Workaround for password-stealing keyloggers?
September 13, 2010 7:31 AM

Regarding this, would spanning multitask windows and or cut-n-paste be an effective foil to keyloggers?

I occasionally use poorly-secured computers to log in and check email and my various balances, especially when on road trips. I read the linked question and the suggestion to watch out for keyloggers, and the first solution to come to mind was to type in a letter of the password, change tabs, type in a url of something else, go back to the password for a few more letters, another URL in another tab, etc. Would this actually foil keyloggers? What about cut and pasting letters from various web pages to make the password? Or is this paranoia anyway?
posted by notsnot to Computers & Internet (8 answers total)
This probably wouldn't help at all, since a keylogger can focus on a specific field of specific web pages (e.g., the password field of HotMail or Gmail). I'd generally recommend not ever logging in to web sites or accounts with sensitive data on public computers.

Also, mildly relevant, XKCD has a comic out on password reuse.
posted by jasonhong at 7:52 AM on September 13, 2010

That may hinder really stupid keyloggers, but, if you can't trust the computer you're working with, how would you know if it's only a really stupid keylogger rather than something that'll just read the password off the browser field when you send it, or off the network stack, etc.?
posted by chengjih at 7:54 AM on September 13, 2010

See, this is why I asked the question. I guess I had assumed that low-level keyloggers, ones that literally read the strokes off the keyboard, were the only ones that could survive in the wild without notice. Thanks!
posted by notsnot at 7:58 AM on September 13, 2010

Try this article and the linked Microsoft research paper.

If you're really concerned, though, you might want to look into USB password storage.
posted by d. z. wang at 8:05 AM on September 13, 2010

I seem to recall that when keyloggers first became a threat banks reacted by having an on-screen keypad where you'd have to click on the numbers to enter a PIN or something. The keyloggers reacted by simply taking a screenshot of the region of the screen that the mouse was over whenever it was left-clicked, which pretty much torpedoed that plan as well as yours.

As to surviving in the wild, the term there is rootkit: if you put your hooks deep enough into the kernel then you can have your software conceal its very existence from other programs that are looking for it. For example, you intercept the system call for getting a list of running processes and remove your keylogger from the returned list. When a machine is afflicted in this way it's kind of like being in the Matrix -- there is no way to be sure that what any code thinks is happening is really happening, because the kernel is the ultimate arbiter of resources. That is why it's often said that a fresh reinstall from cdrom is the only real way to be sure that everything is gone if you suspect a rootkit, although there are some programs like RootkitRevealer that claim the ability to detect certain instances of known rootkits. But at best that's a cat/mouse situation because rootkit authors could always just change their code to not be susceptible to such tactics.
posted by Rhomboid at 8:21 AM on September 13, 2010
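The RootkitRevealer-style detection Rhomboid mentions works by cross-view comparison: take the process list the way ordinary tools get it, take it a second way the hook may not cover, and flag anything present in one view but not the other. The script below is an added illustration, not code from this thread or from RootkitRevealer; it assumes a Linux host with /proc, and the function names (list_proc_ids, probe_ids, find_hidden, scan) are mine.

```python
import os

def list_proc_ids():
    """IDs visible through /proc: every process plus each of its threads
    (/proc/<pid>/task). Threads are included because a bare kill() probe
    also answers for thread IDs, which would otherwise look 'hidden'."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        ids.add(pid)
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between the two reads; harmless here
    return ids

def read_pid_max():
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())

def probe_ids(max_id):
    """Second view: ask the kernel about every ID directly. os.kill(id, 0)
    sends no signal; it only reports whether the ID exists (EPERM means it
    exists but belongs to another user, so it still counts as alive)."""
    alive = set()
    for pid in range(1, max_id + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive

def find_hidden(listed, alive):
    """Cross-view diff: IDs that answer a direct probe but are missing
    from the listing. An unexplained entry here is the rootkit signature."""
    return sorted(set(alive) - set(listed))

def scan(rounds=3):
    """Repeat the diff and keep only IDs flagged in every round, so processes
    that merely started or exited mid-scan drop out of the result."""
    flagged = None
    for _ in range(rounds):
        hidden = set(find_hidden(list_proc_ids(), probe_ids(read_pid_max())))
        flagged = hidden if flagged is None else flagged & hidden
    return sorted(flagged)

if __name__ == "__main__":
    print("IDs alive but absent from /proc:", scan())
```

A clean machine prints an empty list; as Rhomboid notes, a rootkit that also hooks the probe path would pass this check too, which is exactly the cat-and-mouse problem.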

banks reacted by having an on-screen keypad where you'd have to click on the numbers to enter a PIN or something

ING still does this. And HSBC makes you type in your password on an onscreen keyboard. So I guess they still feel it has some worth.
posted by smackfu at 9:57 AM on September 13, 2010

You could try typing your password backwards. For example, instead of typing p-a-s-s-w-o-r-d, type d - left arrow - r - left arrow - o - left arrow - w - etc.

However, as the others alluded to, if you can't trust the computer, you will never be completely secure. There are many, many other ways your password might be collected other than key loggers.

I'd suggest trying to avoid untrustworthy computers (ex: check email on your phone). However, if that's not an option, I'd suggest creating dummy accounts to log in with. Since you said you check email occasionally, it would be worth it to create a different email account and forward all your email to that account. Use a completely different password for that account. When you know you won't be using it often, turn off message forwarding. You can also change the password every couple of weeks or months in case it has been compromised, or create a completely new account every year to forward your messages to.

For accounts you can't forward to (ex: banks), make a note of when you logged into an untrustworthy computer and change your password as soon as you return to a trusted computer. Password loggers are almost always going to be automated, so even adding a '2' or other small change to your password should prevent access.

Most importantly, as noted in XKCD, never use the same password for a site. Always make them unique.
posted by Kippersoft at 11:13 AM on September 13, 2010

I forgot to mention: if your bank offers it, see if you can get a two-factor authentication setup, where you'd have some sort of physical token that's required to authenticate you (most obviously, it's a fob that shows a continually changing number that you also have to enter; less obviously, it's your cell phone, and the bank can text you a number to enter when you're logging in). Two-factor authentication will defeat keyloggers and such.

It should be noted that two-factor authentication, while it will protect you against passive attacks that try to sniff the password for later use, won't protect you against an active attack, that secretly hijacks your sessions, and, say, transfers your savings account while you think you've logged in to check your balance. Here's Bruce Schneier talking about this sort of scenario.

As others have noted, see if you can do your work on devices you believe to be secure (like your phone for checking email, or your bank's iPhone app, or phoning your bank and actually talking to customer service), rather than anything you suspect may be compromised.
posted by chengjih at 11:59 AM on September 13, 2010
