Comments on: A clever little trick to protect your passwords.

A clever little trick to protect your passwords.

weapons-grade pandemonium — Thu, 23 Nov 2006 10:57:11 -0800

How to log in from an internet café without worrying about keyloggers. (.pdf)

By: weapons-grade pandemonium

weapons-grade pandemonium — Thu, 23 Nov 2006 10:58:11 -0800

The link goes to Astalavista; To read the article, click on the .pdf abstract In a nutshell--the keylogger registers everything typed; your browser only recognizes characters typed into the text entry fields.

By: casconed

casconed — Thu, 23 Nov 2006 11:06:20 -0800

i'm still worried.

By: delmoi

delmoi — Thu, 23 Nov 2006 11:09:13 -0800

here is the PDF, which you can read without clicking through a pop-up ridden 'haxor' site. The technique:


Navigate to the login page desired;
Type in the userid;
for (each pwd character){
  Give focus to anywhere but the pwd field;
  Type some random characters;
  Give focus to the pwd field;
  Type the next character of the pwd
}
Submit;

By: aubilenon

aubilenon — Thu, 23 Nov 2006 11:09:48 -0800

That's clever. But this isn't that tough. You can also use charmap to type your password. Or build it out of letters copied and pasted from metafilter. Or any number of ways that would take equally sophisticated logging to beat.

By: CheeseburgerBrown

CheeseburgerBrown — Thu, 23 Nov 2006 11:12:22 -0800

W49ow56, th454at's a really5 ne4at, simpleQ tri659ck! Th840IEWZls, MeFi7!

By: George_Spiggott

George_Spiggott — Thu, 23 Nov 2006 11:13:34 -0800

The trouble with this technique is that the keylogger still gets all your credentials, just with quasirandom characters mixed in. In the rare occasion I've used one of those computers for something I had to log into, I've been known to copy-and-paste my credentials into the field one character at a time from other text sources. That's an improvement on this in that you never type any of the characters of your credentials, though it is a little slow. The other problem is that keyloggers are not the only form of spyware that a business in control of the machine can install. I've written extensions for IE as well as wrappers for the IE control and I know how easy it is; it would barely be the work of an afternoon to create something that looked indistinguishable from off-the-rack IE but captured everything that was typed into it, by any means.

By: Jairus

Jairus — Thu, 23 Nov 2006 11:25:50 -0800

Modern keyloggers log all clipboard actions.

By: weapons-grade pandemonium

weapons-grade pandemonium — Thu, 23 Nov 2006 11:29:43 -0800

Has anyone come up with a dynamic password system, i.e., a password that changes each time, according to an algorithm which both the user and website recognize? It would be more difficult to hack an algorithm than a static password.

By: edd

edd — Thu, 23 Nov 2006 11:31:31 -0800

I've heard some keyloggers record the clipboard too, so copying and pasting one character at a time might still be insecure. Personally I wouldn't trust a machine that might have a keylogger unless I could stick in a LiveCD and run from that.

By: chunking express

chunking express — Thu, 23 Nov 2006 11:33:40 -0800

wgp, check out the RSA key fob.

By: delmoi

delmoi — Thu, 23 Nov 2006 11:36:07 -0800

I've always thought the thing to do would be to replace typed password fields with 'graphical character selectors' like those found in video games.

By: jon_kill

jon_kill — Thu, 23 Nov 2006 11:38:32 -0800

This won't work forever. They can just gather per-window keylogging instead. Every window (a handle is readily available) could be given its own output.

By: weapons-grade pandemonium

weapons-grade pandemonium — Thu, 23 Nov 2006 11:41:45 -0800

Cool RSA fob, chunking express.

By: dminor

dminor — Thu, 23 Nov 2006 11:55:30 -0800

I think this rules as far as log in authentication schemes go..

By: boo_radley

boo_radley — Thu, 23 Nov 2006 12:05:29 -0800

Maple story ( a free MMO side scroller game) had such a huge problem with keyloggers that they instituted a PIN that's set up when your game account is created. When you sign in, you type your password as normal, but the PIN gets entered on an onscreen keyboard that randomly maps numbers to various keys. It was just a short time after this innovation that the MS keylogger started taking screenshots as well. Ain't nothin' safe.

By: drjimmy11

drjimmy11 — Thu, 23 Nov 2006 12:11:39 -0800

This is definitely a major issue to be concerned about. I see a lot of internet cafes opening in my neighborhood. They claim to be small businessmen wanting to set up roots in the community, but I know as soon as they get their hands on my gmail password, they'll pack it up in the night and run for Mexico! Seriously, all these methods seem pretty good, but if you are that security-conscious, maybe just change your password after every login at a non-safe computer?

By: signal

signal — Thu, 23 Nov 2006 12:19:20 -0800

AskMe question on this.

By: aubilenon

aubilenon — Thu, 23 Nov 2006 12:20:21 -0800

boo_radley: oh, ING direct does the same thing with their PIN

By: wumpus

wumpus — Thu, 23 Nov 2006 12:51:10 -0800

what I do is just bring a heavy lead pipe with me to the internet cafe, and bash whatever computer i was just using into pieces before i leave

By: blag

blag — Thu, 23 Nov 2006 14:07:57 -0800

A recent AskMe lead me to Boothbox, a live CD containing nothing but Firefox - if more internet cafes switched over to this i) users would be a lot more secure and ii) the cafe admins would have much less work to do. Worried about keyloggers? Simply reboot between users. Graphical logins (and kitten authorisation) also fascinate me.

