h a l f b a k e r ycarpe demi
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Keyloggers are hardware or software devices which are installed on computers to observe the user. They can steal important security information like passwords. They are a risk for users who need to use non-trusted computers regularly, for example in internet cafes.
I propose a simple, practical method
for improving the security of passwords against keyloggers without additional equipment. It will work for web-browser entry but not where the password must be entered linearly (such as a unix terminal login).
First, choose your base password. You can make this as secure as you like (i.e. upper- and lower-case letters, numbers and random symbols). However, it will need to be one or more characters shorter than the maximum permissable length.
Second, chose an additional symbol and add it to your base password at an offset from the start or end. Repeat this step as many times as desired (I suggest at least twice, using one offset from the start and one offset from the end.)
To enter your password, simply enter the base password, then click at the offsets and enter the additional symbols. This should defeat most current non-targetted keyloggers, but for maximum security one should perform an additional action in-between entering the base password and additional symbols - for example moving or re-sizing the browser window.
This method has the advantage of greatly increasing the security of naive passwords while still remaining mnemonic effectiveness. It's effectively simple enough to advise users to do just for password security reasons. However, it won't provide protection if the application itself (eg the browser) is compromised.
XKCD on Password Selection
http://www.xkcd.com/936/ [AusCan531, Sep 07 2011]
[link]
|
|
the same effect can be achieved by simply clicking away from the password entry field in mid password and hitting a few random keys before going back and finishing the password. |
|
|
Are keyloggers clever enough to deal with deletions? If one simply types a couple of extra characters mid password and deletes them, will a keylogger recognise that and delete the characters from it's register? |
|
|
//the same effect can be achieved by simply clicking away from the password entry field in mid password and hitting a few random keys before going back and finishing the password.// |
|
|
That's pretty much what I'm suggesting already. However, I think the wording of my proposal makes it more likely to be secure in the general case. People will do it the same way every time, which reduces the chance that the data thief will be able to piece the password together from multiple sessions.
Your process is likely to get passwords from naive users like PassWord, entered as Pass<click>XYZ<click>Word, on a subsequent attempt Pass<click>qwerty<click>Word, and so on.
My process would lead the naive to create passwords like Pa!sswo+rd (entered as Password<click>!<click>+ routinely) and which has the side-benefit of being a relatively secure password.
Consider that the advice for secure passwords is of the form "n to m letters, don't use dictionary words, include several of upper and lower-case letters, numbers and punctuation". Unfortunately, passwords need to be memorable, so in practice means that people pick a word and then decorate it either with a symbol at the sart or end, or replacing characters with look-alike symbols. Giving passwords like "!Password", "Pa$$word", "passw0rd" and so on. These are obviously less secure than a random string of the same length, and probably brute-force crackable given a very few clues. |
|
|
//Are keyloggers clever enough to deal with deletions? If one simply types a couple of extra characters mid password and deletes them, will a keylogger recognise that and delete the characters from it's register?// |
|
|
Possibly, possibly not. But it doesn't matter anyway. With minor processing, or some manual examination of the data it would still be recoverable. |
|
|
[-] This adds a lot of inconvenience for no real security
benefit. Even if you go to the extreme step of completely
scrambling your password using this method, for a ten
character password you're only looking at 10!, or
3,628,800 possible permutations. That's trivial for a
computer to brute force. And if you're only adding two
symbols after typing in your eight character base
password, it would only render 10! / 8!, or 90
permutations, which could easily be brute forced by
hand. |
|
|
The fact is that if a keylogger is installed, security has
ALREADY been compromisedeither at the software
level, or worse, the hardware leveland any additional
security measures are worthless. |
|
|
The ideas not bulletproof but it sounds like a good
example of defence in depth to me. |
|
|
//Are keyloggers clever enough to deal with deletions?// |
|
|
Yep, I installed one on my own computer years ago just to check that one out. You can delete, retype and delete again and the keylogger merely presents the final password - no problems.
I was quite annoyed. But at least I knew to give up on that strategy. |
|
|
As far a picking a password I have linked an excellent XKCD post on the topic. |
|
|
This would be suitable for checking your email in a
cybercafe, for example. On your own machine, if it's
so badly compromised that a keylogger is running,
this would be //defense in depth// the way the
Dutch
boy, with his finger in the dyke, is defense in depth,
after the dyke's already broken and the polder's
flooded to a depth of several feet. |
|
|
//This adds a lot of inconvenience for no real security benefit.// |
|
|
Actually I think it's the reverse, in practice. The passwords created by typical users will be more secure as a side-benefit (i.e. when a keylogger isn't present). Rather than trying to remember some awkward string including caps, letters and punctuation, you can add them afterwards. It's much easier to remember <wordphrase> <char+pos> <char+pos> than it is to remember <substituted wordphrase>.
And because you're decorating the string with free symbols rather than substituting look-alike symbols, users are likely to add more hard-to-guess permutations. AusCan531's XKCD link illustrates this nicely.
