I was thinking about the same problem over on Stack Overflow one day (http://stackoverflow.com/questions/1997692/remote-login-in-a-browser). Unfortunately, no one took an interest in my idea and I still don't know how to implement it.
The solution you describe seems far easier and as effective ...
HARP ON... this was awesome
From: (Anonymous) 2010-02-08 08:43 pm (UTC)
It won't work
Unfortunately, keyloggers remember the application to which input is sent. I.e. it will distinguish between keyboard input to iexplore and msword. So it will filter all typing to msword (bunch of input) since it is not relevant (less interesting).
In your case your password will be split into several strings but still contain the password.
Noise around keyboard input for the same application works
From: arvindn 2010-02-08 08:51 pm (UTC)
Re: It won't work
Apparently you missed the part where I said they already tested the existing keyloggers and confirmed that it works. Also, why don't you read the post again -- nowhere does it say to give focus to different applications.
From: (Anonymous) 2010-02-08 09:54 pm (UTC)
Re: It won't work
I've personally worked with and created key loggers (not what I do, but what I've done). Storing context (i.e. which application has focus) is vital to sorting out what information to track.
From: (Anonymous) 2010-02-08 10:46 pm (UTC)
Re: It won't work
You can both be right. If we're talking about typing a PW into a web form, then clicking on a different tab would show as input to the same process.
From: arvindn 2010-02-08 10:51 pm (UTC)
Re: It won't work
Wow, you're not even trying to listen to what I'm saying. That's great that you've created a keylogger yourself. Again, the point is not to give focus to different applications, but to give focus to different areas on the same web page within the same application.
From: (Anonymous) 2010-02-08 11:02 pm (UTC)
Re: It won't work
This is an old trick, and some software based keyloggers do account for it. However, it is pretty effective, and I recommend it.
From: (Anonymous) 2010-02-09 07:16 pm (UTC)
Re: It won't work
If you're using a keylogger that's GUI aware, it shouldn't matter if you're in the same app, same window, same tab, or whatever. The context of each GUI element (text box, window, button, icon, scrollbar) is unique, and generally available to the OS, which means keypresses could be logged against each GUI id. If your app is drawing its entire screen every time this may be different, but that's rare (I don't know what FLASH reveals to the OS, for example).
That said, if the keylogger is dumb, or uses BIOS or system calls rather than being GUI aware, then, great, go confuse it. The article indicates that this would be effective against most keyloggers, and I've got no reason to disbelieve them, but I expect the keyloggers could write workarounds rather quickly.
If this hack can protect your password from keyloggers, then pulling out is an acceptable birth control technique
Personally, whenever I login from an unsecure place (like a cyber cafe or a public computer), I make sure I change my password(s) once I'm back to my own computer.
Heh. Your <sarcasm> tag showed up in my notification email but since you didn't escape your brackets it got lost in the html. I assume you didn't intend that to happen.
From: (Anonymous) 2010-02-08 09:29 pm (UTC)
Can't the key loggers detect mouse clicks as well? (If so, going outside the text box and coming back can be detected)
I have seen that many websites now use onscreen keyboards where you have to enter the password using mouse clicks. How secure is that?
"Can't the key loggers detect mouse clicks as well? (If so, going outside the text box and coming back can be detected)"
Yes, that was one of the examples of workaround and counter-workaround I had in mind. If you strictly alternate outside-the-box and inside-the-box clicks, then the keylogger can tell where you are. But if you do n iterations of outside-the-box for every iteration of inside-the-box (n = 1/2/3, randomly picked), then you will still beat the keylogger.
"I have seen that many websites now use onscreen keyboards where you have to enter the password using mouse clicks. How secure is that?"
Good question. The paper discusses onscreen keyboards, but I didn't look at that part.
From: (Anonymous) 2010-02-08 09:29 pm (UTC)
I always use the mouse as well
I always make it a habit to type random numbers or letters, select them with the mouse and type over them and repeat a few times. Sometimes I even copy and paste (with the mouse) parts over each other. I then finally stumble across the correct password or card number. This method is an overkill but is a bit of a habit now.
From: (Anonymous) 2010-02-08 10:08 pm (UTC)
what could you do in case of "dos" / ssh windows
Hi, do you have any idea how to thump keyloggers in the case where you are logging in to your ssh account (for example, you have a dos shell open)?
From: arvindn 2010-02-08 10:18 pm (UTC)
Don't use passwords!
"all current keyloggers fail against this technique"
That's rubbish.
Running an email service (http://www.fastmail.fm), I see dropbox accounts that have data from keyloggers sent to them (we always close these if we find them).
I can tell you that in most cases, they would have got this fine. All the emails I've seen with keylogger data are streams of events including keyboard data, mouse clicks, focus changes, application launches, etc. It's not too hard to put the data back together.
On top of that, I've seen some which hook in at lower levels and include the data for IE form posts for pages with password fields (http and https), which completely defeats this approach without any reconstructing work.
Security through vague obscurity and hope is no security at all. The only true way to get security is having some one-time or two-factor approach.
Since we're well aware of this at FastMail, we implement one-time passwords, sms passwords, and yubikey authentication mechanisms. We also allow these to be set up as "restricted" logins. If you use one of these, then you can't delete anything in your account while logged in, so even if somehow your session is hijacked, while information can be taken, no damage can be done.
"All the emails I've seen with keylogger data are streams of events including keyboard data, mouse clicks, focus changes, application launches, etc. It's not too hard to put the data back together."
