Arvind Narayanan's journal - How to protect your password from keyloggers

How to protect your password from keyloggers [Feb. 8th, 2010|11:49 am]

Yesterday the Interwebs got to point and laugh at a hilarious customer service e-mail from American Express on password security. Every single paragraph in it was either wrong, or worse, not even wrong — it didn't rise to the level of coherence where the words 'correct' and 'wrong' are applicable.

There is one particular sentence that I want to talk about:
We discourage the use of special characters because hacking softwares can recognize them very easily.
Presumably, this means that keyloggers can detect that you're typing a password by observing that the sequence of keypresses has high entropy. I believe this is an actual technique that's used to identify password-like strings from a disk dump (although I'm unable to find the reference right now). However, I didn't think it made sense in the keylogging context, and indeed someone who says he's looked at a lot of keylogger data confirms that detecting when a password is typed is fairly trivial, regardless of what kind of characters your password uses.

So is there any hope for those of us who need to log in somewhere we suspect a keylogger might be afoot, such as an Internet cafe or grandma's computer? Dinei Florencio and Cormac Herley of Microsoft Research discovered a simple trick to do just that. The idea is not to make it hard to detect when you're typing your password, but rather to make it hard to tell what the password is. I will let them describe it (with minor edits for brevity):
The trick lies in the fact that keyloggers employ very low level OS calls. The keylogger sees everything, but it doesn’t understand what it sees. The browser also sees everything, but it doesn’t use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor. The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor.

Between successive keys of the password we will enter random keys. The string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. We are exploiting the difficulty from the OS layer of determining how the GUI of an application handles events.
Got it? All you need to do is: after typing each password character, click to focus away from the password field, type a random character or two, then focus back to the password field.

The authors point out that (1) all current keyloggers fail against this technique, and (2) if everybody started doing this (which they won't), then keyloggers will find a way around it. I can think of many workarounds, but they are all difficult to implement (and have counter-workarounds). The strategy here is not to outrun the bear, but to outrun the slowest person. It simply isn't worth malware authors' time to go after the 1% (or less) of people who will use this. I have benefited from this technique myself when logging in from other people's computers (not that I don't trust them; I don't trust their OS :-)
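To make the trick and its main caveat concrete, here is an added example of my own; it is not code from the post or from Florencio and Herley's poster, and the event model, the function names (type_with_decoys, browser_view, key_only_view, demo) and the sample password are all constructed. It simulates the same key and focus event stream from three vantage points: the browser's password field, which keeps only keys delivered while it has focus; a hook that records keystrokes but no focus information, which is the case the post argues for; and a hook that also records focus changes, which can apply exactly the browser's filter and is the workaround several commenters describe.

```python
import random
import string

# Constructed model (added example, not the paper's code): an event is either
# ("key", character) or ("focus", widget). The widget names are assumptions.
ALPHABET = string.ascii_letters + string.digits


def type_with_decoys(password, rng, max_decoys=3):
    """Simulate typing `password` the way the post describes: after each real
    character, move focus off the field, type a random number (1..max_decoys)
    of junk characters, then move focus back. Returns the raw event list that
    any low-level hook would observe."""
    events = [("focus", "password")]
    for ch in password:
        events.append(("key", ch))              # typed while the field has focus
        events.append(("focus", "elsewhere"))   # click somewhere harmless
        for _ in range(rng.randint(1, max_decoys)):
            events.append(("key", rng.choice(ALPHABET)))  # falls on the floor
        events.append(("focus", "password"))    # click back into the field
    return events


def browser_view(events):
    """What the password field actually receives: keys delivered while it is
    the focused widget. A hook that also logs focus changes can apply this
    identical filter, which is the caveat raised in the comments."""
    focused = None
    typed = []
    for kind, value in events:
        if kind == "focus":
            focused = value
        elif focused == "password":
            typed.append(value)
    return "".join(typed)


def key_only_view(events):
    """What a hook that records keystrokes but no focus information sees:
    the password is in here, but interleaved with the junk."""
    return "".join(value for kind, value in events if kind == "key")


def is_subsequence(needle, haystack):
    """True if `needle` appears in order (not necessarily contiguously) in
    `haystack`; used to show the password survives inside the key-only log."""
    it = iter(haystack)
    return all(c in it for c in needle)


def demo(password="c0rrect-h0rse", seed=42):
    """Run one constructed session and return (browser view, key-only view)."""
    rng = random.Random(seed)
    events = type_with_decoys(password, rng)
    return browser_view(events), key_only_view(events)


if __name__ == "__main__":
    browser, keys_only = demo()
    print("password field receives:", browser)
    print("key-only hook records  :", keys_only)
    print("junk-to-password ratio : %.1f" % (len(keys_only) / len(browser)))
```

With the defaults the key-only log is at least twice the length of the password and the password is only a subsequence of it, while the browser view (and therefore any focus-aware hook) yields the password exactly. That gap between the two hook designs is the whole argument of the post and of the "it won't work" thread below: the trick raises the cost for one class of logger and does nothing against the other.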

Let me end by pointing out that this kind of research is essentially unpublishable in the scientific community (indeed, it was 'published' as a poster). Ironically, it is more useful to society than the vast majority of published papers. Of course, I'm not saying that journals and conferences should start accepting 'tricks' in place of deep research. Rather, there should be a way of measuring and rewarding impact outside of the monomaniacal publication/citation-count system. (For those of you who are already tired of me talking about this, I'm going to be harping on it for a long time to come.)

Comments:
From: anonymousrex.myopenid.com
2010-02-08 08:07 pm (UTC)

A different (but possibly misguided) approach

I was thinking about the same problem over on Stack Overflow one day (http://stackoverflow.com/questions/1997692/remote-login-in-a-browser). Unfortunately, no one took an interest in my idea and I still don't know how to implement it.

The solution you describe seems far easier and as effective ...
From: annamaryse
2010-02-08 08:26 pm (UTC)

HARP ON... this was awesome
From: (Anonymous)
2010-02-08 08:43 pm (UTC)

It won't work

Unfortunately, keyloggers remember the application to which input is sent, i.e. they will distinguish between keyboard input to iexplore and msword. So they will filter all typing to msword (a bunch of input) since it is not relevant (less interesting).

In your case your password will be split into several strings but still contain the password.

Noise around keyboard input for the same application works.
From: arvindn
2010-02-08 08:51 pm (UTC)

Re: It won't work

Apparently you missed the part where I said they already tested the existing keyloggers and confirmed that it works. Also, why don't you read the post again -- nowhere does it say to give focus to different applications.
From: (Anonymous)
2010-02-08 09:54 pm (UTC)

Re: It won't work

I've personally worked with and created key loggers (not what I do, but what I've done). Storing context (i.e. which application has focus) is vital to sorting out what information to track.
From: (Anonymous)
2010-02-08 10:46 pm (UTC)

Re: It won't work

You can both be right. If we're talking about typing a PW into a web form, then clicking on a different tab would show as input to the same process.
From: arvindn
2010-02-08 10:51 pm (UTC)

Re: It won't work

Wow, you're not even trying to listen to what I'm saying. That's great that you've created a keylogger yourself. Again, the point is not to give focus to different applications, but to give focus to different areas on the same web page within the same application.
From: (Anonymous)
2010-02-08 11:02 pm (UTC)

Re: It won't work

This is an old trick, and some software based keyloggers do account for it. However, it is pretty effective, and I recommend it.
From: (Anonymous)
2010-02-09 07:16 pm (UTC)

Re: It won't work

If you're using a keylogger that's GUI aware, it shouldn't matter if you're in the same app, same window, same tab, or whatever. The context of each GUI element (text box, window, button, icon, scrollbar) is unique, and generally available to the OS, which means keypresses could be logged against each GUI id. If your app is drawing its entire screen every time this may be different, but that's rare (I don't know what FLASH reveals to the OS, for example).

That said, if the keylogger is dumb, or uses BIOS or system calls rather than being GUI aware, then, great, go confuse it. The article indicates that this would be effective against most keyloggers, and I've got no reason to disbelieve them, but I expect the keyloggers could write workarounds rather quickly.
From: rfc9000
2010-02-08 09:00 pm (UTC)

If this hack can protect your password from keyloggers, then pulling out is an acceptable birth control technique.

Personally, whenever I log in from an insecure place (like a cyber cafe or a public computer), I make sure I change my password(s) once I'm back on my own computer.
From: arvindn
2010-02-08 11:04 pm (UTC)

Heh. Your <sarcasm> tag showed up in my notification email but since you didn't escape your brackets it got lost in the html. I assume you didn't intend that to happen.
From: (Anonymous)
2010-02-08 09:29 pm (UTC)

Can't the key loggers detect mouse clicks as well? (If so, going outside the text box and coming back can be detected)

I have seen that many websites now use onscreen keyboards where you have to enter the password using mouse clicks. How secure is that?
From: arvindn
2010-02-08 09:48 pm (UTC)

"Can't the key loggers detect mouse clicks as well? (If so, going outside the text box and coming back can be detected)"

Yes, that was one of the examples of workaround and counter-workaround I had in mind. If you strictly alternate outside-the-box and inside-the-box clicks, then the keylogger can tell where you are. But if you do n iterations of outside-the-box for every iteration of inside-the-box (n = 1/2/3, randomly picked), then you will still beat the keylogger.

"I have seen that many websites now use onscreen keyboards where you have to enter the password using mouse clicks. How secure is that?"

Good question. The paper discusses onscreen keyboards, but I didn't look at that part.
From: (Anonymous)
2010-02-08 09:29 pm (UTC)

I always use the mouse as well

I always make it a habit to type random numbers or letters, select them with the mouse and type over them and repeat a few times. Sometimes I even copy and paste (with the mouse) parts over each other.
I then finally stumble across the correct password or card number. This method is an overkill but is a bit of a habit now.
From: (Anonymous)
2010-02-08 10:08 pm (UTC)

what could you do in case of "dos" / ssh windows

Hi, do you have any idea how to thump keyloggers in the case where you are logging in to your ssh account (you, for example, have a DOS shell open)?
From: arvindn
2010-02-08 10:18 pm (UTC)

Don't use passwords!

You should be using public key authentication with SSH, not passwords! It is both more convenient and more secure.
From: robmueller.myopenid.com
2010-02-08 10:17 pm (UTC)

"all current keyloggers fail against this technique"

That's rubbish.

Running an email service (http://www.fastmail.fm), I see dropbox accounts that have data from keyloggers sent to them (we always close these if we find them).

I can tell you that in most cases, they would have got this fine. All the emails I've seen with keylogger data are streams of events including keyboard data, mouse clicks, focus changes, application launches, etc. It's not too hard to put the data back together.

On top of that, I've seen some which hook in at lower levels and include the data for IE form posts for pages with password fields (http and https), which completely defeats this approach without any reconstructing work.

Security through vague obscurity and hope is no security at all. The only true way to get security is having some one-time or two-factor approach.

Since we're well aware of this at FastMail, we implement one-time passwords, SMS passwords, and YubiKey authentication mechanisms. We also allow these to be set up as "restricted" logins. If you use one of these, then you can't delete anything in your account while logged in, so even if somehow your session is hijacked, while information can be taken, no damage can be done.
From: arvindn
2010-02-08 10:56 pm (UTC)

"All the emails I've seen with keylogger data are streams of events including keyboard data, mouse clicks, focus changes, application launches, etc. It's not too hard to put the data back together."

I don't believe it. At least not in an automated way.

"On top of that, I've seen some which hook in at lower levels and include the data for IE form posts for pages with password fields (http and https), which completely defeats this approach without any reconstructing work."

Yes, that might be true. Do these hooks exist for other browsers? What about other OSes?

"Security through vague obscurity and hope is no security at all. The only true way to get security is having some one-time or two-factor approach."

Way to miss the point. If you need to log in from your girlfriend's computer, you don't say "Sorry babe. No can do. I need to have two factor authentication." Instead you do the best you can.
From: (Anonymous)
2010-02-09 08:55 pm (UTC)

"Yes, that might be true. Do these hooks exist for other browsers? What about other OSes?"

Well, there's Zeus. It's a very common trojan, and it hooks IE and steals all your POSTs. There's also an addon for Firefox. It is Windows only AFAIK.

'If you need to log in from your girlfriend's computer, you don't say "Sorry babe. No can do. I need to have two factor authentication." Instead you do the best you can.'

I'm not going to go for the obvious here, but my girlfriend and her family's machines are squeaky clean. I've taught them all about the terrible things that can happen if these programs get on there, and I make it a point to check their machines occasionally.

Also, logging into anything even remotely important on a public terminal is ridiculous. And yes, your email is just about as important as it gets.

I don't know if you realize this, but your tone is somewhat condescending which is probably why you're getting so many negative comments.

"Way to miss the point."
"I don't believe it. At least not in an automated way."

You don't know everything, try to keep that in mind.
From: arvindn
2010-02-09 09:16 pm (UTC)

"I don't know if you realize this, but your tone is somewhat condescending which is probably why you're getting so many negative comments."

Ok. I believe you. I apologize.

Unfortunately, most of the time I have no idea how I'm coming across online except once in a while when someone tells me I'm being a dick.
From: (Anonymous)
2010-02-08 10:46 pm (UTC)

KeePass Two-Channel Auto-Type Obfuscation

KeePass Two-Channel Auto-Type Obfuscation http://keepass.info/help/v2/autotype_obfuscation.html
From: (Anonymous)
2010-02-09 12:18 am (UTC)

OTP

Seriously, if this is such a problem, use one-time passwords. They are a much better solution than this and if you happen to be using Linux, they can be integrated into everything easily.
From: arvindn
2010-02-09 02:53 am (UTC)

Re: OTP

Great, another comment that misses the point and provides a solution to a different problem.

Note that the article is titled "How to protect your password from keyloggers" and not "How your bank could have deployed a better authentication system."

Edited at 2010-02-09 03:03 am (UTC)
From: ephermata
2010-02-09 02:40 am (UTC)

Tech transfer & internal consulting in industrial research is one way to recognize these kinds of contributions (without any comment on whether that's happening or not in this case). That has its own ups and downs, but it does offer a way to encourage efforts that are not well recognized by traditional academic publication.
From: arvindn
2010-02-09 03:05 am (UTC)

Good point. Could you elaborate on what you mean by 'tech transfer'? Do you mean commercialization of research?
From: (Anonymous)
2010-02-09 07:10 am (UTC)

Alternative approach

Still more difficult for a keylogger to collect: mouse interactions.

Open a text editor. Type "The quick brown fox jumped over the lazy dog" (or whatever your preference is), then cut and paste the characters of your password from there. Good luck collecting that with a keylogger.

Worry more about the oncoming insufficiency of passwords as an authentication token.
From: arvindn
2010-02-09 07:19 am (UTC)

Re: Alternative approach

Cute.
From: sajith
2010-02-09 01:02 pm (UTC)

Re: Alternative approach

Remember the threatening letter Sir Henry Baskerville receives in The Hound of the Baskervilles? The sender had cut and pasted words from a newspaper. This kind of reminds me of that...

What prevents an attacker from snooping the clipboard?
From: (Anonymous)
2010-02-09 09:24 am (UTC)

time based logging

If the keylogger logs just keys + time, it will be much more effective.
From: http://www.google.com/profiles/matthewkwright
2010-02-11 01:06 pm (UTC)

academic publishing?

"Ironically, it is more useful to society than the vast majority of published papers."

Really? I don't mean to suggest that most published papers are making a major contribution to society, but even if this trick beats most keyloggers in practice (sure, you're outrunning the slow, not the bear) it's probably not going to help that many people. If it takes two dozen papers to come up with a more general solution that lots of people can use and gets built into OSes or browsers (makes everybody faster than the bear), then I would argue that each of those papers is a much better contribution than this poster. Of course, if this was really a good solution, the researcher *could* extend the work to something publishable -- at minimum with a user study.

In general, I would argue that there is very little in this world that can't be published if it has even limited potential utility. The requirement is that you demonstrate, with some amount of rigor (there is not a terribly high bar in our field), some of the properties that you claim (not all). Making something that actually gets used in the real world? Now that's a pretty high bar.
From: arvindn
2010-02-11 06:26 pm (UTC)

Re: academic publishing?

What I meant is that many, perhaps most papers end up proposing something that never gets adopted. Sure, you can't know except in hindsight if something will be adopted. But by being useful to even a fraction of users, this paper has had more of an impact than them.

"In general, I would argue that there is very little in this world that can't be published if it has even limited potential utility."

I find this to be patently false. Just a couple of days ago Dan and I were discussing how much time to spend on something that is unpublishable but has great potential to help the world.

You missed one major requirement of the publication process: cleverness, euphemistically termed 'novelty' in peer review. This ends up being an issue with almost every single paper in my experience: how to make something clever enough to be publishable. Unfortunately making something clever usually makes it more complex which actively hurts the real-world usefulness.

Edited at 2010-02-11 06:27 pm (UTC)