How can I avoid my password being harvested by key loggers from internet cafes?

Question

During traveling, especially in poor countries, sometimes you are going to need to use the internet at an internet cafe and you really can't be sure whether anyone has installed anything to listen to your keystrokes.

I've been told this method, although I'm not sure if this works, but if you're at an internet cafe, one way to fool any key loggers is to avoid typing your password in one go. Instead type part of your password, then insert some random letters, then use your mouse to highlight over the random letters, and then overwrite them. This supposedly fools the key loggers into thinking your password has those random letters in it.

So just wondering, does this actually work? Are there any other better methods I could use?

Answer 1

if you do not trust the medium: do not enter sensitive information. typing in your password in some obscure way is just that: security through obscurity, which never works.

other than that: you might be able to achieve some level of security in such open places if the password you entered changes for the next login, see one-time-passwords. (note: '2-factor-authentification is a hybrid scheme where you know already one half of the password (which keeps constant / static) and then you get the other half by sms or any other means; that 2nd half is a one-time-password)

Answer 2

If you can't be sure that your keystrokes aren't captured (and you can't), use any sort of two factor authentication.

Make sure your password isn't useful by itself!

The only way to be sure that your data is secure is to avoid entering "everything" into the suspicious machine.

---

Given that keyloggers are your only concern (i.e. no sophisticated tracking software):

For example, you could carry a USB drive with all your important passwords in a KeePass container, together with KeePass Portable. Once you've opened KeePass Portable, use a master password for the KeePass container. Yes, you will risk that it is captured, but to unlock the container, you can also configure KeePass to use a keyfile as well. Without this keyfile, the master password is useless. This keyfile could be stored on the same thumb drive or on another one that you carry separated from the original thumb drive.

Once you've opened your KeePass container, you can make use of KeePass features that allow you to enter passwords without typing:

• KeePass can minimize itself and type the information of the currently selected entry into dialogs, webforms, etc. Of course, the typing-sequence is 100% user-customizable, read the documentation file for more.
• KeePass features a global auto-type hot key. When KeePass is running in the background (with opened database) and you press the hot key, it looks up the correct entry and executes its auto-type sequence.

This however doesn't fool a keylogger that listens for the keyboard buffer. A keylogger built into the keyboard connection would be useless though.

A better alternative:

• All fields, title, username, password, URL and notes can be drag&dropped into other windows.

By doing this, you eliminate the need to type any password except for your master password, which you can always "throw away" and change if you need to.

Answer 3

I can see two ways:

1. Use some virtual keyboard solution. You can type your password with mouse-clicks, it will avoid keyboard logger (but may not avoid mouse-click based logger). However, it would be one level of security.

2. You would just type a wrong password into the password box, select it with the mouse (replacing the wrong keys with the true); type the first 3 characters of the true password, type 3 wrong keys, select the last 3 invalid characters and then type the 3 correct keys replacing the invalid keys.

Answer 4

There several threats you are dealing with; but fundamentally what you are asking -- using potentially malicious hardware -- is unsafe and should be avoided for sensitive purposes. (E.g., try not to check into your bank account on vacation). However, if you are willing to take that risk but want to minimize it, here are your threats:

1. Hardware keyloggers. A simple attachment at the back of the keyboard purchased for under $30 can store every keypress; so you'd see someone going to a site, typing a login, and then typing a password and could easily decipher it later. It wouldn't be difficult to modify an off-the-shelf keyboard to automatically do this internally; so don't believe you are safe because you don't see an attachment in the back.

2. Software keyloggers. The OS could be running a keylogger/mouse-logger/screen capture routine that could in principle replay every action you do.

3. A spoofed DNS/corrupted with fake certificates installed on the browser for a MITM, even to SSL sites.

4. A browser extension/hack that records all text typed into the html form field (including passwords).

5. Someone monitoring unencrypted network traffic, where your password/authentication cookies are sent in plaintext -- make sure you are using SSL (with proper certificates to prevent MITM).

