59

Suppose that you are at a cybercafe, at a friend's home or at your work office, and you need to log in on a site, but you feel that the computer cannot be trusted (e.g. your friend isn't tech-savvy and doesn't know how to protect his machine and there is a possibility that his PC contains some kind of malware harvesting passwords).

In those kinds of scenarios, how would you be able to log in on a site while minimizing the risks?

Widor
naw
  • 10
    If the login is not something crucial (e.g. bank login which you should not do at all from an unsecured computer), and I suspect a keylogger, I usually enter my password in the wrong character order, aided by the mouse. Not a perfect solution, but might throw off most of the beginner kiddies. – vsz Nov 05 '12 at 04:06
  • 19
    If you're concerned... you don't. – tylerl Nov 05 '12 at 06:22
  • 1
    An onscreen keyboard may be handy in such a case, but it isn't a foolproof solution – kiran Nov 05 '12 at 12:44
  • @vsz actually, since banks usually have 3 or 4 factor authentication for an actual transaction, it should be relatively safe to do a login, since you can only see your bank balance, etc. that way – Akash Nov 05 '12 at 20:42
  • 2
    I'm surprised nobody mentioned this, but I would recommend changing the password right before & right after logging in using a smartphone. Unless someone is watching you live, there is no chance for them to take over your account. Make sure not to use unprotected wifi btw! – Dennis Jaheruddin Nov 06 '12 at 15:00
  • 1
    Just as an interesting aside: As others have pointed out, you *cannot* guarantee confidentiality on a compromised system, no matter what you do. However, you *can* still prevent unauthorized transactions: German banks have introduced a special form of two-factor authentication in the last few years, called ChipTAN ( http://en.wikipedia.org/wiki/Transaction_authentication_number#ciTAN_or_ChipTAN ). With ChipTAN, you first log in to your bank account with just username+password. However, this only gives you read access. For any kind of transaction (transferring money etc.) you need a TAN. [cont] – sleske Nov 07 '12 at 07:55
  • This TAN is generated by a special chipcard reader, based on the transaction details (which are transferred via a photosensor to the reader). The reader only works with the banking card inserted. It shows the transaction details and only generates a TAN after confirmation. The scheme prevents unauthorized transactions, *even in the presence of malware on the computer that actively modifies communications in real-time*, because the reader constitutes an independent channel. AFAIK, there have been no successful attacks, apart from social engineering (tricking people into generating TANs). – sleske Nov 07 '12 at 08:00
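
The transaction-binding idea from the ChipTAN comments above, as an added example that is not part of the original thread: the code is a simplified HMAC construction, not the real ChipTAN algorithm, and the key, challenge, account identifiers and function names are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

CARD_KEY = b"constructed-card-key"            # constructed; shared by card and bank
INTENDED = ("DE00-CONSTRUCTED-FRIEND", 5000)  # what the user wants to send
ATTACKER = ("DE00-CONSTRUCTED-MULE", 900000)  # what malware substitutes


def tan_for(key: bytes, challenge: str, iban: str, cents: int) -> str:
    """6-digit code bound to one transaction (illustrative HMAC construction)."""
    msg = f"{challenge}|{iban}|{cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def reader_confirm(challenge: str, shown: tuple, intended: tuple) -> Optional[str]:
    """Reader displays `shown`; the user confirms only if it matches their intent."""
    if shown != intended:
        return None                           # user sees wrong details and aborts
    return tan_for(CARD_KEY, challenge, *shown)


def bank_verify(challenge: str, received: tuple, tan: str) -> bool:
    """Bank recomputes the TAN over the transaction it actually received."""
    return hmac.compare_digest(tan_for(CARD_KEY, challenge, *received), tan)


def transfer(tamper_bank: bool, tamper_reader: bool) -> str:
    """The PC relays details to bank and reader and may alter either copy."""
    challenge = "constructed-challenge-0001"  # must be fresh per transaction
    to_bank = ATTACKER if tamper_bank else INTENDED
    to_reader = ATTACKER if tamper_reader else INTENDED
    tan = reader_confirm(challenge, to_reader, INTENDED)
    if tan is None:
        return "refused_by_user"
    if not bank_verify(challenge, to_bank, tan):
        return "rejected_by_bank"
    return f"executed:{to_bank[0]}"


if __name__ == "__main__":
    for case in [(False, False), (True, False), (True, True)]:
        print(case, transfer(*case))
```

The `reader_confirm` check stands in for the user reading the reader's display, which is why the comment lists social engineering as the remaining weakness.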

12 Answers

34

Some very good answers already. Here is what I think the best options are, in order of preference.

  1. Don't do it.
  2. Don't do it.
  3. Don't do it. An untrusted machine can do anything. What if you log in to online banking with a one-time password, and malware immediately initiates a wire transfer?
  4. Only use systems with one-time-passwords (per Thomas Pornin).
  5. Only use systems with 2 or more factor auth (per naw)
  6. Use KeePass with Two-Channel Auto-Type Obfuscation (per naw), AND change passwords immediately afterwards (within minutes if at all possible).

I find a great option is to say something like "Sorry, I only store my passwords in KeePass, and I don't have them with me". This can lead nicely into a discussion about good password practices - and that way you've helped educate some people about doing the right thing, without sounding like a paranoid ass :)

scuzzy-delta
  • 10
    You may ask whether there's *actually* malware out there that initiates a transfer when you log in to your bank account. The answer is *yes*, there is. This isn't hypothetical. – tylerl Nov 06 '12 at 06:21
  • Regarding "Use KeePass with Two-Channel Auto-Type Obfuscation", I would be _very_ hesitant to unlock my KeePass database on an insecure computer. Exposing my entire, decrypted password database to malware seems _far_ worse than just exposing my password for a single account to keyloggers. – Ajedi32 May 07 '18 at 16:25
31

The generic solution is one-time passwords: the password grants entry only once, and the next password cannot be recomputed from that password. This, of course, assumes several things:

  • The system into which the user wants to log on supports one-time passwords (and very very few Web sites do).
  • The user has a list of successive one-time passwords to use, e.g. on a paper in his wallet, or as a specific OTP-generating device (e.g. a special smartcard or an app in his smartphone).
  • The attacker is only a keylogger, and he is only after the password.

Usually, when the user needs to enter a password, it is because he wants to access sensitive data; if the user's computer is hostile, then that data can no longer be considered confidential. So the prudent answer is: do not do it. Do not use potentially hostile computers; instead, use your own device.

Thomas Pornin
  • 1
    [can no longer be considered confidential] ... or trusted at all – ignis Nov 05 '12 at 00:55
  • 10
    One-time passwords are not a solution. They do not solve this problem. The "assumptions" that are listed in the question are not valid in most practical settings. The only valid answer to this computer is: *you cannot login securely from a computer you don't trust*. – D.W. Nov 05 '12 at 03:33
  • I have to agree with @D.W. - back when I used Windows 98, it was trivial to find any number of programs that could save and email screenshots at regular intervals. I'm sure they're still around. – Izkata Nov 05 '12 at 04:05
  • @Izkata The software definitely still exists. We used it in the last company I worked for. Made me feel terrible spying on a coworker, but it was a very specific instance in that we needed hard evidence of "adult content" being viewed on a company device. The software was cheap, and hard to detect for the average user. Could easily be installed maliciously on any 'unsafe' computer. – jwegner Nov 05 '12 at 16:49
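
The one-time-password property from the answer above ("the next password cannot be recomputed from that password"), as an added example that is not part of the original answer: it uses a Lamport-style hash chain, which is one scheme with that property and not necessarily the one the answer has in mind. The seed, class and function names are constructed for illustration.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One-way step of the chain (SHA-256)."""
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [h^1(seed), ..., h^n(seed)]; the user keeps this list private."""
    chain, value = [], seed
    for _ in range(n):
        value = h(value)
        chain.append(value)
    return chain


class OtpServer:
    """Stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes):
        self.current = anchor  # h^n(seed), registered at enrolment

    def login(self, otp: bytes) -> bool:
        # A valid OTP is the preimage of the stored value.
        if hmac.compare_digest(h(otp), self.current):
            self.current = otp  # the next login must present its preimage
            return True
        return False


def demo() -> dict:
    seed = b"constructed-sample-seed"  # constructed; never typed on the PC
    chain = make_chain(seed, 5)
    server = OtpServer(chain[-1])
    passwords = chain[-2::-1]          # order of use: h^4, h^3, h^2, h^1
    captured = passwords[0]            # what a keylogger records on login 1
    return {
        "first_login": server.login(captured),
        "replay": server.login(captured),
        # Hashing the capture only moves forward to the spent anchor,
        # never backward to the next password.
        "forward_guess": server.login(h(captured)),
        "next_login": server.login(passwords[1]),
    }


if __name__ == "__main__":
    print(demo())
```

This covers only the password itself, matching the answer's third assumption; the session opened by the first login is still in the hands of the untrusted machine.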
21

If the site does not have 2 factor authentication, you do not log in from an unsecured PC.

If you frequently face such a situation, carry a live USB (Windows 8 can also boot from USB IIRC, so you aren't stuck with Ubuntu).

Reduces risks that way

Akash
  • +1 USB boot is immediately what came to mind for me. The other option for when it's your computer, but you don't trust their open wifi or some such is to create an SSH proxy to a secure network – Earlz Nov 05 '12 at 02:32
  • 2
    And if there's a hardware keyboard logger? – asmeurer Nov 05 '12 at 05:39
  • 2
    @asmeurer true, that issue remains, but the assumption is that the PC owner is not malicious, but simply does not keep his software secure – Akash Nov 05 '12 at 08:46
  • AFAIK the USB install option is only for Win8 Enterprise; so unless you've got volume licensing access via your employer it's not an option. – Dan Is Fiddling By Firelight Nov 05 '12 at 14:12
  • 1
    Hardware keyloggers might be an unlikely concern; but what about BIOS-level rootkits that would leave your live stick running in a hostile hypervisor? – Dan Is Fiddling By Firelight Nov 05 '12 at 14:15
  • @DanNeely again, aren't BIOS-level rootkits extremely rare? Like, virtually no large scale infections at all? – Akash Nov 05 '12 at 17:28
  • @Akash I think they're still fairly rare in the wild; but it's only been ~14 months since the first one was found outside of a research lab. I'm hesitant to dismiss them out of hand just because they haven't made their way into cut and paste DIY malware kits yet. The need for a physical presence to be installed makes it unlikely that hardware keyloggers will ever become a major threat. – Dan Is Fiddling By Firelight Nov 05 '12 at 18:20
  • Hardware keyloggers are definitely a concern if the hardware is accessible to the public. Much easier to do this than the BIOS keylogger (remember that physical security trumps almost any other protection). [USB Keyboard Keylogger](http://dx.com/p/usb-keyboard-keylogger-black-127262) – Andrew Russell May 01 '13 at 03:07
13

You don't. It's something I never would do as you don't know what's been done to the computer. I always have a live system on usb.

Lucas Kauffman
  • 3
    I know that the safe option would be to not do it, but to say somebody that you don't trust him/her to keep his/her computer safe can be offensive, and to reboot with a live usb (which I do often carry with me) is, at least, inconvenient, and might not be feasible (e.g. in a cybercafe) – naw Nov 04 '12 at 19:59
  • 4
    @naw, well, you asked a technical question and got a technical answer. (Whether some people are offended by it is beside the point. Some people are offended by any suggestion that humans evolved from apes; but that doesn't make it any less true.) If you want some advice on how to tactfully communicate this answer to a potential user, that's a different question. – D.W. Nov 05 '12 at 03:36
  • 1
    If the hardware or firmware have been messed with, a live system on a USB drive may not help you. – Samuel Edwin Ward Nov 05 '12 at 16:35
6

There is an application called KeePass which seems to have a feature to thwart keyloggers. The software could be on a USB memory stick and be used on the computer.

In the case of Google and other sites which support two factor authentication, it would be desirable to use it so if the main password gets logged, there is still a code needed by the attacker. In the case of StackOverflow, and other OpenID-based sites, there seem to be several OpenID providers with two factor authentication (Google, Facebook, Verisign).

Although, those methods just protect the login, not against some kind of session hijacking.

Benoit Esnard
naw
4

Use a bootable USB flash drive or optical disc with any live Linux distribution loaded onto it. For usability and user-friendliness, I'd suggest Ubuntu, but the USA's Air Force developed and released their own distribution called LPS specifically for such use-cases.

If you prefer Microsoft Windows and have an Enterprise licence, you could try Windows To Go.

You should still check for hardware keyloggers (follow the keyboard cable to the motherboard and look for anything plugged in between both).

PS/2 Hardware Keylogger

Something I did when using public computers that I didn't trust was to type broken passwords, that is: if your password is "password", type "word", then with your mouse click back to the beginning and type "pass". If the keys are being logged as plain text, which they usually are, instead of seeing password[enter], the spy will see: word[left-click]pass[enter]

Although going a little further than the scope of the question, a password manager will allow you to use more secure passwords (with a master password) meaning you won't be typing as much sensitive information into unsafe computers. Do be mindful that your weakest point is then your master password which should be changed regularly.

Alastair
  • 2
    If the hardware or firmware have been messed with, a live system on a USB drive may not help you. – Samuel Edwin Ward Nov 05 '12 at 16:37
  • E.g. one of these: http://acehackware.com/products/keygrabber-usb-keylogger – Zac B Nov 05 '12 at 19:08
  • @Samuel Edwin Ward Very true! I thought about including it but left it out. Added details including h/w-keyloggers. – Alastair Nov 06 '12 at 00:59
  • WARNING: This is too poor: from `word[lclick]pass[ret]`, you could build `wordpass`, `worpassd`, `wopassrd`, `wpassord` or `password`. This leads to only 4 unsuccessful tries max. This method is a good practice, but you could use more and more `clicks`, from another window, like a terminal (see `man ascii`) or notepad (under Windows), even selecting some of the already pasted chars before an Nth `paste`, overwriting some part... In this manner, the keylogger will see only `lclick` `ctrl-C` `ctrl-V` with a lot of repetition, where that number may be longer than the real password length. – F. Hauri - Give Up GitHub Nov 06 '12 at 07:52
  • @f-hauri Yes, it was just an example; I'm not advocating the use of `password` as a password. =P Those are good suggestions regarding ascii. I've used it before for on-page e-mail obfuscation (from scrapers). Something I also do is using *NIX middle-click paste to quickly select and paste random characters from a page. **That** would be tricky for someone reading logs to decipher: `[lclick][mclick]` – Alastair Nov 07 '12 at 01:51
3

All the solutions proposed have some loopholes:

1) With two factor authentication you are still, in the end, logging in. Someone could capture screenshots of your personal data (bank account) unbeknownst to you.

2) Even when booting from a USB live stick, someone could have set a hardware keylogger on the back of (or inside) the PC.

A two-factor authentication+live USB stick could be ok for less sensitive data, but probably is not worth the hassle.

zakk
3

Google had a cool QR-code + smartphone solution, but apparently that was an experiment and is now closed.

You could go to accounts.google.com/sesame and it would display a QR code, which you could scan with your phone. Then you could login on your phone, and the session on your computer would be authenticated.

Required 0 inputting of sensitive data into the suspect computer, I thought it was pretty neat.

Don't know why they closed it down though. But if you're interested in developing a secure login to your web service that might be an idea.

Dean Rather
  • 2
    But if the computer was compromised, that could send you to a fake site, and the QR code could send you to a fake site on your phone. I guess if you had to scan the code in a dedicated app on the phone it would work. – asmeurer Nov 05 '12 at 05:43
3

First I open Notepad, and type the following:

1234567890
qwertyuiop
asdfghjkl
zxcvbnm

Needless to say, it goes pretty fast to do so. Then I use <CTRL>+<C> and <CTRL>+<V> to compose my password in the password field (which is hopefully blanked out with *****).

I have now thwarted most keyloggers that an amateur ill-intentioned cybercafe-owner may have deployed. Don't compose in the Notepad itself because a screen capture app could get it.

Far from perfect (see the other answers) but at least you have an entry-level solution without any kind of preparation.

  • 3
    This is good protection against a hardware keylogger or against low-level-only software keyloggers. But “keylogger” malware often records everything that's entered in a browser form, especially if it's marked as a password. – Gilles 'SO- stop being evil' Nov 05 '12 at 13:04
  • 1
    Combining this strategy with booting from a USB stick should be reasonably secure against keyloggers. You still run the risk of hardware video loggers, so you'll need to check for them or not access secure data. – dhasenan Nov 06 '12 at 04:39
  • This is not secure. It is possible to capture the data using 3 or 4 lines of JavaScript code – open source guy Nov 06 '12 at 17:15
2

A simple solution: don't do it. Only login to sites that have 2 factor authentication.

Jeff Ferland
2

My working solution is a Linux Live on USB. For this, really, I like Debian's Live Helper that lets you customize your live key as you need.

I have some habits to keep this safe:

  1. I've never inserted such a USB key in a running untrusted system!!!
  2. I always cut power off for at least 30 seconds before I insert the key on an unknown PC
  3. If I'm not completely sure to have 1st BIOS access, I shut power off again
  4. If I'm not completely sure to have 1st BIOS access after many tries, I don't.
  5. If the environment is clearly hostile (may hold hard keylogger and/or hard video logger), I don't!
  6. All sensitive data on my key is encrypted and asks for a password on boot (new version asks for pass only when mounted from second user on persistent filesystem).
  7. I keep in my pocket several of these Live USB keys. (For Linux promotion; Only one is mine, but all are trusted)
  8. An old USB key (too small, poor look or too slow) holding sensitive data is destroyed physically, never re-used.
  9. Environment considerations are important too. (no glass behind, but preferably behind walls or even in the open with full view to what's around)...

Some of my friends tell me I'm paranoid, but I'm not!

  • Why not just have a hardware write-protected USB key? and a second USB key for holding data. – Lie Ryan Nov 05 '12 at 23:04
  • I don't personally know hardware constructors, so I could not trust basic hardware (some not so recent news about low-cost FPGAs holding back-doors seems to confirm my opinion). In using crypto from open source, *then* writing encrypted data on ANY hardware, I could trust (as far as I know, and as long as no news, even about quantum physics, would change the state of knowledge... ;) the hardware in the same manner. – F. Hauri - Give Up GitHub Nov 05 '12 at 23:16
  • Fair enough, now I'm officially crowning you paranoid ;) – Lie Ryan Nov 05 '12 at 23:23
  • Advantage: I could build a strong secured (with checks and signs for everything) and trusted USB Key from a 2$ basic hardware. (One of my first was an Ipod shuttle with 512Mo ;). The only thing I look at now, before buying new such keys, is **read and write speed**. – F. Hauri - Give Up GitHub Nov 05 '12 at 23:25
2

There are certain different types of risk factors when you are connecting from an unsecure computer (in this case a PC with public access). The most common are these:

  • Keyloggers: A certain type of software that will log every key pressed on your keyboard and send these logs to various locations.
  • Network Sniffing: On an unsecure network or with a router which has its monitoring mode on, your requests and the server's responses can be observed and altered once you get the reach of them, leading to session hijacks and man-in-the-middle attacks (in certain situations when the criteria are met).

To avoid such threats and minimize your risk,

  • Against keyloggers try to use virtual, onscreen keyboards for important credentials.
  • Use secure protocols with CA provided SSLs. This is important since certificates can be provided at will, therefore paying attention to the certificate owner and whether it's registered or not by a CA has great importance.
  • Disable cookies and scripts to avoid leaving digital residue of your data. If it's required to have cookies, be sure to delete them after your usage.
Alishex