
The scenario:
We have a login system for a web application that requires a plaintext password and 3 images (from a collection of images that the users select during registration, the images are provided by the site).

A keylogger will catch only the keystrokes and not the selected user images, right?

Is this enough to defeat keyloggers?

Light Flow
    yes, requiring non-kb info would curtail attacks that only steal kb-based info. – dandavis Jul 22 '16 at 16:57
    @dandavis The problem is that keyloggers are not limited to keyboard-input anymore. They can also capture mouse-positions and screens. – O'Niel Jul 22 '16 at 18:21
  • Maybe I'm dumb, but I think key loggers just log keys, hence the name; you describe a broader set of malware than keyloggers alone, which can reside as a USB connector inline with the KB, and those, obviously, don't capture the screen. Keys are much smaller chunks to exfiltrate than screen grabs, especially constant screen grabs. I'm not saying your point is not well-intended / good / reasonable / actionable, just that (strictly speaking) it addresses non-OP concerns. If I ask "Can a pistol take down a building?" and you go on about a cannon, you're not "wrong" per se... – dandavis Jul 22 '16 at 18:29
    Why do you care so much? Are you a bank? In that case may I suggest not to use 8-digit pins as password? Keyloggers can only be stopped using something like [Qubes OS](https://www.qubes-os.org/) by the user: just disallow any kind of interprocess communication that is not explicitly authorized by the user, so keyloggers just don't have access to the input meant for other applications. Still it breaks if the keylogger managed to become root. – Bakuriu Jul 22 '16 at 18:56
    Why do you need such an ad hoc system? What problem are you trying to solve? – Neil Smithline Jul 22 '16 at 20:30
  • @dandavis In theory you're right, yeah. However, with theory alone the OP ain't helped because in practice there are a lot of keyloggers with the mouse- and screen-feature. We should not expect that the OP is dealing with only "weak" types of keyloggers. – O'Niel Jul 22 '16 at 20:54

3 Answers


Nope. Keyloggers can often also do screen capturing and mouse-coordinate logging, so the attacker can still see which image the user selects.

Another kind of two-factor authentication, for which the user needs two devices (e.g. laptop and phone), would be more secure. Another good alternative is a Yubikey, a kind of device which generates a pseudo-random password each time. That way the hacker/keylogger can't guess the next password.

O'Niel
  • Nice answer, are they screen-capturing all the time or only when a mouse click is performed? What if the user selects images only by hovering his mouse over them? Would it be the same? – Light Flow Jul 22 '16 at 15:24
  • @LightFlow It differs from malware to malware. Each malware developer makes his malware behave differently. Some indeed capture every X minutes, others capture the whole time. Making it hover would IMHO indeed beat 80% of the mouse capturing, because that is only done on mouse click. However, some keyloggers also screen-capture the whole time, so they'd see the hover. – O'Niel Jul 22 '16 at 15:32
    80% is a high percentage, maybe it is worth it then. – Light Flow Jul 22 '16 at 15:39
  • @LightFlow 80% of the mouse-click mechanism. Not 80% of all the keyloggers. – O'Niel Jul 22 '16 at 16:01
    This also ruins the ability to log from a cellphone – John Dvorak Jul 22 '16 at 19:56
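The claim in this answer and its comments (a mouse hook recovers the clicked cells, a screen grab recovers the image identities) modelled as an added example; this is not code from the original post, and the 4x4 grid, the `imgNN` catalog names, the per-session rotation (standing in for a real CSPRNG shuffle) and the three implant tiers are assumptions made for the demonstration:

```python
import hashlib
import hmac
import secrets

# Constructed catalog: 16 site-supplied images shown in a 4x4 grid of 100 px cells.
CATALOG = [f"img{i:02d}" for i in range(16)]
GRID, CELL = 4, 100


def cell_of(x, y):
    """Screen coordinates -> grid cell index (row-major)."""
    return (y // CELL) * GRID + (x // CELL)


def click_for(layout, image):
    """Where a user would click to pick `image` under this session's layout."""
    idx = layout.index(image)
    return ((idx % GRID) * CELL + 10, (idx // GRID) * CELL + 10)


def rotated_layout(nonce):
    """Per-session grid order. A real site would shuffle with a CSPRNG; a plain
    rotation (assumption for this example) keeps the outcome deterministic."""
    k = nonce % len(CATALOG)
    return CATALOG[k:] + CATALOG[:k]


class ImageLoginServer:
    def __init__(self):
        self.users = {}

    def register(self, username, password, chosen_images):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "images": frozenset(chosen_images),
        }

    def verify(self, username, password, layout, clicks):
        """`clicks` are the (x, y) positions the browser reports against `layout`."""
        rec = self.users[username]
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(pw, rec["pw"]):
            return False
        selected = frozenset(layout[cell_of(x, y)] for x, y in clicks)
        return selected == rec["images"]


class Implant:
    """Three malware tiers: keystrokes only, plus mouse positions, plus screen grabs."""

    def __init__(self, tier):
        assert tier in ("keys", "keys+mouse", "keys+mouse+screen")
        self.tier = tier
        self.keys, self.clicks, self.screen = "", [], None

    def observe(self, password, clicks, layout):
        self.keys = password                      # every tier sees the typed password
        if self.tier != "keys":
            self.clicks = list(clicks)            # mouse hook: raw click coordinates
        if self.tier == "keys+mouse+screen":
            self.screen = list(layout)            # screenshot: which image sat in each cell


def victim_logs_in(server, username, password, layout, implant):
    clicks = [click_for(layout, img) for img in sorted(server.users[username]["images"])]
    implant.observe(password, clicks, layout)
    return server.verify(username, password, layout, clicks)


def attacker_replays(server, username, implant, new_layout):
    """The attacker logs in later, when the site serves `new_layout`."""
    if implant.screen is not None:
        # Screenshot + click positions give the image identities, so the attacker
        # can locate them again wherever the new grid puts them.
        images = [implant.screen[cell_of(x, y)] for x, y in implant.clicks]
        clicks = [click_for(new_layout, img) for img in images]
    else:
        clicks = implant.clicks                   # coordinates only: replayed blindly
    return server.verify(username, implant.keys, new_layout, clicks)


if __name__ == "__main__":
    srv = ImageLoginServer()
    srv.register("alice", "correct horse", ["img03", "img07", "img12"])
    for tier in ("keys", "keys+mouse", "keys+mouse+screen"):
        bug = Implant(tier)
        victim_logs_in(srv, "alice", "correct horse", rotated_layout(0), bug)
        print(tier, "same layout:", attacker_replays(srv, "alice", bug, rotated_layout(0)),
              "reshuffled:", attacker_replays(srv, "alice", bug, rotated_layout(5)))
```

Running it shows the three outcomes the thread argues about: a pure keystroke logger is defeated, a mouse-position logger succeeds against a fixed grid but fails once the grid is reordered per session, and a logger that also captures the screen succeeds regardless of layout because it learns which images the user picked, not merely where they clicked.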

Once the system is infected with malware it is compromised. Anything that is done on that system can be observed so there is no way to allow someone to log in securely from that system just using that system. Period. End of Story.

You might come up with some oddball scheme for something the user has to do as part of the login process that the malware doesn't happen to record but no matter how complex you make things or what you do to try to protect the process on the system it is ultimately all security by obscurity. You are hoping the malware hasn't figured out what you are doing and found a way to gather the information they need to bypass it.

The only way to remain secure is to involve something else they haven't compromised, AKA two factor authentication (TFA). A code from a key fob. A code sent via text message/automated phone call.

    SMS/phone should now be considered insecure. Hackers have generally figured out how to social engineer duplicate SIM cards from carriers. Hardware tokens are relatively safer, as the attacker needs to physically gain access to your hardware instead of walking in to a random store. – phyrfox Jul 22 '16 at 21:49
  • SMS/phone certainly can be compromised but it does still qualify as a secondary authentication and outside of a targeted attack by a high level attacker it should still be relatively secure and more importantly generally accessible for your users. It isn't going to replace the two different RSA SecurID fobs I've got from work but it is generally good enough for a random website or even Google and is far better than nothing at all. – Evan Steinbrenner Jul 22 '16 at 21:54
  • I'd like to support @phyrfox view on SMS. Most of the recent celebrity incidents where their social media accounts have been compromised was through the avenue of social engineering carriers. – Iraklis Jul 23 '16 at 11:33
  • ... and a celebrity getting their social media account hacked certainly is a targeted attack. I acknowledge that it is vulnerable to things like that but for your average Joe it is far better than no secondary factor and is a pretty accessible option. If you are a celebrity you need to be more vigilant about your security and that is part of what comes with that fame. You aren't going to get everyone to use that same level of security. – Evan Steinbrenner Jul 25 '16 at 17:22

Would a password combination of images be stronger for users login regarding keyloggers?

Yes, it would be stronger... a little bit. That is not saying much.

A keylogger will catch only the keystrokes and not the selected user images, right?

If you want to be technical, a keylogger logs keys. In the real world, many "keyloggers" also log things other than keys. See these answers:

Can I protect against keylogging by using the mouse?

How easily are keyloggers foiled?

Malicious software that only logs keyboard strokes rarely exists in the wild. Most key loggers for graphical interfaces (e.g. Windows) are more sophisticated and log all user interaction including mouse, copy and paste events by hooking into the operating system.

Key loggers are normally a small subset of a rootkit that may also include the ability to act as a man-in-the-middle (MITM) and capture your credentials or session information without logging any key strokes.

The best way to foil key loggers is not to have them.

Is this enough to defeat keyloggers?

Heck no.

That all being said, the sort of mitigation you're talking about may have some small ability to discourage those black hats that are harvesting passwords en masse, since it will be harder for them to publish and collect payment for their findings (it's pretty easy to supply your customer with a CSV file of user names and passwords, it's a bit more work to include images and mouse clicks for each and every victim). This is not much of a reason to go to the trouble, to be honest. If you are being targeted individually, then the scheme you're talking about would offer almost no protection.

Images still have a role in authentication (you can use them to help your users identify phishing attacks by providing personalized images), but in terms of defeating keyloggers you really need to go with OTP, i.e. with a key fob or out of band. Even OTP isn't going to protect against real-time attacks, but it is a pretty good way to protect against password harvesting.

John Wu