Of these #5 is the simplest to prevent; use a ssh/vpn tunnel for unencrypted sites or use HTTPS (with SSL) to sites signed by a proper certificate.

Your best option again is to use your own hardware (bring a smartphone; cheap netbook/tablet with you) -- that eliminates threats #1-#4; and standard good practices prevents #5.

Your second best option would be to boot into a guest OS of your choice off of your own live cd, and then use a method like your own to obscure your password to a keylogger. That is maybe type half the characters (not necessarily in order; and cut and paste the other half from letters on the web page/URL -- preferably do this only using the mouse--e.g., in gnome if you select a character you can paste it with a middle mouse click). Using a live cd, prevents #2 & #3 & #4. You are still vulnerable to #1, but you can probably suitably obscure your password to an ordinary keylogger that while they may have recover a partial password, they wouldn't have the whole thing (I also wouldn't do the entire password from cut and paste in case they are recording/cloning the video being displayed on the monitor). I'd still recommend changing your password once you get back home.

If you resort to not being able to boot into a guest OS; I'd consider any data entered compromised. You could do something to make it a bit more difficult (e.g., download and run a new web browser; try obscuring your password by typing it out of order/cut and pasting parts; etc.), but in principle they could get the data if they wanted.

Answer 5

Possible, though maybe not very practical solution.

Take your own PC, boot up in Linux and use the cyber cafe's net connection

Not many would allow you to do this, but some do

Answer 6

You could boot to a Linux live usb. Unless the key-logger is hardware based this will be safe. The Air Force has a distro that is designed for this very purpose. It does not mount the local hard drives so nothing can be saved locally. The distro is called LPS (lighweight portable security). I use it daily. You can download it here

Answer 7

I would go with one time passwords. Some sites do provide on-screen virtual keyboards(which change the location every time you click), but if there are key loggers, there is a high chance that there could be spyware present.

So, I would not choose to use a thumb drive which stores the sensitive information like passwords and SSN.

Answer 8

In addition to what's already said, you might consider carrying around a small usb stick containing the bootable TAILS OS (short for The Amnesic Incognito Live System) which routes all your internet traffic through Tor by default, and doesn't store anything on the local hardware as everything done on it is erased after a reboot.

If you'd rather prefer the fact that you're using Tor stays unknown from the local network admin/ISP/government; you should configure Tor/Tails to use Bridge Mode

Note however Tor isn't a silver bullet solution for everything and you should read the appropriate documentation before trusting any software with sensitive information.

In addition, because of Tor's architecture username/password information can be observed by the third hop in its obfuscation network (in whats termed an exit node) so you should be using HTTPS to prevent this.[*] Try the EFF's HTTPS Everywhere extension to make it easier.

[*] For an example: wired dot com/politics/security/news/2007/09/embassy_hacks?currentPage=all

Answer 9

What I usually do is load ubuntu live onto USB flash, pick a computer in the corner where the caffe owner can't see, insert the USB flash and reboot into ubuntu. What I get is a safe environment.

Answer 10

There are some good suggestions here.

To them, I would add the suggestion that you change your password using a trusted internet connection at the next opportunity. Even if someone manages to get your password, it's possible that you could change it before it could be used. This is especially true if they're using a hardware keylogger that they have to come back and retrieve at a later date.

Once I was in an airport far from home, and I realized the wi-fi network I was connected to might not have been legitimate. I had logged into GMail while connected to the network, so just to be on the safe side, I called a family member on my cell phone, told them my GMail password and had them change it to something else. They wrote down the new password they chose (without telling it to me over the phone), and I got it from them when I got back home.

Answer 11

If you use openid and something like a yubikey that uses a onetime password even if they do take your password they can't reuse it

the problem is usb port access

the yubikey shows up as a usb keyboard so no admin level drivers are needed

Answer 12

I see a lot of Banks do this. Their password fields can only be populated by typing on an on screen keyboard which is randomly positioned on the page. So no keys are clicked instead only mouse clicks. Further, if the password is 8 characters long, they only ask you to type certain characters so you may see something like X00XXX0 where only the password characters represented by the 0's are required to be typed on the screen keyboard.

