5

On-screen keyboard you have to work with a mouse? Copy and paste? Type a string of random characters and then delete the extraneous ones? Something else?

Anders
Jeff Caros
  • Food for thought: if you type a string of random characters and just delete the ones that aren't valid, a keylogger would probably also be monitoring backspace and arrow keys. – AJAr Jun 23 '16 at 00:41
  • 7
    What are you trying to defend against with these approaches? If it’s hardware access, you’re already effectively toast, so there’s really no point. – Ry- Jun 23 '16 at 00:54
  • @AJAr What if you use your mouse to click around randomly within the string, so you're always deleting another random, but extraneous, character? – Jeff Caros Jun 23 '16 at 06:04
  • 3
    Define "safest" - against what threat? – Matthew Jun 23 '16 at 07:53
  • 1
    As stated in previous comments, you should make it more clear what threat you are up against. On-screen keyboards will defeat hardware key-loggers, as will copy-paste (which may also work against shoulder surfing if the copy source is never printed, like password managers for instance), randomly typing and deleting may annoy the most basic key-loggers, and something else may work against some other threats. Understand that there is no panacea in the security world; you must first determine what the most probable threats are and then determine the most appropriate mitigation measures against them. – WhiteWinterWolf Jun 23 '16 at 08:24
  • This is why KeePass 2 mixes copy-and-paste and typing in its auto-type of passwords, but no method is 100% – ewanm89 Jun 23 '16 at 10:30

5 Answers

4

On-screen keyboards are not a solution as any key logger may even capture screenshots, which defeats even randomized on-screen keyboards. (source)

The bottom line is simply this: you should never assume there's a way to bypass keystroke loggers. They could easily be more sophisticated than your attempts to work around them.

By far the only sure way to deal with keystroke loggers is simply not allow your machine to be compromised in the first place. (source)

Probably one of the best ways to protect yourself is to be sure that whatever you are running is free from loggers. For example, you could use a live DVD (easy and cheap).

There is an upcoming "kickstarter" product that seems to simplify that process by embedding a micro board inside a keyboard, which can be booted instead of the current OS or in a container inside the current OS:

SilentKeys is a Plug'n'Play USB keyboard that protects you both off-line and on-line. Keep control over your privacy and safeguard your computer from viruses, snooping and hackers. Protect your keystrokes from key-loggers. Go anonymous at the push of a button. Encrypt your data and safeguard access to Paypal, Facebook, bank as well as all your on-line accounts and credentials.

https://www.kickstarter.com/projects/preevio/silentkeys-a-keyboard-that-protects-your-privacy-a

I'm still not familiar enough with that project so I cannot recommend it nor explain more details about it. I just thought it's interesting (I'm not in any way related to that project).

NOTE: My answer is based on the idea that you are looking for a solution in which you can't trust the computer which you are using (like in a public place). If you are talking about your own personal computer, then I would strongly suggest you use Linux and install tripwire. That piece of software will notify you if any of your OS files are modified in any way. It may not be 100% effective against in-memory key-loggers but it gives you a greater knowledge of what is being modified in your system without your consent.

Update (2019)

Some years have passed and re-reading my answer, I feel that I'm missing some important points:

There are software and hardware keyloggers. Software keyloggers can be deployed remotely to any device (not just public computers), so your best protection (which is not 100% safe) is to keep your devices updated, validate download checksums, do not install anything that you don't know, avoid using devices or connecting to networks that you don't own or don't trust, etc.

If your device has an infected BIOS, and if we assume that the malware is able to "see" everything you input, none of the methods suggested in this answer would keep you safe.

Now, about hardware keyloggers, those are more difficult to deploy. Even the "DVD" method won't protect you if the keyboard has been tampered with. If we go deeper into hardware, we can talk about the possibility of malicious chips which could potentially steal information.

Bottom line: hackers get more creative with the years, so the best thing is to always assume you may be hacked and your passwords stolen. Have a backup plan and don't keep everything in the cloud.

lepe
  • If it is just a live boot, why the keyboard? If it's more, what more? I couldn't figure it out from the info they gave – Neil Smithline Jun 23 '16 at 04:54
  • Yes, I didn't see much information about how exactly it works. I would have to swim deeply in their comments. – lepe Jun 23 '16 at 04:56
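As an added illustration of what the tripwire-style check recommended in this answer actually does (this is example code written for this page, not lepe's code and not Tripwire's), the script below hashes every file under a directory into a baseline, then re-hashes later and reports what was modified, added or removed. The directory layout and file contents are constructed for the demo; the caveat from the answer still applies, since a logger that lives only in memory never touches a file on disk.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its digest.
    In real use this table must be kept on media the host cannot write,
    otherwise malware can simply re-baseline after tampering."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Files whose contents changed, that appeared, or that disappeared."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def run_demo():
    """Constructed scenario: baseline a tree, alter it, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /real/login\n")
        (root / "keymap.conf").write_text("layout=us\n")
        (root / "old.cache").write_text("stale\n")
        baseline = build_baseline(root)
        # Simulated changes a watcher should flag: one edited, one new, one gone
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /other/login\n")
        (root / "hook.so").write_bytes(b"\x7fELF")
        (root / "old.cache").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(run_demo())
```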
2

If a keylogger is installed, you're lost. If this is the case, you can be pretty certain that some other software tool is installed that can monitor your computer.

You can secure some logins however, using a Yubikey or similar devices. They can generate unique one time passwords. This can only work if the website or program works with Yubikey.

The Yubikey can store two passwords or password methods. You can choose what you need. For the second password you could store a static string, long and difficult to type and guess. You could use this to add to any password you want, like this:

}v@+z5JLWf0'=y,6z?"~4FQ-Z]q7@Op<=yDr_^Xn

Then for each website login, you can use a unique short password, easy for you to remember, then this long string. The Yubikey acts like a keyboard, enters the string. But does this protect against keyloggers? I don't think so.

Besides that, this will not always work well, as some sites disallow certain characters, or only allow 10 or 20 characters etc. Better use Lastpass for this, which does the same, but then with a unique password suited for that website. You can protect your Lastpass account with Yubikey! Both are tools useful for different purposes.

SPRBRN
2

My knowledge is out of date, but several years ago I worked at a U.S. agency that wanted to understand how to maximize security for end users using PCs that were not under the agency's control, e.g. for some end user who logs in from their home, from their employer, or from the public library.

Most popular at that time was Zeus, and although Zeus had a keylogger, in practice keylogging is extraordinarily tedious because the vast majority of keystrokes are uninteresting — an attacker wants to steal credit cards/passwords/SSNs, not read your IMs. Multiply this process over tens of thousands of infected nodes, and you can see why attackers might not be keen to deploy keyloggers.

Zeus was able to infect the IE process memory and could hook into form submission so that it could read values right out of an HTML form, even if the site was using TLS. In fact, it could be configured to capture only forms sent over TLS, resulting in a much higher concentration of valuable data when compared to keylogging everything the user typed.

The upshot? The agency I worked at had several different virtual keyboards and virtual pin pads deployed across its different properties, and every single one of them was easily defeated by Zeus's form logger. As I said above, my knowledge is dated; I can only assume that crimekits are even more effective now.

Mark E. Haase
0

If you think that the probability that a computer has a keylogger is so high that you feel the need to play games to fool it, you should not be entering any passwords on that computer. This is a game you will most likely lose, so you'd better not play it.

With that said, if I was in some kind of emergency and just had no option but checking my mail on a public computer, I would do something along the lines of your last suggestion, mixing input with keyboard and mouse. Also, I would use two factor authentication if that is an option.

Then, as soon as I got to a safe computer I would change my password just in case. Because if the computer was infected my password would most likely be stolen now anyway.

If I developed malware, I would not bother logging keystrokes. Instead I would hook into the browsers and just read the content of all forms before they are submitted. That way I would conveniently get username, password and site all at once. No fancy typing is going to help against that...

techraf
0

Working with a mouse and an on-screen keyboard? There are keyloggers that can capture the coordinates of mouse clicks. Also, there are keyloggers that just capture screenshots. So that method ain't really bulletproof. It's called screen-capturing.

Copy and paste? Nope. Some (imho, sophisticated) malware can even extract what you've copied from memory. Besides that, even some simple keyloggers also have the ability to do form-logging; that way everything that gets typed or pasted in an input box is captured. No matter how it got there (by on-screen keyboard, just typing, or pasting), it's captured.

Type a random string and delete characters? Keyloggers also capture backspace, arrow keys, ... And again, note form-logging.

What should I do then? Well, first of all, make sure you don't get infected. Anyway, there are special security browsers which use a kind of sandbox system. SafeZone of Avast is such an example. It's a special kind of browser that protects your keystrokes by sending them directly to that browser. And because it is a sandbox, other malware like e.g. form-loggers will have a hard time extracting info from it. SafeZone even has a protection against screen-capturing. But note, even SafeZone can't always protect against hardware key-loggers.

If you're in a kind of public place, you can use a USB stick with a Linux LiveOS on it, a LiveOS made for security. Tails or QubesOS are suited for this. QubesOS also works with a sophisticated sandbox/VM mechanism. However, this also won't protect against hardware keylogging.

So, security/sandbox browsers like SafeZone seem to get the closest to what you want: a relatively safe way to type passwords/info in browsers.

O'Niel