By: fings

fings — Thu, 23 Nov 2006 15:03:43 -0800

Live CDs do nothing to protect against hardware keyloggers like keyghost. And this technique of changing focus won't help much against keyloggers that log mouse-clicks. The log will have something like: "asdf<click>pa<click>fdsa<click>s<click>qewr<alt-tab>sw<click>b34<click>ord". It might slow someone down a bit, making you less of a target, but if someone is after you specifically, it will only help a little. If someone is worried about keyloggers that much, I would suggest either only using computers you own, or some sort of token system like RSA SecureID.

By: event

event — Thu, 23 Nov 2006 15:38:02 -0800

Also: S/Key

By: tomplus2

tomplus2 — Thu, 23 Nov 2006 16:01:00 -0800

Has anyone come up with a dynamic password system, i.e., a password that changes each time, according to an algorithm which both the user and website recognize? Etrade has a device that does this, right? I have a friend who works for a bank and he has a new password generated each time he logs in. He carries around a device that has a lcd display on it and the current password is displayed.

By: dreamsign

dreamsign — Thu, 23 Nov 2006 16:07:40 -0800

And this technique of changing focus won't help much against keyloggers that log mouse-clicks. The log will have something like: "asdfpafdsasqewrswb34ord". What if you copied a large string and right-click-deleted the nonsense text out from the letters you want?

By: eriko

eriko — Thu, 23 Nov 2006 16:08:15 -0800

Personally I wouldn't trust a machine that might have a keylogger unless I could stick in a LiveCD and run from that. You're assuming someone hasn't slipped a hardware keylogger onto the box.

By: -harlequin-

-harlequin- — Thu, 23 Nov 2006 17:00:35 -0800

I use a tablet PC :-)

By: Mitrovarr

Mitrovarr — Thu, 23 Nov 2006 18:00:36 -0800

Your passwords are never totally safe in an internet cafe. Anyone could be shoulder surfing, possibly with a security camera.

By: sindark

sindark — Thu, 23 Nov 2006 20:46:56 -0800

If you access things important enough for the above to be a concern, don't use internet cafes. Pretty simple.

By: hattifattener

hattifattener — Thu, 23 Nov 2006 22:01:07 -0800

The SecurID key fobs that chunking and (I assume) tomplus2 mention are pretty popular. They do have some weaknesses, but still, they seem to be the most common "more secure than a simple password but can stil be carried in your pocket" login system for people like sysadmins. (RSADSI bought SecurID some years back; as far as I can tell they haven't updated the keyfob technology much from what it was before.)

By: edd

edd — Fri, 24 Nov 2006 01:06:07 -0800

Fair point about the liveCDs, but you can then use tricks like keeping passwords in an encrypted bit of your CD, so they can get the password to your liveCD but not your actual accounts (as you can then copy and paste the passwords since it won't be able to see inside your clipboard if it just sits between the keyboard and PC). But Mitrovarr and sindark are right.

By: jam_pony

jam_pony — Fri, 24 Nov 2006 01:58:44 -0800

Seriously, all these methods seem pretty good, but if you are that security-conscious, maybe just change your password after every login at a non-safe computer? - drjimmy11 If you get to it before the bad guys do. The only way to have relative security at cafes is to use the ones where they don't supply the computers, you bring your own (per -harlequin- above) and just use their internet connection. This also has hazards, including visual spying and network sniffing, but the set of possible attacks is so reduced that with care you have a good chance of avoiding all of them. I'd like to point out too, this whole scenario of using someone else's computer is a variation of, and in essence identical to, the case of so-called "Trusted Computing". Once you allow some other party to have ultimate control over hardware or software at lower levels of the system, you cannot have any strong assurance that the system is not betraying you.

By: blmurch

blmurch — Sat, 25 Nov 2006 06:08:41 -0800

My husband and I have been traveling in South America for the past 4 months and have used many different internet cafes to access the internet. We did bring our laptops, but not all internet cafes will let you plug into their ethernet, as that messes with their accounting software. Wifi is not as ubiquitous around here as it is in the states, so if you are telling me not to use an internet cafe, then you're just saying, don't use the internet. Well, that's not an option. Also, computers down here are *really freaking* expensive, and so for people who are not rich (most people down here), their only access to computers and the internet is using the internet cafes. I think that most cafes wipe and reinstall all their computers each night, but I wouldn't count on it. But, back to the point, this isn't just a theoretical problem for a lot of people.

By: etoile

etoile — Sat, 25 Nov 2006 20:50:38 -0800

The SecurID keyfobs have been around for a long time; I had one about six years ago. They're neat, but you have to have the appropriate authentication manager - they're not yet available for logging into your webmail, etc.

By: CrayDrygu

CrayDrygu — Sun, 26 Nov 2006 21:26:07 -0800

Since it's been missed... S/KEY is a one-time password system that doesn't require an expensive keyfob, can be freely implemented on all Linux/Unix/BSD systems (and anything else supporting SASL), and was designed specifically for use on untrusted systems/networks. Even if your password is captured, it doesn't matter, because your password will be different the next time you log in, and it's impossible to derive your next password even from a full history of your past ones. The problem? It needs to be implemented server-side, and it rarely (if ever) is.