rich (most people down here), their only access to computers and the internet is using the internet cafes. I think that most cafes wipe and reinstall all their computers each night, but I wouldn't count on it. But, back to the point, this isn't just a theoretical problem for a lot of people.
posted by blmurch at 6:08 AM on November 25, 2006

The SecurID keyfobs have been around for a long time; I had one about six years ago. They're neat, but you have to have the appropriate authentication manager - they're not yet available for logging into your webmail, etc.
posted by etoile at 8:50 PM on November 25, 2006

Since it's been missed...

S/KEY is a one-time password system that doesn't require an expensive keyfob, can be freely implemented on all Linux/Unix/BSD systems (and anything else supporting SASL), and was designed specifically for use on untrusted systems/networks. Even if your password is captured, it doesn't matter, because your password will be different the next time you log in, and it's impossible to derive your next password even from a full history of your past ones.

The problem? It needs to be implemented server-side, and it rarely (if ever) is.
posted by CrayDrygu at 9:26 PM on November 26, 2006