How Can I Protect My Password When Using Public Access?

[Robski]

Basically I want to use internet banking and paypal whilst abroad, which will mean using public access PC's or a third party internet connection.

How can I protect my password against getting hijacked and my bank account cleared out?

Ok I have a basic idea, but it is just that, basic.

If I have a document on my computer or on a portable drive that contains my password, it could be any word in any innocuous article, and I copy & paste that into the password window, will that stop my password being detected by whatever spyware that may be lurking?

I have an Advent/MSI wind that I will be using, great machine and hopefully not too conspicuous when I'm out in the boonies,

however if that should get 'lost' I wouldn't want any traces of my password or key pattern left on it.

As I say that's pretty basic, there must be a more sophisticated way of doing things, perhaps a programme held on a portable flash drive that can help conceal my password and erase any trace of it after.

Any advice greatfully appreciated.

[Jingthing]

Picking up pasted in data is a common feature of many keyloggers. So, pasting in previously keyed items is not secure.

Edited October 24, 2008 by Jingthing

[think_too_mut]

Would not your bank have a "virtual keyboard" for log in?

That way you click, not type, the input is not consolidated in 1 string.

3 banks I have accounts with have that feature.

[DaveBKK]

Copying and pasting alone will not work. Also using the onscreen built-in windows keyboard will not work, as that routes through the keyboard driver (which the keylogger monitors)

But a basic trick you can use is to embed your password within a group of characters:

abfiahriaPASSanbbWORDbfainbfia

Paste that into the password box, and then highlight and cut the beginning, middle and end portions.

Note, your password must be random, else a snooper might figure out logically what your password is.

[kalaminsa]

Copying and pasting alone will not work. Also using the onscreen built-in windows keyboard will not work, as that routes through the keyboard driver (which the keylogger monitors)

But a basic trick you can use is to embed your password within a group of characters:

abfiahriaPASSanbbWORDbfainbfia

Paste that into the password box, and then highlight and cut the beginning, middle and end portions.

Note, your password must be random, else a snooper might figure out logically what your password is.

Anything that you send from the PC can easily be snooped ...

[sjaak327]

Google vista PE or Bart PE (for XP), basically Vista on a USB stick, providing that the internet shop has fairly recent computers, you could boot from that USB stick, this way you can be sure that there's no keylogger running in the operating system.

Vista PE, can be loaded with both IE7 and Opera fairly easy.

Regarding snooped data, surely your bank is using ssl, which encrypts the data you send over the wire. For added security, you could setup a vpn connection.

[torrenova]

If you copy and paste a string which has your password in it but delete by placing your cursor in the right place and not using the back or delete buttons it should not know which bit you deleted I presume ?

To be honest, I'd worry more about the people who have your money and inform them you will be away and using public computers. They should have more than enough security at their end.

[Jingthing]

If you copy and paste a string which has your password in it but delete by placing your cursor in the right place and not using the back or delete buttons it should not know which bit you deleted I presume ?

To be honest, I'd worry more about the people who have your money and inform them you will be away and using public computers. They should have more than enough security at their end.

I think most keyloggers would pick that up as well, the ones that record copy/paste data anyway, and that is not a hard thing to keylog.

[cobra]

To be honest, I'd worry more about the people who have your money and inform them you will be away and using public computers. They should have more than enough security at their end.

Agree,

As the complications of password masking schemes increase, the likelihood of failed log-ins will increase.

Usually more than two or three failed attempts per session will lock you out, necessitating re-verification, password reset, and /or interfacing in some manner with the institution, all adding delay and frustration.

The threat of key logging and other data harvesting is over blown, if your really worried about it after using a public pc (windows machine) clear the browser temp cache then power it down, normal shutdown will flush the paging file, etc.

How to Clear the Windows Paging File at Shutdown

View products that this article applies to.

Article ID : 182086

Last Review : February 27, 2007

Revision : 3.3

This article was previously published under Q182086

For a Microsoft Windows XP version of this article, see 314834 (http://support.microsoft.com/kb/314834/EN-US/).

SUMMARY

This article documents the method for clearing the Windows paging file (Pagefile.sys) during the shutdown process, so that no unsecured data is contained in the paging file when the shutdown process is complete.

Some third-party programs may temporarily store unencrypted (plain-text) passwords or other sensitive information in memory. Because of Windows virtual memory architecture, this information may be present in the paging file.

Although clearing the paging file is not a suitable substitute for physical security of a computer, you may want to increase the security of data on a computer while Windows is not running.

Edited October 24, 2008 by cobra

[JSixpack]

Last Pass will securely remember all your passwords, login for you with a click, and give you an onscreen keyboard to thwart keyloggers. Very convenient:

https://lastpass.com/

It has a portable version.

[tutone]

I've never had a problem. Make sure your log-in page is secure (https or ssl encryption). Make sure you log out when finished and you can also clear the history when you are finished.

[Crushdepth]

Download Password safe. Generates long random passwords for your and stores them in encrypted form. You just have to remember the password to the 'safe'. You can install it on a USB stick. It will also clear the clipboard automatically.

Best not to use internet cafes for anything important though.

[bartender100]

My bank ask's 3 different random questions, with only certain letters from each answer, nobody could work that out, i thought that most use a similar format, change your bank. Paypal is not so secure.

[sjaak327]

My bank has a very simple system, you login using a 8 digit code, which is generated by a device resembling a calculator, the calculator needs your ATM card with pincode.

the calculated code is good for one time and is useless for login the second time. So unless you loose both the calculator and your ATM card (+pin), there is no security issue. (and of course make sure you have a pishing filter running into your browser )

Edited October 25, 2008 by sjaak327

[waveydavey]

Probably safest to avoid the internet and stick to telephone banking