Defending The Kingdom

A friend and reader left some great questions in the comments section to a recent post. I’ve answered three of them today, and will answer the rest in a future post.

1) You mention that you change your online banking passwords every three months. What is your reasoning for doing this? If you have a high security password, is their an increased risk in it being broken the longer you keep using it?

I change my critically important passwords (banking and email) every three months just in case someone has figured them out. The biggest risk, as I see it, is from keyloggers. If keylogging software lodges itself in your computer even for a couple of days (in between virus scans, for example), it could steal your passwords and send them to a bad guy without tipping you off that anything is wrong.

2) Do you recommend having a different password for every different type of account you have? What are the risks in using the same password for multiple things?

I recommend having a different password for each of your important accounts. The risk of using the same password for everything is that someone who gets the password to one of your accounts gets access to all of them. Your bank probably does a good job of preventing people from getting into their databases, but shareyourpicswithfriends.com may not. If you were a hacker, how would you approach this problem, knowing that many people use the same password over and over?

Personally, I use the same password for accounts that would not cause me to weep if a criminal got access to them. I use distinct, strong, and frequently changed passwords for the rest.

3) I see the security threat in forgetting to logout of a email account, bank account, etc. at a public computer; someone could come on the computer after you and breach your privacy. Is there a threat of keeping accounts open for an extended period of time on a private computer?

I’m not very concerned about it. There is a danger that information sent from your computer to, say, your bank’s servers (and back again) is intercepted by some clever person, but there is little you can do about this. You can avoid wireless connections or avoid the internet completely, but most people (including me) would find this to be an unacceptable tradeoff.

Old Defending the Kingdom article on How to Foil Keyloggers now considered out of date and unsafe for use. This article fixes the problem.

In early November, I described a method that would allow computer users to trick keyloggers (a keylogger is hardware or software that is capable of capturing a user’s keystrokes, including usernames and passwords, and sending them to someone else). The method, which involves burying your real password inside gibberish, helps to obscure your passwords from keyloggers when you have to use a public computer terminal for something important like banking or email. Since users of public terminals can’t know if a keylogger is installed, they should assume it.

Somewhat reassuringly, I recently found a Microsoft Research paper (pdf) by Cormac Herley and Dinei Florencio that describes how to evade keyloggers in almost identical terms. Herley and Florencio tested the method with five spyware programs (HomeKeylogger 1.70, GhostKeylogger, KGB-Keylogger, Spytector 1.2.8 and ProBot) and found that it fooled each of them. However, I’ve since realized that there is a potential flaw in the method, and a slightly more sophisticated keylogger could capitalize on it. Thankfully, there is an easy fix. For those who want to see the new method without any further explanation, it’s below. Read on past the description of the new method to get an understanding of why the new method is better than the old one.

Vesik method revised

1. Suppose your password is Jk5pGHmY9
2. Type three random characters into the password field (say, Wv5)
3. With your mouse, highlight those random characters and type three more random characters right over them (say, aUJ). Repeat this step a few times (the more you repeat, the harder it is for someone looking at a log of your keystrokes to figure out your true password)
4. Highlight the last portion of gibberish you typed and input a segment of your true password (say, pGH)
5. Place your cursor to the left or right of the correct portion of your password and repeat steps 2 to 4
6. Once your whole password is contained within the password field, click the “Submit” or “Log in” button

This is effective because a keylogger would register something similar to the following set of keystrokes:

click Wv5 click d3i click M%f click pGH click Opl click 37s click Jk5 click rF9 click 1N8 click mY9 click

Your true password is contained in those keystrokes, but neither a computer program nor a human looking at them would know which strokes are legitimate and which aren’t. Most thieves would move on to an easier target if they ran into a mess like this one. However, if the thief was persistent, he could probably find your true password by trial and error. But his chances for each attempt are low, at around 1 in 10 million.

These odds are great for you and bad for the bad guys, but if don’t like them, just don’t use public terminals for important things!

What’s wrong with the old Vesik method?

In the old method, I advocated that you alternate between typing portions of your password in the password field and typing gibberish after clicking with your mouse on the Windows taskbar. The problem is that some keyloggers are capable of recording an event like “window focus changed from web browser to taskbar”. This would make it easy for a person looking at the keystrokes to know which were typed into the password field and which were decoys.

Limitations of the Vesik method

1. If you enter your password more than once, you will likely use different gibberish strings while your actual password strings will remain the same. Thus, someone examining two login attempts might be able to pick out the consistent bits and conclude that those make up your actual password. To avoid this problem, only login with the same password once.
2. The keylogger could be working in tandem with a screen capture program. If the program took a time-stamped “photo” of the way the screen looked every time you typed a character, a human analysist might be able to figure out which keystrokes were relevant and which were decoys. However, a screen capturing keylogger would consume tremendous computer resources and is therefore likely to be rare.
3. If this method is adopted by many people, computer programs or human analysts could come up with clever ways of figuring out what keystroke bits are more likely to be from the real password and what bits are likely to be gibberish. At this point, though, there’s no reason to worry about this. Most people will remain unaware of how vulnerable their passwords are on public terminals and password thieves will continue to target them.

