That said, to evade run-of-the-mill maliciousness, this "bathroom door lock" solution is still reasonably effective. If 100 people use a (compromised) public computer in a week, your data will be by far the biggest headache to extract, and trolling for passwords is a "low fruit" sort of enterprise.
But in any situation where you feel you may be personally singled out (e.g. someone's after you, or you're the sole American customer in a 3rd world cybercafe run by dodgy characters), this may not be your best move.
Prudent people hesitate to enter sensitive data on shared computers (e.g. in Internet cafes). Such computers may have been maliciously set up with keystroke capturing programs that track each letter typed on the keyboard. The problem is, how do you log onto critical online banking, or personal email, when the only option is an untrustworthy public computer?
Here's a low-tech trick. Don't type passwords. Cut and paste them, character by character! Open a new browser window or tab, and go to any page dense with text (Google News works well). Then individually copy the characters of your password and paste them into the appropriate field. You can save some hassle at little additional security risk by directly typing a few characters.
Yes, it would be theoretically possible for a hacker to create a program that captures the screen location of each click and the precise window location, plus a cached version of the fast-changing Google News page to know what was being clicked. But that would require vast technical acumen, massive storage and horrendous data-sifting headaches, entirely unsuited to a low-fruit ploy like stealing passwords from public computers.
This does the trick when you're on the road and need to grab your mail in some scummy Kinko's!
Great idea, Jim
How about this: create a public web page using a free service (or post a comment on a blog post you can easily access), and on that page put a paragraph that contains all your passwords, mixed into the text.
You go there, you copy and paste and you're done.
Needle/haystack
Seth, yeah, I thought of trying something like that. But on those rare occasions when I want to be truly secure about something, I try to err on the side of caution. It's conceivable that someone working real hard could figure that one out.
BTW, thanks for the link. I didn't know about it right away, because I don't often check traffic stats. On Chowhound I'd know we'd gotten press 'cuz of the increase in postings. But a blog looks the same regardless of inflow. This 21st century Internet thing's a whole other thing....
Couldn't they just add a "copy/paste" monitor to the keylogger?
Yep. That's doable today. When I wrote this back in 2008, that wasn't really being done.
Easy enough to work around, though. Just copy and paste a lot, but only make every few of them "real" and actually fill the field.