I don't believe it. At least not in an automated way.
"On top of that, I've seen some which hook in at lower levels and include the data for IE form posts for pages with password fields (http and https), which completely defeats this approach without any reconstructing work."
Yes, that might be true. Do these hooks exist for other browsers? What about other OSes?
"Security through vague obscurity and hope is no security at all. The only true way to get security is having some one-time or two-factor approach."
Way to miss the point. If you need to log in from your girlfriend's computer, you don't say "Sorry babe. No can do. I need to have two factor authentication." Instead you do the best you can.
From: (Anonymous) 2010-02-09 08:55 pm (UTC)
"Yes, that might be true. Do these hooks exist for other browsers? What about other OSes?"
Well, there's ZeuS. It's a very common trojan, and it hooks IE and steals all your POSTs. There's also an addon for Firefox. It is Windows only AFAIK.
'If you need to log in from your girlfriend's computer, you don't say "Sorry babe. No can do. I need to have two factor authentication." Instead you do the best you can.'
I'm not going to go for the obvious here, but my girlfriend and her family's machines are squeaky clean. I've taught them all about the terrible things that can happen if these programs get on there, and I make it a point to check their machines occasionally.
Also, logging into anything even remotely important on a public terminal is ridiculous. And yes, your email is just about as important as it gets.
I don't know if you realize this, but your tone is somewhat condescending which is probably why you're getting so many negative comments.
"Way to miss the point." "I don't believe it. At least not in an automated way."
You don't know everything, try to keep that in mind.
"I don't know if you realize this, but your tone is somewhat condescending which is probably why you're getting so many negative comments."
Ok. I believe you. I apologize.
Unfortunately, most of the time I have no idea how I'm coming across online except once in a while when someone tells me I'm being a dick.
From: (Anonymous) 2010-02-08 10:46 pm (UTC)
KeePass Two-Channel Auto-Type Obfuscation
KeePass Two-Channel Auto-Type Obfuscation http://keepass.info/help/v2/autotype_obfuscation.html
From: (Anonymous) 2010-02-09 12:18 am (UTC)
OTP
Seriously, if this is such a problem, use one-time-passwords. They are a much better solution than this and if you happen to be using Linux, they can be integrated into everything easily.
Great, another comment that misses the point and provides a solution to a different problem.
Note that the article is titled "How to protect your password from keyloggers" and not "How your bank could have deployed a better authentication system."
Edited at 2010-02-09 03:03 am (UTC)
Tech transfer & internal consulting in industrial research is one way to recognize these kinds of contributions (without any comment on whether that's happening or not in this case). That has its own ups and downs, but it does offer a way to encourage efforts that are not well recognized by traditional academic publication.
Good point. Could you elaborate on what you mean by 'tech transfer'? Do you mean commercialization of research?
From: (Anonymous) 2010-02-09 07:10 am (UTC)
Alternative approach
Still more difficult for a keylogger to collect: mouse interactions.
Open a text editor. Type "The quick brown fox jumped over the lazy dog" (or whatever your preference is), then cut and paste the characters of your password from there. Good luck collecting that with a keylogger.
Worry more about the oncoming insufficiency of passwords as an authentication token.
From: arvindn 2010-02-09 07:19 am (UTC)
Re: Alternative approach
Cute.
From: sajith 2010-02-09 01:02 pm (UTC)
Re: Alternative approach
Remember the threatening letter Sir Henry Baskerville receives, in The Hound of the Baskervilles? The sender had cut and pasted words from a newspaper. This kind of reminds me of that...
What prevents an attacker from snooping the clipboard?
From: (Anonymous) 2010-02-09 09:24 am (UTC)
time based logging
If the keylogger logs just keys + time, it will be much more effective.
"Ironically, it is more useful to society than the vast majority of published papers."
Really? I don't mean to suggest that most published papers are making a major contribution to society, but even if this trick beats most keyloggers in practice (sure, you're outrunning the slow, not the bear) it's probably not going to help that many people. If it takes two dozen papers to come up with a more general solution that lots of people can use and gets built into OSes or browsers (makes everybody faster than the bear), then I would argue that each of those papers is a much better contribution than this poster. Of course, if this was really a good solution, the researcher *could* extend the work to something publishable -- at minimum with a user study.
In general, I would argue that there is very little in this world that can't be published if it has even limited potential utility. The requirement is that you demonstrate, with some amount of rigor (there is not a terribly high bar in our field), some of the properties that you claim (not all). Making something that actually gets used in the real world? Now that's a pretty high bar.
From: arvindn 2010-02-11 06:26 pm (UTC)
Re: academic publishing?
What I meant is that many, perhaps most papers end up proposing something that never gets adopted. Sure, you can't know except in hindsight if something will be adopted. But by being useful to even a fraction of users, this paper has had more of an impact than them.
"In general, I would argue that there is very little in this world that can't be published if it has even limited potential utility."
I find this to be patently false. Just a couple of days ago Dan and I were discussing how much time to spend on something that is unpublishable but has great potential to help the world.
You missed one major requirement of the publication process: cleverness, euphemistically termed 'novelty' in peer review. This ends up being an issue with almost every single paper in my experience: how to make something clever enough to be publishable. Unfortunately making something clever usually makes it more complex which actively hurts the real-world usefulness.
Edited at 2010-02-11 06:27 pm (UTC)