Monday, November 24, 2008

How to Enter Sensitive Passwords on Public Computers

Update: this tip is no longer as secure as it once was. It's now quite easy to install, along with the sneaky software that captures and logs keystrokes, software that captures and logs the content of clipboards.

That said, to evade run-of-the-mill maliciousness, this "bathroom door lock" solution is still reasonably effective. If 100 people use a (compromised) public computer in a week, your data will be by far the biggest headache to extract, and trolling for passwords is a "low fruit" sort of enterprise.

But in any situation where you feel you may be personally singled out (e.g. someone's after you, or you're the sole American customer in a 3rd world cybercafe run by dodgy characters), this may not be your best move.

Prudent people hesitate to enter sensitive data on shared computers (e.g. in Internet cafes). Such computers may have been maliciously set up with keystroke capturing programs that track each letter typed on the keyboard. The problem is, how do you log onto critical online banking, or personal email, when the only option is an untrustworthy public computer?

Here's a low-tech trick. Don't type paswords. Cut and paste them, character-by-character! Open a new browser window or tab, and go to any page dense with text (Google News works well). Then individually copy the characters of your password and paste them in to the appropriate field. You can save some hassle at little additional security risk by directly typing a few characters. 

Yes, it would be theoretically possible for a hacker to create a program that captures the screen location of each click, precise window location, plus a cached version of the fast-changing Google News page to know what was being clicked, but that would require vast technical accumen, massive storage and horrendous data-sifting headaches entirely unsuited to a low-fruit ploy like stealing passwords from public computers.

This does the trick when you're on the road and need to grab your mail in some scummy Kinko's!


Anonymous said...

Great idea, Jim

How about this: create a public web page using a free service (or post a comment on a blog post you can easily access), and on that page put a paragraph that contains all your passwords, mixed into the text.

You go there, you copy and paste and you're done.


Jim Leff said...

Seth, yeah, I thought of trying something like that. But on those rare occasions when I want to be truly secure about something, I try to err on the side of caution. It's conceivable that someone working real hard could figure that one out.

BTW, thanks for the link. I didn't know about it right away, because I don't often check traffic stats. On Chowhound I'd know we'd gotten press 'cuz of the increase in postings. But a blog looks the same regardless of inflow. This 21st century Internet thing's a whole other thing....

Anonymous said...

Couldn't they just add a "copy/paste" monitor to the keylogger?

Jim Leff said...

Yep. That's doable today. When I wrote this back in 2008, that wasn't really being done.

Easy enough to workaround, though. Just copy and paste a lot, but only every few ones make "real" and actually fill the field.

Blog Archive