20 June 2007
The old Defending the Kingdom article on How to Foil Keyloggers is now considered out of date and unsafe for use. This article fixes the problem.
In early November, I described a method that would allow computer users to trick keyloggers (a keylogger is hardware or software that is capable of capturing a user’s keystrokes, including usernames and passwords, and sending them to someone else). The method, which involves burying your real password inside gibberish, helps to obscure your passwords from keyloggers when you have to use a public computer terminal for something important like banking or email. Since users of public terminals can’t know if a keylogger is installed, they should assume it.
Somewhat reassuringly, I recently found a Microsoft Research paper (pdf) by Cormac Herley and Dinei Florencio that describes how to evade keyloggers in almost identical terms. Herley and Florencio tested the method with five spyware programs (HomeKeylogger 1.70, GhostKeylogger, KGB-Keylogger, Spytector 1.2.8 and ProBot) and found that it fooled each of them. However, I’ve since realized that there is a potential flaw in the method, and a slightly more sophisticated keylogger could capitalize on it. Thankfully, there is an easy fix. For those who want to see the new method without any further explanation, it’s below. Read on past the description of the new method to get an understanding of why the new method is better than the old one.
Vesik method revised
- Suppose your password is Jk5pGHmY9
- Type three random characters into the password field (say, Wv5)
- With your mouse, highlight those random characters and type three more random characters right over them (say, aUJ). Repeat this step a few times (the more you repeat, the harder it is for someone looking at a log of your keystrokes to figure out your true password)
- Highlight the last portion of gibberish you typed and input a segment of your true password (say, pGH)
- Place your cursor to the left or right of the correct portion of your password and repeat steps 2 to 4
- Once your whole password is contained within the password field, click the “Submit” or “Log in” button
This is effective because a keylogger would register something similar to the following set of keystrokes:
click Wv5 click d3i click M%f click pGH click Opl click 37s click Jk5 click rF9 click 1N8 click mY9 click
Your true password is contained in those keystrokes, but neither a computer program nor a human looking at them would know which strokes are legitimate and which aren’t. Most thieves would move on to an easier target if they ran into a mess like this one. However, if the thief was persistent, he could probably find your true password by trial and error. But his chances for each attempt are low, at around 1 in 10 million.
These odds are great for you and bad for the bad guys, but if you don’t like them, just don’t use public terminals for important things!
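To make concrete why the revised method leaves a keylogger with an ambiguous record, here is an added Python model (not code from the original article) of a single-line password field with a cursor and a mouse selection, alongside the logger's view of the same events. The logger is assumed to record typed characters and mouse clicks only, which is the behaviour the article describes; the password Jk5pGHmY9 and the gibberish strings are the article's own sample values. Running the article's steps through the model yields exactly the log line shown above while the field itself ends up holding only the real password.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PasswordField:
    """Minimal model of a text field plus what a keystroke logger sees of it.

    Assumption (from the article): the logger records typed characters and
    mouse clicks, but not cursor position or what text was highlighted.
    """
    text: str = ""
    cursor: int = 0
    selection: Optional[Tuple[int, int]] = None   # highlighted span, if any
    log: List[str] = field(default_factory=list)  # the logger's record

    def click(self, position: int) -> None:
        """Mouse click inside the field: move the cursor, drop any selection."""
        self.cursor = max(0, min(position, len(self.text)))
        self.selection = None
        self.log.append("click")

    def select(self, start: int, end: int) -> None:
        """Mouse drag: highlight text[start:end]. The logger sees just a click."""
        self.selection = (start, end)
        self.cursor = end
        self.log.append("click")

    def type_chars(self, chars: str) -> None:
        """Typed text replaces the highlighted span, or inserts at the cursor."""
        if self.selection is not None:
            start, end = self.selection
            self.text = self.text[:start] + chars + self.text[end:]
            self.cursor = start + len(chars)
            self.selection = None
        else:
            self.text = self.text[:self.cursor] + chars + self.text[self.cursor:]
            self.cursor += len(chars)
        self.log.append(chars)

    def submit(self) -> str:
        """Click the Log in button: one more logged click, field content is sent."""
        self.log.append("click")
        return self.text


def run_revised_method() -> Tuple[str, str]:
    """Carry out the article's steps with its sample password and gibberish.

    Returns (what the field submits, what the logger recorded).
    """
    f = PasswordField()
    f.click(0)
    f.type_chars("Wv5")            # three random characters
    f.select(0, 3)
    f.type_chars("d3i")            # highlight and overwrite with more gibberish
    f.select(0, 3)
    f.type_chars("M%f")
    f.select(0, 3)
    f.type_chars("pGH")            # overwrite the last gibberish with a real segment
    f.click(0)                     # cursor to the LEFT of pGH, repeat the cycle
    f.type_chars("Opl")
    f.select(0, 3)
    f.type_chars("37s")
    f.select(0, 3)
    f.type_chars("Jk5")            # real first segment
    f.click(6)                     # cursor to the RIGHT of Jk5pGH
    f.type_chars("rF9")
    f.select(6, 9)
    f.type_chars("1N8")
    f.select(6, 9)
    f.type_chars("mY9")            # real last segment; password is now complete
    submitted = f.submit()
    return submitted, " ".join(f.log)


def typed_character_count(log_line: str) -> int:
    """Number of characters a logger captured, ignoring the click markers."""
    return sum(len(tok) for tok in log_line.split() if tok != "click")


if __name__ == "__main__":
    submitted, logged = run_revised_method()
    print("field submits  :", submitted)
    print("logger records :", logged)
    print("typed chars    :", typed_character_count(logged),
          "vs characters actually submitted:", len(submitted))
```

The point the model makes visible is that a positioning click and a highlight-and-overwrite click are indistinguishable in the log, so every three-character chunk looks the same to whoever reads it: 30 typed characters, ten chunks, and nothing marking which three chunks survived into the submitted field.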
What’s wrong with the old Vesik method?
In the old method, I advocated that you alternate between typing portions of your password in the password field and typing gibberish after clicking with your mouse on the Windows taskbar. The problem is that some keyloggers are capable of recording an event like “window focus changed from web browser to taskbar”. This would make it easy for a person looking at the keystrokes to know which were typed into the password field and which were decoys.
Limitations of the Vesik method
- If you enter your password more than once, you will likely use different gibberish strings while your actual password strings will remain the same. Thus, someone examining two login attempts might be able to pick out the consistent bits and conclude that those make up your actual password. To avoid this problem, only log in with the same password once.
- The keylogger could be working in tandem with a screen capture program. If the program took a time-stamped “photo” of the way the screen looked every time you typed a character, a human analyst might be able to figure out which keystrokes were relevant and which were decoys. However, a screen-capturing keylogger would consume tremendous computer resources and is therefore likely to be rare.
- If this method is adopted by many people, computer programs or human analysts could come up with clever ways of figuring out what keystroke bits are more likely to be from the real password and what bits are likely to be gibberish. At this point, though, there’s no reason to worry about this. Most people will remain unaware of how vulnerable their passwords are on public terminals and password thieves will continue to target them.
Read more about keyloggers