Jump to content
You are not logged in ▶️ Click to sign-up or login ×

Prevent Keyloggers From Grabbing Your Passwords

george

By george
in IT and Computers

 Share

Recommended Posts

george Legendary Member

george

Posted
Posted

Prevent keyloggers from grabbing your passwords

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

Fortunately, there's a way you can enter sensitive data so it's extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google's Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file.

Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

Windows' On-Screen Keyboard app is also logged

If you're using a computer you aren't sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:

* "I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there's no shortcut or link to it, so most people don't know it exists! You can launch it by entering osk in the Run command.

"Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured."

Kenneth's suggestion may be useful to prevent some types of hardware keyloggers from detecting signals from the physical keyboard. Unfortunately, the program provides no defense against software keyloggers. Windows' On-Screen Keyboard sends information to applications as keystrokes, just as though you'd pressed the keys on a keyboard.

The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor's site.)

Holes in anti-keylogging software protection

Another alternative that's often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can't vouch for them.

Anti-keylogging software — even if it were effective in its stated mission — wouldn't prevent your password from being intercepted by a hardware keylogger. The sad fact is, if a keylogger is deployed effectively, you can't detect whether a public or unsecured computer has a hardware or software keylogger — or any keylogger at all, for that matter.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the "revised Vesik method" for entering passwords:

* Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.

* Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)

* Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.

* Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.

* Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger's log file with a series of click events and characters. There's no easy way for the intruder to know which characters are your password and which are random.

The key is to select and gradually overtype gibberish characters with your actual password characters. Don't simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can't keep track of characters you select and overtype.

As Saxon points out, this method isn't foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don't use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.

However, most crooks are looking for "low-hanging fruit." They'll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don't conceal their passwords in noise, so keyloggers don't compensate for it.

If you have no choice but to sign in to a site on a PC you aren't sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.

Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend's PC.

-- windowssecrets.com 2009-09-10

Link to comment
Share on other sites
zzdocxx Gold Member

zzdocxx

Posted
Posted

Thank you, I know what you mean, where it says "https:" in the URL?

How about if it is not secure. For example, my hotmail account, the log in is not secure, just curious as to whether they could then read my email -- the pages don't appear to be secure either.

? ? ?

Thanks, not that big a deal really, but I always wondered about that when I was staying in a hotel.

:)

Link to comment
Share on other sites
stumonster Platinum Member

stumonster

Posted
Posted
Thank you, I know what you mean, where it says "https:" in the URL?

How about if it is not secure. For example, my hotmail account, the log in is not secure, just curious as to whether they could then read my email -- the pages don't appear to be secure either.

? ? ?

Thanks, not that big a deal really, but I always wondered about that when I was staying in a hotel.

:)

if it is not HTTPS the router and also anyone in the area sniffing wireless data will see it all in plain text - if you use gmail I would suggest logging in via https://mail.google.com

as for securely entering your password , you could open a page in another tab which has a lot of text , maybe a big wikipedia article and then copy and paste your password with letters obtained from it.

Link to comment
Share on other sites
Lopburi99 Gold Member

Lopburi99

Posted
Posted

I reluctantly had to stoop to the level of installing a keylogger on my first Thai wife's pc in the states when I was sure she was up to no good. OMG, I'll never forget first reading those emails she had been sending, one of which invited a guy into our own home while I was at work to "get to know her better".

The keyloggers definitely work. But think twice if you really want to use one.

Link to comment
Share on other sites
JAS21 Platinum Member

JAS21

Posted
Posted
Prevent keyloggers from grabbing your passwords

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

I use a programme called report..supplied free by the Royal Bank of Scotland...maybe worth a look... rbs.co.uk/repport ..I would welcome any comments on this programme

Link to comment
Share on other sites
Namphonny Senior Member

Namphonny

Posted
Posted (edited)
Prevent keyloggers from grabbing your passwords

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

I use a programme called report..supplied free by the Royal Bank of Scotland...maybe worth a look... rbs.co.uk/repport ..I would welcome any comments on this programme

I started using this programme - it is called Rapport - but found that it is not what it claims to be. I first downloaded it and installed it and thought that was enough but no, it sits there doing nothing until you start to program it with each individual web-site which is not only a pain but also slows the computer down considerably. In the end I got fed up and uninstalled it.

Edited by Namphonny
Link to comment
Share on other sites
mattcodes Advanced Member

mattcodes

Posted
Posted (edited)

As to protecting yourself from keyloggers if you ever find yourself at a vunerable or possibly vunerable public PC at thailand there are couple of steps you can do to help:

1) use the cursor keys (these are known as control keys) to move around a bit (many keyloggers fail to capture control keys). so if password is hellOnEarth type Earth then five left then Type On then four left then type Hll then two left and then type e (even if it does it might be enough to throw them at bit)

2) Combine the above by going to Programs --> Accessories and [Forget] and On screen keyboard to use a mix of clicking and keyboard presses. Most keyloggers do one or the other and since most are sending to bots they wont bother with mouse co-ordingates.