20 June 2007 update: The method described below should be considered out of date and unsafe for use. Use the revised Vesik method instead.

Protecting your security on a home computer is not difficult. If you use a safe browser, scan for viruses and spyware frequently, and remember to scan before opening email attachments and downloaded files, you can feel safe when using your computer to bank, check email, and browse the web.

But what about the times when you need to use a a friend’s computer or a public computer in an internet café, library, or airport? You have no idea if the computer has been kept well and is safe to use. In fact, in many (if not most) of the internet cafés I’ve been to, the computers are visibly convulsing with virus and spyware activity.

For the most part, it would be wise to avoid doing anything other than browsing the web on such public computers. However, sometimes you just have to check your email or bank statement or conduct some other form of business that you’d rather keep private. In those cases, you should take extra precautions, particularly against keyloggers that are capable of recording and later abusing your username and password information.

How keyloggers work

First, I’ll explain how keyloggers work. Keyloggers monitor every keyboard keystroke and mouse click you make and try to ferret out personal and lucrative information such as passwords and Social Insurance Numbers (or Social Security Numbers in the United States). It’s not hard. Consider the following cross-section of keystrokes that a keylogger might capture:

www.google.com (click) ponies (click) white ponies (click) ponies Vancouver Canada (click) www.hotmail.com (click) jenny984@hotmail.com (tab) fido (click) Hi Grandma, thanks for the birthday gift. I hope you and Grandpa are doing really well right now… (click)

In the above set of keystrokes, the user started by doing a Google search for ponies, then logged into hotmail, and started writing a letter to her Grandmother. It’s pretty obvious that her username is “jenny984@hotmail.com” and her password is “fido”. An added bonus is the knowledge that the user probably lives in Vancouver, Canada. Both a human being or computer program looking at this data set would have an equally easy time finding this sensitive information.

The Vesik method

A very clever friend of mine (after whom the method is named) suggested a strategy that would make it difficult for a human or computer looking at the results gathered by a keylogging program to determine what an individual’s password is.

To foil a keylogger, follow these steps:

1. Enter your username into the appropriate field
2. Click on the password field, and enter half of your password (for Jenny, this would be “fi”)
3. Click on the taskbar (the bar, usually on the bottom of your screen, that shows the Windows Start button and all of the windows you have open)
4. Enter a short string of gibberish, click on the taskbar again, and enter more gibberish (here’s a nice example of gibberish: “gqmk (click) dl55”)
5. Click on the password field once again, placing your cursor to the right of the half completed field
6. Complete your password
7. Click on the taskbar once again and type a little more gibberish, clicking on the taskbar in between gibberish strings
8. Click “Submit” to submit your username and password to be verified

Now, if there is a keylogger monitoring your keystrokes, it might see something like this:

www.google.com (click) ponies (click) white ponies (click) ponies Vancouver Canada (click) www.hotmail.com (click) jenny984@hotmail.com (tab) fi (click) gqmk (click) dl55 (click) do (click) ap (click) obr5 (click) Hi Grandma, thanks for the birthday gift. I hope you and Grandpa are doing really well right now… (click)

A computer program sifting through this data would probably report that “fi” is the password. Or it could indicate that “gpmk” or “dl55” or “gpmkdl55” or “figpmkdl55doapobr5” is the password. They all look like possible passwords, but none of them is the actual password.

A human looking at the data would have the same problem, but might be able to catch on to the technique being used. Still, he wouldn’t know which string or strings of password-like text make up the real password. Let’s suppose that a human sifts through the data, realizes that the Vesik Method is being used, and decides to try all the possible combinations in order to find the right one. With 6 strings of password-like text (that could be used on their own or in combination with the others), there are just under 2,000 possible passwords.

Because higher security websites (especially online banking websites) will deactivate a user’s ability to login after 5 or so false tries, it is extremely unlikely that your account would be compromised. Websites with fewer security precautions would be easier to crack by entering all 2,000 possibilities, but you have much less to lose in these cases. Check the security policy of each website with which you wish to use this method before logging in.

Also, it’s worth noting that all but the most determined thieves would likely just move on to an easier target – one who failed to disguise his password in any way – rather than bother with your accounts.

An important caveat

If you login to the same website multiple times (or different websites with the same password), a human looking at the results of a keylogger would probably be able to figure out what your real password is by comparing both login attempts. The reason is simple: the password characters you enter will remain the same across both attempts but the gibberish you type in will probably change. If you want to prevent this kind of detective work from having any effect, type the same gibberish each time or only use your password once on the same public computer.

Happy surfing!