How to resist keyloggers
The keystroke logging system, or keylogger, is a tool used to monitor and record keyboard events, such as a user typing a password or other valuable data. That data is later covertly transmitted to the perpetrator, owner or installer of the keylogger. Keyboard monitoring has legitimate uses, too, but in most cases the keylogger has been installed surreptitiously, typically by an employer, parent or spouse, to track someone's activity.
Considering the potential danger of this malware, we recommend a few practical tips on preventing keyloggers from stealing your information.
If you access the Internet from a public place, such as an Internet café or airport kiosk, don’t log into private pages that need your personal passwords. Fundamentally, it’s not secure: even if you log in safely, someone could still inspect the browser cache and extract sensitive information from it. If you absolutely must, follow the steps below to minimize the risk of a keylogger snatching your data:
When entering your log-in information
- Type the beginning portion of, say, your password, and then
- Place the mouse cursor over an empty area of the web page and type something there. No text will appear, of course, but the keylogger will treat this text as part of your secret phrase: the program cannot tell which field of an application a keystroke went to, it just logs entries. The keylogger simply records the succession of entries without knowing where they belong.
- After typing a string of random characters in the empty space, switch back to your password field and continue entering valid symbols there.
- Repeat the procedure a few more times so that the valid password becomes impossible to pick out. The screenshot below illustrates the sequence.

Use an online screen keyboard instead of tapping characters on your keyboard
You can use a virtual keyboard, like this, to type characters in a window instead of using the hardware keyboard.
Posted in Security Tip of the Week


June 17th, 2008 at 10:15 am
This method is NOT secure. Software keyloggers can also detect mouse clicks, so they would log something like this:
————-
MYPA *left mouse click* qwertradsffaas837aefud *left mouse click* SSWORD
————-
And I think software keyloggers are more common than hardware ones, since the latter cost money (and some of them can be easily detected just by looking for something strange on the wire from the keyboard to the motherboard) and the former can be obtained for free on the internet and installed by some random kid. Just imagine the typical cyber-cafe and you’ll understand what I mean.
The only methods I can think of to securely enter a password in an insecure environment are these:
-Use the “On-Screen Keyboard” under “Accessibility” (Microsoft Windows) or the web page you mention. The first one is more secure, since with the second one you have to copy and paste, so that information can be stored by the keylogger if it supports this feature.
-Type random characters anywhere and then copy and paste them one by one with your mouse into the user/password field (not with “shift+direction keys”). You can also paste fake characters and then left click (so they don’t know where that vertical bar that appears when you type is) and delete them. This way, and if you don’t paste the letters/numbers/symbols in order, even if they can see what you copied or pasted it will be really difficult to reconstruct your password if it isn’t something logical (random characters instead of the name of your favorite football player) and it’s long enough.
There’s also the problem that some software keyloggers can also take screenshots every certain amount of time. Due to resource and hardware capacity limits it is usually set to take one every X minutes though, so that shouldn’t be a problem with the methods I describe, since they will never see every character you copy and where you paste it, and also remember that the password field usually only shows ***. Also there are ones which can record the mouse position (x,y) at the moment of the click, but that is just too paranoid and I don’t think the everyday lamer who installs a keylogger in your cyber-cafe will use that feature and spend hours guessing where the mouse was and reconstructing what you did.
And of course all that is meaningless if you don’t log out after using the service and delete the cookies/browser/Windows cache after using it, or if you don’t log in using the SSL option.
PS: There are other methods to obtain passwords and usernames, such as cameras and that sort of stuff.
PS2: It is also recommended to do that with the username, since it can be brute-forced to obtain the password or used to track your activities on the internet and obtain personal data you post on the internet. Trust me, with only a username you can even obtain a photo of the person and also lots of information in forums and so on…
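The article's decoy-typing procedure and NSR's objection to it can be modelled in a few lines. The Python simulation below is an added example, not code from the original post, from NSR's comment or from Agnitum; it assumes only the two logger behaviours discussed on this page (one that records keystrokes regardless of focus, and one that additionally records mouse clicks, written in the format NSR's comment uses), and the password, decoy strings and event stream are constructed for the demonstration.

```python
from dataclasses import dataclass

MARK = " *left mouse click* "  # click marker, in the format NSR's comment uses


@dataclass(frozen=True)
class Event:
    kind: str   # "key" for a keystroke, "click" for a mouse click
    value: str  # typed character, or the click target ("password_field", "empty_area", "osk_key")


def type_with_decoys(password, decoys, chunk=2):
    """User events for the article's procedure (constructed model): click the field,
    type `chunk` real characters, click an empty area, type a decoy string, click back
    into the field, and repeat until the password is complete."""
    events = [Event("click", "password_field")]
    parts = [password[i:i + chunk] for i in range(0, len(password), chunk)]
    for i, part in enumerate(parts):
        events.extend(Event("key", c) for c in part)
        if i < len(parts) - 1:  # a decoy between real chunks, none after the last one
            events.append(Event("click", "empty_area"))
            events.extend(Event("key", c) for c in decoys[i % len(decoys)])
            events.append(Event("click", "password_field"))
    return events


def on_screen_keyboard_events(password):
    """User events when every character is entered by clicking a virtual key."""
    return [Event("click", "osk_key") for _ in password]


def keystroke_only_log(events):
    """What a logger that hooks only the keyboard sees: every key, whatever has focus."""
    return "".join(e.value for e in events if e.kind == "key")


def click_aware_log(events):
    """What a logger that records clicks as well sees (click position not recorded)."""
    return "".join(e.value if e.kind == "key" else MARK for e in events)


def typed_segments(log):
    """Runs of characters typed between clicks in a click-aware log."""
    return [s for s in log.split(MARK) if s]


if __name__ == "__main__":
    # Constructed sample: password and decoy strings chosen for the demonstration
    stream = type_with_decoys("MYPASSWORD", ["qwerty", "837ae"])
    print("keystroke-only :", keystroke_only_log(stream))
    print("click-aware    :", click_aware_log(stream))
    print("segments       :", typed_segments(click_aware_log(stream)))
    osk = on_screen_keyboard_events("MYPASSWORD")
    print("on-screen keyboard, keystroke-only:", repr(keystroke_only_log(osk)))
    print("on-screen keyboard, segments      :", typed_segments(click_aware_log(osk)))
```

Running it shows the difference between the two threat models: the keystroke-only log is a blend in which the password is one subsequence among many, while the click-aware log splits into alternating real and decoy segments, so the decoys add nothing once clicks are recorded. The on-screen keyboard path produces no keystrokes at all, and a logger would need the click coordinates NSR mentions to learn anything from it.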
June 18th, 2008 at 8:43 am
to NSR: Depending on the keylogger app, mouse clicks can also be captured. Web-based virtual keyboards are more isolated from this threat, however, and that was my point in the article – to choose the best option amongst poor alternatives.
Igor Pankov,
Agnitum