3) If suspected of being on a keylogged PC, changed passwords immediately when at a clean PC

4) Most thailand PC are infected with spyware before anyway explicitly installs a keylogger so don't bother unless its an emergency!

Edited by mattcodes
Link to comment
Share on other sites
CrossBones Silver Member

CrossBones

Posted
Posted (edited)
Prevent keyloggers from grabbing your passwords

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

Fortunately, there's a way you can enter sensitive data so it's extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google's Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file.

Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

Windows' On-Screen Keyboard app is also logged

If you're using a computer you aren't sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:

* "I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there's no shortcut or link to it, so most people don't know it exists! You can launch it by entering osk in the Run command.

"Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured."

Kenneth's suggestion may be useful to prevent some types of hardware keyloggers from detecting signals from the physical keyboard. Unfortunately, the program provides no defense against software keyloggers. Windows' On-Screen Keyboard sends information to applications as keystrokes, just as though you'd pressed the keys on a keyboard.

The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor's site.)

Holes in anti-keylogging software protection

Another alternative that's often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can't vouch for them.

Anti-keylogging software — even if it were effective in its stated mission — wouldn't prevent your password from being intercepted by a hardware keylogger. The sad fact is, if a keylogger is deployed effectively, you can't detect whether a public or unsecured computer has a hardware or software keylogger — or any keylogger at all, for that matter.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the "revised Vesik method" for entering passwords:

* Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.

* Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)

* Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.

* Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.

* Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger's log file with a series of click events and characters. There's no easy way for the intruder to know which characters are your password and which are random.

The key is to select and gradually overtype gibberish characters with your actual password characters. Don't simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can't keep track of characters you select and overtype.

As Saxon points out, this method isn't foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don't use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.

However, most crooks are looking for "low-hanging fruit." They'll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don't conceal their passwords in noise, so keyloggers don't compensate for it.

If you have no choice but to sign in to a site on a PC you aren't sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.

Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend's PC.

-- windowssecrets.com 2009-09-10

Buy a MAC or use Linux... avoid windows. There are many windows trojans you can attach to a file like a picture or movie, send it to someone and it secretly installs a keylogger and that program will email the keystrokes to the "hacker"

Dead easy to do, i used to wind my friends up when i was a kid using a program called subseven

These programs can do more than just record keystrokes the "hacker" can go through all your files and download them or change them, can even delete your windows directory.

These days there are "Bot Nets" which are like trojans but make your computer part of a network of infected computers. The hacker can do more or less what they want with your computer including it as a proxy server to commit fraud that looks like it was done by you. Your firewall wont puick them up because the infected computer initiated the TCPIP connection its not like someone is breaking INTO it. Typically the botnet will pretend to be a messenger program or skype or any other program that connects to the internet (there are many and you just wouldnt know you are infected)

Many of the pirate software packages you buy, especially pirated operating systems bought from places like Pantip are infected with Bot Nets.

AVOID USING WINDOWS

Its the only way to be sure.

Edited by CrossBones
Link to comment
Share on other sites
Veazer Silver Member

Veazer

Posted
Posted
Kaspersky virtual keyboard comes with their anti-virus and is specifically designed to avoid key loggers and very simple to use - activate with icon in Firefox next to search window.

Virtual keyboards are pretty worthless, many of the keyloggers take a low quality jpg with each mouse click. Then it's just a matter of scanning the screen caps for OSKs and watching what was clicked.

Link to comment
Share on other sites
mattcodes Advanced Member

mattcodes

Posted
Posted
Buy a MAC or use Linux... avoid windows. There are many windows trojans you can attach to a file like a picture or movie, send it to someone and it secretly installs a keylogger and that program will email the keystrokes to the "hacker"

This a typical MS bashing attitude, MS has many viruses and trojans because it has the largest market share in the desktop OS space and thus is a primary target for script kiddies and virus developers. Linux has it fair share of security bulletins in both kernel and user space and I'd estimate that most Linux fanboys believe they are secure when infact they are highly vunerable due to their ignorance and fanboy adoption tactics. OS X situtation is a little better but still are vunerable as any.

Avoid viruses by using a decent virus checker, if you dabble with pirate software at least ensure you have a verified and genuine OS base and virus checker installed.

Link to comment
Share on other sites
  • 8 months later...
welo Gold Member

welo

Posted
Posted (edited)

Neo's SafeKeys implements various methods to confuse key loggers while 'typing'. It requires the user to drag'n'drop the resulting password to the input mask.

I always thought drag'n'drop is basically a copy/paste operation and will be logged? But obviously it isn't, I don't think the developer has made such a simple mistake...

welo

EDIT: removed my original message because I hadn't read the article to the end :)

Edited by welo
Link to comment
Share on other sites
  • 2 months later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.






×
×
  • Create New...