Vesik method revised

Logging into Facebook using the Vesik method

Old Defending the Kingdom article on How to Foil Keyloggers now considered out of date and unsafe for use. This article fixes the problem.

In early November, I described a method that would allow computer users to trick keyloggers (a keylogger is hardware or software that is capable of capturing a user’s keystrokes, including usernames and passwords, and sending them to someone else). The method, which involves burying your real password inside gibberish, helps to obscure your passwords from keyloggers when you have to use a public computer terminal for something important like banking or email. Since users of public terminals can’t know if a keylogger is installed, they should assume it.

Somewhat reassuringly, I recently found a Microsoft Research paper (pdf) by Cormac Herley and Dinei Florencio that describes how to evade keyloggers in almost identical terms. Herley and Florencio tested the method with five spyware programs (HomeKeylogger 1.70, GhostKeylogger, KGB-Keylogger, Spytector 1.2.8 and ProBot) and found that it fooled each of them. However, I’ve since realized that there is a potential flaw in the method, and a slightly more sophisticated keylogger could capitalize on it. Thankfully, there is an easy fix. For those who want to see the new method without any further explanation, it’s below. Read on past the description of the new method to get an understanding of why the new method is better than the old one.

Vesik method revised

  1. Suppose your password is Jk5pGHmY9
  2. Type three random characters into the password field (say, Wv5)
  3. With your mouse, highlight those random characters and type three more random characters right over them (say, aUJ). Repeat this step a few times (the more you repeat, the harder it is for someone looking at a log of your keystrokes to figure out your true password)
  4. Highlight the last portion of gibberish you typed and input a segment of your true password (say, pGH)
  5. Place your cursor to the left or right of the correct portion of your password and repeat steps 2 to 4
  6. Once your whole password is contained within the password field, click the “Submit” or “Log in” button

This is effective because a keylogger would register something similar to the following set of keystrokes:

click Wv5 click d3i click M%f click pGH click Opl click 37s click Jk5 click rF9 click 1N8 click mY9 click

Your true password is contained in those keystrokes, but neither a computer program nor a human looking at them would know which strokes are legitimate and which aren’t. Most thieves would move on to an easier target if they ran into a mess like this one. However, if the thief was persistent, he could probably find your true password by trial and error. But his chances for each attempt are low, at around 1 in 10 million.

These odds are great for you and bad for the bad guys, but if don’t like them, just don’t use public terminals for important things!

What’s wrong with the old Vesik method?

In the old method, I advocated that you alternate between typing portions of your password in the password field and typing gibberish after clicking with your mouse on the Windows taskbar. The problem is that some keyloggers are capable of recording an event like “window focus changed from web browser to taskbar”. This would make it easy for a person looking at the keystrokes to know which were typed into the password field and which were decoys.

Limitations of the Vesik method

  1. If you enter your password more than once, you will likely use different gibberish strings while your actual password strings will remain the same. Thus, someone examining two login attempts might be able to pick out the consistent bits and conclude that those make up your actual password. To avoid this problem, only login with the same password once.
  2. The keylogger could be working in tandem with a screen capture program. If the program took a time-stamped “photo” of the way the screen looked every time you typed a character, a human analysist might be able to figure out which keystrokes were relevant and which were decoys. However, a screen capturing keylogger would consume tremendous computer resources and is therefore likely to be rare.
  3. If this method is adopted by many people, computer programs or human analysts could come up with clever ways of figuring out what keystroke bits are more likely to be from the real password and what bits are likely to be gibberish. At this point, though, there’s no reason to worry about this. Most people will remain unaware of how vulnerable their passwords are on public terminals and password thieves will continue to target them.

Read more about keyloggers

26 Comments »

  1. Comment by tom — 21 June 2007 @ 3:39 pm

    “Most thieves would move on to an easier target if they ran into a mess like this one. ”
    This is a key point– you’re never going to completely get rid of crime.. the best you can do is make it so hard to attack you that they’ll go after someone else. It’s kind of a ‘beggar thy neighbour’ solution, but it’s the only thing anyone can do.

  2. Comment by Ian Saxon — 21 June 2007 @ 8:34 pm

    Tom, you’ve got it exactly right.

  3. Comment by Mike Terner — 23 June 2007 @ 7:25 am

    Hm… It is a rather interesting method, but I prefer using anti-keyloggers:) If anyone too, you are welcome to visit http://www.anti-keylogger.org site. But I must say that you did a good job,Tom! Well done!

