Workaround for password-stealing keyloggers?
September 13, 2010 7:31 AM   Subscribe

That may hinder really stupid keyloggers, but, if you can't trust the computer you're working with, how would you know if it's only a really stupid keylogger rather than something that'll just read the password off the browser field when you send it, or off the network stack, etc.?
posted by chengjih at 7:54 AM on September 13, 2010

Try this article and the linked Microsoft research paper.

If you're really concerned, though, you might want to look into USB password storage
posted by d. z. wang at 8:05 AM on September 13, 2010

I seem to recall that when keyloggers first became a threat banks reacted by having an on-screen keypad where you'd have to click on the numbers to enter a PIN or something. The keyloggers reacted by simply taking a screenshot of the region of the screen that the mouse was over whenever it was left-clicked, which pretty much torpedoed that plan as well as yours.

As to surviving in the wild, the term there is rootkit: if you put your hooks deep enough into the kernel then you can have your software conceal its very existence from other programs that are looking for it. For example, you intercept the system call for getting a list of running processes and remove your keylogger from the returned list. When a machine is afflicted in this way it's kind of like being in the Matrix -- there is no way to be sure that what any code thinks is happening is really happening, because the kernel is the ultimate arbiter of resources. That is why it's often said that a fresh reinstall from cdrom is the only real way to be sure that everything is gone if you suspect a rootkit, although there are some programs like RootkitRevealer that claim the ability to detect certain instances of known rootkits. But at best that's a cat/mouse situation because rootkit authors could always just change their code to not be susceptible to such tactics.
posted by Rhomboid at 8:21 AM on September 13, 2010

banks reacted by having an on-screen keypad where you'd have to click on the numbers to enter a PIN or something

Ing still does this. And HSBC makes you type in your password on an onscreen keyboard. So I guess they still feel it has some worth.
posted by smackfu at 9:57 AM on September 13, 2010

You could try typing your password backwards. For example, instead of typing p-a-s-s-w-o-r-d, type d - left arrow - r - left arrow - o - left arrow - w - etc.

However, as the others alluded to, if you can't trust the computer, you will never be completely secure. There's many, many other ways your password might be collected other than key loggers.

I'd suggest trying to avoid untrustworthy computers (ex: check email on your phone). However, if that's not an option, I'd suggest creating dummy accounts to log-in with. Since you said you check email occasionally, it would be worth it to create a different email account (notsnot-on-the-go@gmail.com) and forward all your email to that account. Use a completely different password for that account. When you know you won't be using it often, turn off message forwarding. You can also change the password every couple weeks or months in case it has been compromised, or create a completely new account every year to forward your messages to.

For accounts you can't forward to (ex: banks), make a note of when you logged into an untrustworthy computer and change your password as soon as you return to a trusted computer. Password loggers are almost always going to be automated, so even adding a '2' or other small change to your password should prevent access.

Most importantly, as noted in XKCD, never use the same password for a site. Always make them unique.
posted by Kippersoft at 11:13 AM on September 13, 2010

This thread is closed to new comments.