1

As a remote worker, I often use my laptop in cafes or on public transit. Unfortunately, this means that someone could subtly record my keyboard with a camera while I type a password. I have to assume that this has happened many times already by accident -- many places have security cameras that record continuously.

What are some practical techniques that I can use to protect my password while I'm in a public place? I'm also open to other forms of authentication. I'm hoping proposals will have these properties:

  • I won't look too ridiculous, i.e. I'm not going to cover myself with a blanket, Snowden-style.
  • Any adversary capable of visually observing (or hearing) me while I'm entering a password should gain no (or a quantifiable small amount of) information that would help them guess my password.
  • If an adversary steals everything that I carry with me, they should still be unable to impersonate me during authentication. For this reason, I don't consider USB security keys (e.g. YubiKeys) or 2FA with Google Authenticator on my phone to be a full solution to this problem.

Edit: I've reviewed the existing questions here and here, but both of them are limited to the problem of visual observation. Neither of them ask about theft or information leaks via sound.

Tim McLean
  • This question seems to focus on attackers observing Tim's keystrokes, while the shoulder surfing question focuses more on someone observing passwords or other secrets on their screen. – PwdRsch Nov 29 '16 at 06:11
  • 2FA - that way it doesn't matter so much if someone knows your password – schroeder Nov 29 '16 at 07:27
  • I don't believe this is a duplicate. See my edit; I tried to make the differences more clear. – Tim McLean Nov 30 '16 at 06:45
  • @schroeder Thanks, but I don't believe 2FA is a solution in my threat model due to theft (see edit) – Tim McLean Nov 30 '16 at 06:46
  • 2
    @TimMcLean The password model has known weaknesses. That's why we use different factors: something you know, something you have, something you are. If someone has all the factors, then of course they are going to log in. That's why when one of the factors is something you have, you can secure that with another factor, like the fingerprint scanner on your phone (making it 2.5 factor auth). If your question really is: what if someone can align all the weaknesses in the password model? Then the answer is to not use passwords, but then you are in uncharted territory. – schroeder Nov 30 '16 at 07:30
  • @schroeder Interesting to know that I'm in uncharted territory. I'm disappointed that there aren't any good solutions in this direction! – Tim McLean Nov 30 '16 at 23:47

3 Answers

1

lastpass + fingerprint identification.

Edit I was being snarky. But technically everything is going to violate your rules. There will ALWAYS be another avenue of attack. In this case, they could steal your hand, or lift your fingerprints as well as steal your laptop.

Edit Edit Even going underneath a blanket is absurd. Acoustically they can determine your password by the sound of your keystrokes.

  • Detached fingers should not work as keys, as most readers use thermal imaging. You would need physical possession of the laptop to use sound to decode keys, and even then, it's not exactly a slam-dunk if the original recording was made on transit... – dandavis Nov 30 '16 at 21:46
  • @dandavis The problem there is they could just kidnap `Tim Mclean`. In response to the detached fingers, do you think simulating blood flow is too difficult? – christopher clark Nov 30 '16 at 21:54
  • I do not consider kidnapping or coercion under my threat model. – Tim McLean Nov 30 '16 at 23:40
  • Fingerprint identification does prevent the problems with observation, so that's a good start! Unfortunately, I leave my fingerprints everywhere I go... I suppose I could make a habit of wearing gloves. – Tim McLean Nov 30 '16 at 23:42
0

I suggest using a password manager, such as lastpass

They even offer a browser extension so that you can have quick access to your passwords, without them ever being revealed onscreen.

If you're worried that someone might see you logging into lastpass itself, just use their two-factor authentication.

  • I don't think this solution is sufficient because I also want to protect against theft. Edited question to make this more clear. – Tim McLean Nov 30 '16 at 06:48
  • A password manager is probably part of the solution, but it just moves the password entry problem to somewhere else, as you noted. I don't consider 2FA to be a solution here due to my requirement to protect against theft. – Tim McLean Nov 30 '16 at 06:51
0
Option A

  • step 0: use a custom CSS or something to black out the password input field
  • step 1: use a password manager for part of the password
  • step 2: use a virtual keyboard for another part of the password
  • step 3: type the 3rd part using the keyboard (but use key remapping software to scramble your keyboard entries, e.g. you type "abc" on the keyboard but something else actually gets entered because of the remapping)
  • step 4: use 2FA, not with your phone but with someone you trust: ask them to tell you the number, only through a video call

Option B

  • Go to the bathroom and go under a blanket, play pre-recorded audio of you typing and clicking random stuff on the keyboard, and also play a small game while entering the password.
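Added example (not code from the question or any of the answers): it models Option A, step 3 (the key remap) as a secret substitution table and works out, in bits, how much of the typed segment a camera pointed at the keyboard still has to guess, and how repeated keys shrink that number. The uniformly random permutation of 26 lowercase letters, the observer's capabilities and the sample key sequences are all assumptions.

```python
"""Added example, not from the original answer: models Option A, step 3
(a key remap) as a secret substitution table and quantifies, in bits,
what a camera pointed at the keyboard still does not know.
Assumptions: the remap is a uniformly random permutation of the 26
lowercase letters, and the observer sees exactly which physical keys are
pressed and in what order."""
import math
import random
import string

ALPHABET = string.ascii_lowercase


def make_remap(seed: int) -> dict:
    """Secret table: physical key -> character the application receives."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def apply_remap(remap: dict, pressed_keys: str) -> str:
    """Text that actually gets entered when these physical keys are pressed."""
    return "".join(remap.get(k, k) for k in pressed_keys)


def candidate_count(observed_keys: str, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of entered strings consistent with the observed key sequence.
    Only the images of the k distinct keys are unknown, and they must be
    distinct letters: n * (n-1) * ... * (n-k+1) possibilities."""
    k = len(set(observed_keys))
    if k > alphabet_size:
        raise ValueError("more distinct keys than alphabet symbols")
    return math.perm(alphabet_size, k)


def residual_entropy_bits(observed_keys: str, table_known: bool = False) -> float:
    """Bits the observer still has to guess. Once the laptop (and with it
    the remap table) is stolen, the observation pins the segment down."""
    if table_known:
        return 0.0
    return math.log2(candidate_count(observed_keys))


def plain_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random segment of this length with no remap."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = make_remap(seed=7)                   # constructed secret table
    for keys in ("abcdef", "aabbcc", "aaaaaa"):  # constructed key sequences
        print(keys, "->", apply_remap(table, keys),
              f"observer lacks {residual_entropy_bits(keys):.1f} of "
              f"{plain_entropy_bits(len(keys)):.1f} bits")
```

The numbers show where the scheme's strength really sits: the remap moves the secrecy of the typed segment into the secrecy of the table on the laptop, so it buys nothing against the theft scenario in the question.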