  4. Comment by Ian Saxon — 23 June 2007 @ 9:41 am

    Mike, the reason I didn’t mention anti-keylogging programs is that they are only effective against software based keyloggers. A hardware based keylogger (perhaps inside the keyboard or between the connection to the keyboard and computer) will not be impeded by a software solution.

    Admittedly, software based keyloggers are probably much more prevalent than hardware based keyloggers because the former is so much cheaper and can be installed with extreme ease. Still, the Vesik method has value in that it beats both types of keylogger most of the time. That’s important when you’re working on a completely unfamiliar computer.

  5. Comment by Computer Grrl — 23 June 2007 @ 10:07 pm

    I hate keyloggers!

  6. Comment by Kaili — 11 July 2007 @ 9:11 am

    Rather than highlighting and retyping only the gibberish, you could even highlight portions of the actual password as well. Then you wouldn’t have a series of strings that are either part of the password or gibberish, but rather a series of strings where each may or may not contain a substring of the correct password.

  7. Comment by Ian Saxon — 12 July 2007 @ 4:28 pm

    Kaili, that’s a really good idea. I’m sure that has some strange and wonderful effects on the probability of the Vesik method getting broken. Any ideas?

    Ian

  8. Comment by Paige — 12 July 2007 @ 9:07 pm

    what happens when your computer stores your user name, for example when you go to log into email you type the first 2 letters of your name and the computer fills in the rest. then you tab to get to the password box and type in the password… what does a keylogger see then?

    go mypassword

    or: gohome@hotmail.com mypassword

    ?

  9. Comment by Paige — 12 July 2007 @ 9:20 pm

    that should read:

    go TAB TAB mypassword

    or:

    gohome@hotmail.com TAB TAB mypassword

  10. Comment by Kaili — 3 August 2007 @ 4:03 pm

    Oh my, Ian… that’s a probability question I dare not tackle on short notice. Maybe I’ll ponder it for a while. :)

  11. Comment by some one — 1 January 2009 @ 11:54 am

    What do you think about the comparison of different methods to avoid keyloggers at http://kyps.net/home/comparison ???

  12. Comment by Ian Saxon — 2 January 2009 @ 1:48 am

    Interesting. The part that says “spyware can record the network traffic that leaves the public computer” makes me wonder if the Vesik method could be easily defeated. I suppose it depends on whether keylogging software can strip the contents out of the username and password fields after the user hits “submit” and before the data becomes encrypted.

    I like the idea of KYPS, although you have to trust that the owners of the website are not stealing your passwords. Besides that, KYPS requires that you have access to a non-compromised computer when you want to create new codes, which may not be an option for everyone.

  13. Comment by Gerry — 10 September 2009 @ 10:30 pm

    Many thanks for this method. This has been a problem I’ve been pondering for a while.

    Question. Instead of keying in any real parts of the password, how about beforehand pulling up some web page with a lot of characters on it and copy and pasting certain characters from that web page (using mouse clicks of course)? Of course, some decoy characters should still be typed and some “overlaying” done. However, because some of the real characters are not being typed but are being copied and pasted, the keylogger should not capture them.

    Granted, if the keylogger is working with a screen capture program, then this method would also be vulnerable. However, if the computer being used has a screen capture program running, then even if the user is able to securely enter their ID and password to an email/banking/etc site, anything the user views on that site is at risk of being compromised.

  14. Comment by Ian Saxon — 10 September 2009 @ 10:44 pm

    Gerry, modern keyloggers are capable of recording the contents of cut and paste operations, so that technique probably doesn’t have any added benefits.

  15. Comment by Paul Aussie — 11 September 2009 @ 7:48 am

    Hi Ian
    Thanks for the great ideas. Good to see people trying solve this prob or at least reduce it.
    The only problem I have with this method is that many password boxes insert dots or astericks into the box. This obviously makes it difficult to remember where each character is located and can result in failed logon attempts.

  16. Comment by Ian Saxon — 11 September 2009 @ 7:51 am

    Paul, I agree. It’s definitely a downside to using the method.

  17. Comment by Dave — 11 September 2009 @ 11:39 am

    Ian,
    Could the secure website just publish an on screen keybord and let you use mouse clicks? It could also randomly move the keyboard for each character to avoid recording the position of the mouse clicks and someone trying to figure out the pw by pattern. I am not sure if this would be effective if someone was using screen capture.