The combo of randomly positioned on screen keyboard and mouse-click and randomly selected characters to be typed rendered any mouse click positions which may have been logged useless.

Regards,

Answer 13

You could forward all your email to a temporary account, which you then delete upon your return. This will limit possible exposure to interception of the emails sent while you were away, and hijacking of the temporary account.

Because you can turn off forwarding from your real account, you can disable the temporary account as soon as you notice it's been compromised.

This isn't a perfect solution, but it gives you some protection even if your attacker manages to steal your password.

Answer 14

Bring your own device and use an encrypted connection.

Answer 15

Single-use passwords or 2 factor authorisation

All information that you send to the website (not only keystrokes) can be compromised if you don't control the hardware. Data from any devices that you attach (e.g. an USB key with KeePass file) can be retrieved.

The only proper way to protect against that is to ensure that everything you did on that computer was useful to log in once but is not sufficient to log in again, that the next time will need something different. This means some other authentication than a reusable password.

One way to do that is a list of single-use passwords, but that has limited support. However, most sensitive services, especially major email providers, allow for 2 factor authorisation - where in addition to the password you require a code generated by a device you control or, for example, a SMS to your phone number. This is a reasonable way to protect against keyloggers, as capturing all information from your current session won't allow the attacker to log in a second time unless they steal the required device or phone number.

Answer 16

I have a old method which is very simple,but effective. Get a pendrive and open a .txt file on your pendrive.This text file will contain your online account passwords.Always use a password generator tool to generate your password.After that just copy the password in the .txt file with copy+paste method.In the internet cafe,just plug in your pendrive and copy+paste the passwords you need.With this simple method your password remains safe from keyloggers.

Answer 17

You are conflating two unrelated issues. A keylogger is a program that has been installed on your computer to monitor the actual keystrokes as you make them. It has nothing to do with a cafe or other public network. If your machine has been hacked then you have bigger worries, but the method you mention might confuse a simple keylogger.

What you need to worry about on a public wifi network is other machines sniffing your network packets and seeing what you are sending. You can protect against that by only using secure web sites that are SSL enabled so the connection is encrypted.

Answer 18

If the cafe does Not use wireless encryption in the router, then you are not safe using any OS, boot stick or otherwise, choose a cafe that uses wireless encryption and a password to connect to their hotspot router.

Unencrypted wireless connections can be sniffed easily by anyone in or near the cafe, this will reveal anything you send over the connection including logins and passwords you enter into a browser.

Answer 19

Key Loggers are executed on your local machine and will work regardless of what internet connection your using,

The problem you have in an internet cafe is man in the middle attacks, where other network peers can intercept your network traffic.

Make sure you use HTTPS sites where you can, all traffic is encrypted before it leaves your machine, most logins on "decent" sites will use HTTPS and some sites will let you browse the whole site in HTTPS but always check that before your about to enter anything you wouldn't want another person to see that the page is indeed HTTPS, And if you ever go to a site that has a Self Signed SSL certificate then be very very wary of it as it could also be a Man in the middle attack I know firefox and IE report to you if the page has self signed certificate.

Answer 20

If you are signing in a social networking site like Facebook make sure that the address bar contains facebook.com and not facebook-home.com or similar, it is the case of phishing. If you are using mozilla firefox, go to tools then security options- from there you can check that your password is removed from the memory or not after you have closed your account.

Answer 21

What you have suggest is probably the best way to enter your password. The keylogger usually will be interpreted by a human and if your password does not makes sense intself (as another user pointed out) but your trick it too. That will make it quite hard to guess your password. I would do the same to my username as well.

Answer 22

All the keystorkes that logged by a keylogger are typed. If you use some software or your computer remember your passwords, they will not be captured.