2

Suppose a scenario in which you have to log in to a public/friend's PC which has a keylogger installed. You need to log in from that PC. Will it be possible to avoid compromising your passwords if you know in advance that the machine is infected?

Taking into account that different keyloggers have different functionalities, I still think it must be possible to reduce the probability of the password being compromised, or at least make it more difficult to decode the password. Some naive thoughts that come to my mind for achieving this are:

  1. Inputting a wrong password and then using the backspace key in combination with mouse clicks to make it correct.
  2. Inputting half of the password using step 1 and half of the password using a virtual keyboard.
  3. Keeping a pendrive, and using it to execute a script to enter the password, thus implementing KeePass-like functionality.

I think that using these points might be helpful to some extent.

What do you think we can do to reduce the chances of getting compromised?

kashish
  • Boot off of an OS on that pendrive and bypass the keylogger entirely – schroeder Oct 27 '17 at 13:34
  • I think many of your assumptions can be answered in this question: https://security.stackexchange.com/questions/172135/are-virtual-keyboards-not-necessary-anymore-to-protect-against-keyloggers – schroeder Oct 27 '17 at 13:35
  • @schroeder really cool :-) , the BIOS might be admin protected though.. – kashish Oct 27 '17 at 13:36
  • Public PC where people can log in? Not likely. At friend's house? Ask them to enter the BIOS password – schroeder Oct 27 '17 at 13:38
  • Yes, different keyloggers come with different functionalities (like tracking virtual keyboard) but using a combination of these might reduce the risk, I think – kashish Oct 27 '17 at 13:40
  • Sure. Maybe. But you are making guesses against the functionalities of an unknown factor. That makes this question difficult to answer in a Q&A format like StackExchange – schroeder Oct 27 '17 at 13:44
  • @schroeder - doesn't work if the keylogger is hardware based. – Hector Oct 27 '17 at 13:53
  • @Hector I'm perfectly aware, but the term used was "installed" not "attached" – schroeder Oct 27 '17 at 14:47
  • How does install not apply to hardware? The word has existed long before software was a thing! – Hector Oct 27 '17 at 14:58
  • Possible duplicate of [What's the safest way to enter information on a website?](https://security.stackexchange.com/questions/127889/whats-the-safest-way-to-enter-information-on-a-website) – Anders Oct 29 '17 at 07:10

5 Answers

6
  1. Go on your phone and change your password to a random one
  2. Login on the compromised PC using the random password
  3. On your phone change the random password back to your normal one
paj28
  • 1
    I *could* play some semantics and say that you are not *preventing* the password from being compromised, but rather you are *mitigating* the compromise. But this is simple, easy, and effective. – schroeder Oct 27 '17 at 14:50
  • 1
    @schroeder - I think some major online services offered a "one-time token" for this purpose, but I couldn't find that when I looked just now – paj28 Oct 27 '17 at 15:01
3

Most OSes provide some facility to provide user input to an application. This functionality is part of what will get hooked in any decent keylogger and so any means of creating input to the program will likely end up being picked up. This is true whether you use scripts, on-screen keyboards or the physical keyboard itself.

Now, a little good news: some OSes, including Windows when UAC is on, will not share keypresses with non-admin processes. However, if the key logger is running as an admin program, all bets are off.

Short of direct memory injection, you aren't going to be able to get information into a program without going through the input channels provided by the OS and that's exactly what keyloggers are designed to monitor and pull data from.

Unfortunately, there are actually some pretty good usability reasons to maintain this kind of functionality (such as enabling background processes to respond to shortcut combinations) so it isn't likely to go away any time in the near future. This is part of what makes protecting against key loggers so difficult.

That said, as long as it isn't also logging mouse clicks and positions then you can do some things to confuse it. Making a series of mouse selections to remove content from the string and filling it in will help obscure it a bit, but I still wouldn't advise using it as a protection as it greatly limits the number of possible passwords so brute forcing becomes much more likely.

The best bet is really to change your password to something you can discard and log in with that, if you don't want to burn your current password. If you aren't domain connected, you can also back up the user profile files, reset them to something else (this will lock all encrypted files, but that's why you have a backup of your user profile), and then log in with the reset password on the new profile. If you have an account recovery disk, using that may also be an option as I believe that does a direct input that would bypass the keypress system. (This is, of course, assuming you are on Windows.)

AJ Henderson
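A way to put numbers on the point above that mouse-selection tricks leave a small search space, as an added example that is not part of the original answer. It assumes the logger records every typed character but no mouse activity, that the password characters were typed in left-to-right order among the decoys, and that the password length is known; the function names and the logged stream are constructed for illustration.

```python
import math
from collections import defaultdict

PRINTABLE = 94  # assumed password alphabet: printable ASCII without space


def distinct_subsequences(stream: str, length: int) -> int:
    """Count distinct strings of `length` chars that are subsequences of `stream`."""
    dp = [1] + [0] * length  # dp[j]: distinct subsequences of length j seen so far
    prev = defaultdict(lambda: [0] * (length + 1))
    for ch in stream:
        seen = prev[ch]  # what earlier copies of ch already contributed
        for j in range(length, 0, -1):  # descending, so dp[j-1] is still the old value
            added = dp[j - 1]           # append ch to every shorter subsequence
            dp[j] += added - seen[j]    # drop strings an earlier ch already produced
            seen[j] = added
    return dp[length]


def residual_bits(stream: str, length: int) -> float:
    """Bits of search space left once the typed stream has been recorded."""
    count = distinct_subsequences(stream, length)
    if count == 0:
        raise ValueError("stream is too short to contain a password of that length")
    return math.log2(count)


def blind_bits(length: int) -> float:
    """Bits of search space for the same length with no recorded stream."""
    return length * math.log2(PRINTABLE)


# Constructed sample: 20 recorded characters hiding an 8-character password.
LOGGED = "xk7Tq!r9mZe2#pLs4wBv"
PW_LEN = 8

if __name__ == "__main__":
    print(f"candidates after logging: {distinct_subsequences(LOGGED, PW_LEN)}")
    print(f"residual search space:    {residual_bits(LOGGED, PW_LEN):.1f} bits")
    print(f"without the log:          {blind_bits(PW_LEN):.1f} bits")
```

With twelve decoy characters around an eight-character password, the recorded stream cuts the search space from roughly 52 bits to under 17, which is why the answer recommends a throwaway password instead.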
2

Don't worry about keyloggers. Keyloggers are not the problem.

Logging in to your account on a compromised machine is dangerous beyond just losing your password. Local malware can (and frequently does) perform activity on your account that isn't visible to you as you look at the screen. The attacker doesn't need your password or your second factor token because you're already logged in. Whatever you were afraid of bad guys doing offline at some point in the future, they can do right there and then, no keystroke logging involved.

So no; worrying about keyloggers is solving the wrong problem. If you're concerned about your account safety on a given machine, then don't use it, plain and simple, no way around it.

tylerl
  • Wow.. This is a very new concept to me.. What can an attacker do other than stealing my password if I am logged in to a machine for some time? Insights/examples will be deeply appreciated! – kashish Oct 29 '17 at 08:29
  • @kashish - view your private messages, impersonate you, delete your data, steal your money. Depends on the service; there's a password on your account for a reason. – paj28 Oct 29 '17 at 14:20
  • https://en.wikipedia.org/wiki/Man-in-the-browser – tylerl Oct 29 '17 at 17:43
1

There are two main types of keylogger - physical and software based. In both cases I would argue without full knowledge of exactly how the logger works there is no way to know with certainty you are safe.

How do you know you can trust the rest of the software on the machine? How do you know it isn't also recording all other input? Or even just intercepting it between being entered and the hash being calculated? It could also be implemented in a hypervisor loaded by the BIOS under the operating system - in which case running your own OS would not work.

For hardware based there is a similar issue. The immediate answer is "use your own keyboard" - but what if the logger is between the USB ports and the motherboard? If it controlled all USB ports on the machine it could record mouse, keyboard and fully copy any removable media plugged in - which renders your script approach useless.

Hector
-2

Most key loggers are just that: they eavesdrop on the keyboard, so on a Windows box an easy workaround would be to activate the on-screen keyboard to input your password (use Win+U to open the accessibility settings).

Of course if you're not certain you don't have a nasty one that does a screen capture each time you click on your mouse you should go back to a fail-proof method like booting from a USB stick.

Samuel
  • Actually, the easy way for a key logger to work is to subscribe to keypress notifications in Windows. This is going to catch key presses from any source, including the on-screen keyboard. It would be pretty tricky to write something to hook the keyboard driver itself and very easy to get the event notifications, so most likely they do the latter. Note that UAC does help with this a bit as non-admin apps don't get keypress notifications when they aren't active, but if the keylogger can get installed as admin it won't matter. – AJ Henderson Oct 27 '17 at 14:16
  • Note that it is possible to work around this limitation if you are writing your own software by directly adding letters to a particular text box when clicking on buttons without going through the keypress notification system, but for working with a third party program, that's going to be the expected mechanism of input, so you'll have to go through it. – AJ Henderson Oct 27 '17 at 14:18
  • @samuel see the link in the comments to the question – schroeder Oct 27 '17 at 14:48
  • Good point all, a bit of a meta question here, but shouldn't I delete my post given your feedback? – Samuel Oct 27 '17 at 14:49
  • It's up to you. Technically, it's a properly-formed answer, so there is no reason for the system or the mods to delete it. But if you don't want your first answer to be one with negative votes .... – schroeder Oct 27 '17 at 15:16
  • @Samuel if you don't feel that the answer represents your view anymore, you are free to delete it. Since SE isn't about establishing correctness, but helpfulness, neither mods nor other users are going to delete your answer for being incorrect, only if it has severe content problems (like not actually trying to answer the question, or being impossible to read). You, however, are free to delete your answer if you no longer feel it adds value. You're also free to leave it if you'd like. – AJ Henderson Oct 27 '17 at 15:37