    The other thought I had was to use DDNS to keep track of a home/company based PC for VPN connection. Use that PC to run a script or Master Password program that would enter the Username and Password for you to the website. After you are done you could disable the VPN or somehow have a program reset your VPN password to the next on a list you create. Or some variation of that method.

    Man o Man how I hate black hats!

    What are your thoughts?

  18. Comment by Ian Saxon — 11 September 2009 @ 12:07 pm

    @ Dave: Onscreen, online keyboards are reasonably secure, especially if the order that the numbers appear onscreen is random (it’s probably not necessary to change the order after each mouseclick, although it wouldn’t hurt). As you say, though, a screencapture program could probably defeat that if it’s set to capture the screen contents after every mouseclick. Some appear to be capable of such tactics.

    Re your second idea: you have to trust the computer you’re on in order to set something like that up! And if you trust your computer, password entry is not much of a problem.

  19. Pingback by Austoon Daily » Vesik method revised — 11 September 2009 @ 10:34 pm

    […] Vesik method revised Old Defending the Kingdom article on How to Foil Keyloggers now considered out of date and unsafe for use. This article fixes the problem. Comments (0) […]

  20. Pingback by Und wieder was gelernt ;-)))) « winITPro — 14 September 2009 @ 12:22 am

    […] Saxon mit dem schönen Namen „Defending the Kingdom“ umsehen. Dort wird auch die „Vesik-Methode“ vorgestellt, die deutlich mehr Sicherheit bieten kann — allerdings auch mit deutlich […]

  21. Comment by Trevor H. — 14 September 2009 @ 8:59 am

    An aspect I think you’re neglecting is to change passwords often, possibly by rotating them on various dates. This means the logged keys will have little if any value to the logger. The fear of logging is really about using the same old keys for too long. if one has to use a non-persoanl PC then changing the login data a.s.a.p after that event makes perfect sense, doesn’t it?

  22. Comment by Ian Saxon — 14 September 2009 @ 9:23 am

    @Trevor: Good point. Changing your password after you’ve entered it insecurely is a fine idea. That and the Vesik Method are ways to reduce, not eliminate, your vulnerability. But suppose you’re on the road for an extended period of time or you have to change your password while using an insecure PC – the Vesik Method could be the best option available.

  23. Comment by Gerry — 26 September 2009 @ 11:35 am

    Thanks Ian for clarifying that copy-and-paste is not secure.

    In a recent article in the Windows Secrets Newsletter ( http://windowssecrets.com/2009/09/24/01-More-tricks-to-evade-keyloggers-on-public-PCs ), the following software was mentioned and worked well when I tested it with Firefox (supposedly it does not work with Opera): Alpin Software’s Neo’s SafeKeys 2008 ( http://www.aplin.com.au/?page_id=368 ). According to its description, it does not use copy and paste to transfer the password. Also note the feature (under Mouse Mode) which allows characters to be selected by just hovering over them and also turns the cursor into a small grey dot! Plus, there is no charge for this software, although a donation is asked for. Might this be another solution? Of course, even if it is, no technique can be counted on to be secure indefinitely.

  24. Pingback by Natwest beats the keyloggers | Defending The Kingdom: Security and Privacy in Your Digital Life — 2 January 2010 @ 12:29 am

    […] online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever […]

  25. Comment by Joseph — 17 January 2010 @ 7:59 am

    I’ve received a lot of visit from Las Pinas, Philippines which are coming in via two sites: the first one is called blackhatbootcamp_comslashblogslashscTOPSITES; the second one is besome1dotinfoslashTOPSITES. The moment I read “black hat” I became alarmed because I know that usually means the operator will use unscrupulous and even malicious methods to get visitors and money. I’d like to know more about them, and block their visits if possible. The last thing I need is some creep corrupting my site, and spamming my readers. I have hundreds of articles on my site, many from authors who have their url listed in the by-line of their articles. This could be why I’ve been getting trolled-the offenders maybe attempting to harvest the domain names. My site host has yet to even respond to my query about safety protocols they have in place to prevent scalping and harvesting, I do have anti-virus and anti-malware software protection on my computer but the more knowledge I have the better I am able to protect myself and my readers.

  26. Comment by Hardware keylogger — 23 December 2010 @ 2:08 am

    @Ian Saxon:
    It’s not a good idea to change password after using other computer.
    The think is that how we detect and save our key stroke from key logger.Because both hard ware and software based key logger is commonly installed at public based pc like internet cafe.

RSS feed for comments on this post. TrackBack URI

Leave a comment