If you want to use more than two additional chars, you're free to do so. (Indeed, you could also beneficially delete chars.) |
|
|
//The fact is that if a keylogger is installed, security has ALREADY been compromisedeither at the software level, or worse, the hardware leveland any additional security measures are worthless.// |
|
|
I don't think that's the case, though. If what you need is a password which is secure on untrusted hosts which may collect your key stream, then it's possible to add enough permutations to prevent capture. As I already said in the idea, it won't help against compromised hosts which grab your final submitted password, though. |
|
|
//This would be suitable for checking your email in a cybercafe, for example. On your own machine, if it's so badly compromised that a keylogger is running, this would be [of little benefit]// |
|
|
I agree. But if you want to use cybercafes at all, it would be desirable to learn the routine by using it every time, even on your own computer. |
|
|
//desirable to learn the routine// Ahh... good point. |
|
|
Perhaps having a password-phrase that is very long and looks like a part of a conversation would be beneficial. I mean, both a computer AND a human would have a helluva time picking out your password if it was: |
|
|
I don't know sally, perhaps I should not have had the fish after all, it is giving me gas. |
|
|
It seems like a good keylogger should capture mouse clicks as well. Since many people use the mouse to switch from the user name to the password field then again to the click the login button, having those recorded would be helpful in figuring out when the password ends. So assuming that keyloggers do capture mouse clicks, figuring out a password entered with the method described above would be somewhat easier. Knowing fully what is being clicked based on x/y coordinates may be nearly impossible, but they might be able to figure out the relative position of the extra letters that were inserted (still pretty difficult). |
|
|
I still like the idea. Although it won't provide significant protection from a targeted attack, it is probably good enough that on a public computer the person running the logger will just grab someone else's password and not bother with trying to figure out why yours doesn't work. They'll just assume you changed the password and move on. |
|
|
One variation of this concept: reduce the chance that they will even know that you're logging in. I assume that the person running the keylogger will find a password by searching for a sequence of characters that looks like an email address followed by some characters they will try to use as a password. So if you avoid pressing the @ key, they may miss the logon event entirely. You can get the @ symbol into the clipboard in windows using the character map tool (start/run/charmap), then paste it in as you type your password. Alternately you might try typing a phrase like "I was @ home.", then use your mouse to delete everything except "@" and ".". Then type additional characters to make "email@host.com". Even if they are manually scanning, they might assume this is just parts of a text chat or something. |
|
|
Anyone know of any other techniques used by keyloggers to find username/password pairs in a long stream of typing? A search for "words" 8 characters or longer containing out of place capital letters and symbols might be a good way to find a password. The original idea could help circumvent that search method. |
|
|
The real reason to add non-alpha characters to your
password is to increase the depth of the search space
required to brute force it. It doesn't really have any
effect against someone who is logging your keystrokes,
even if the password is slightly scrambled or obscured.
As I said, given a slightly obfuscated password,
unscrambling it would be trivial for a machine, and
possibly for a human as well. |
|
|
It seems that the core of this idea is to decrease the
signal-to-noise ratio of your password entry. If that's the
case, why bother with the confusing step of trying to
enter your password out of order (go ahead and type ten
characters into a password field sometime, then see if
you can reliably click between dots 2 and 3, type a
character, then click between dots 6 and 7, type another
character...)? You could achieve a much stronger
effect much more easily by simply typing part of your
password, clicking out of the box, typing random
characters for a bit, then clicking back in, typing more of
your password, and so on. |
|
|
But even that would be pointless. Keylogger password
attacks are so rare as to be effectively a non-threat for
the average user. The only time they're really used are
against a specific target, and if you're being targeted for
a keylogger attack then you've got an attacker dedicated
enough that he likely won't be put off by a simple
attempt at obfuscation. As for the case of public
computers, more and more people are carrying smart
phones and can check their email at any time anyway, so
better advice would be to simply not use public
computers when possible. But if you have to on occasion,
make sure to use a different password for, say, your
email and bank accountsand then, just don't check your
bank account! |
|
|
//The real reason to add non-alpha characters to your password is to increase the depth of the search space required to brute force it. It doesn't really have any effect against someone who is logging your keystrokes, even if the password is slightly scrambled or obscured. As I said, given a slightly obfuscated password, unscrambling it would be trivial for a machine, and possibly for a human as well.// |
|
|
The problem here is that my idea has multiple advantages. It both gives keylogging protection (as you correctly observe, in proportion to the amount of effort expended) and allows typical users to create better passwords, given the more memorable approach. |
|
|
//(go ahead and type ten characters into a password field sometime, then see if you can reliably click between dots 2 and 3, type a character, then click between dots 6 and 7, type another character...)?// |
|
|
I have. It's very easy. Much easier than what it replaces, which is remembering which characters in a typical password were substituted with symbols. |
|
|
//You could achieve a much stronger effect much more easily by simply typing part of your password, clicking out of the box, typing random characters for a bit, then clicking back in, typing more of your password, and so on.// |
|
|
We covered that before. It's a subset of the idea ("perform an additional action" includes typing text) - except that you shouldn't use random chars, you should use the same chars every time (as otherwise it's easier to identify the sense part of the password given multiple logins). |
|
|
Regarding your last paragraph - I don't know how prevalant keylogging attacks are - but I do know that accounts being 'hacked' and identity theft are rampant, and suspect keyloggers are large part of both. Your advice to just avoid using untrusted machines is a bit disingenious - they're obviously a last resort, and necessary under many circumstances. Afraid of getting food poisoning? Simply don't eat! |
|
| |