

How to protect your password from keyloggers - randomwalker
http://arvindn.livejournal.com/123183.html

======
bensummers
Or use two factor authentication with a hardware token. Some are very cheap,
eg YubiKeys. <http://www.yubico.com/>

~~~
chmike
Thanks for the link. I'm still trying to understand how it works. From what I
understood so far, it emulates a keyboard and emits keystrokes. How would this
protect against a keylogger? Same password everywhere? Symmetric key
encryption? Did I miss something? It doesn't look very attractive so far.
The security principle is quite obscure and makes it look like another snake oil
security product.

------
ajross
Or just keep all your passwords in an encrypted file and cut-and-paste them
instead of typing them. If you generate a new, random one for every site (and
you should) this is actually the simplest usage.

Of course, that doesn't prevent the key logger from lifting your master
passphrase for that file, but at least it will defeat an automated attack from
seeing your bank password based on network traffic and key presses. If your
hardware is actually compromised like that, there's only so much security you
can get from "best practices".

~~~
djcapelis
In the 90s people made plenty of prototypes of keyloggers that would do a
screen capture whenever it detected a copy operation.

There are many little tricks that will lift you above low hanging fruit and
likely allow you to avoid an untargeted attack. They are of limited use given
generally all of them can be defeated if the attacker bothers to care.

The author notes that this work is unpublishable. The reason for that is this
type of work doesn't truly move us forward and simply provides another step in
a cat and mouse game. Most of these things have also been known for years.

------
statictype
In college, some of our computers in the lab were old AIX Unix machines with
character-mode logins. I was able to duplicate that login screen with a
program that would write the password to a file in my directory, then give an
error message, log out and present the normal login screen. Users would think
they typed their passwords incorrectly and then log in again. It was naive of
me because anyone who was on to me could have just killed the program and
gotten access to my home directory.

After realizing how easy this was, I always made it a point to try and
terminate the login screen, whenever I sat down at the console.

------
pyre
I've seen people claim that there are keyloggers out there that also log
things like focus changes (with the title of the window that lost/gained
focus). I've never looked much into it (I believe it was only a comment on /.
some years ago). In that case, the keylogger would be able to sort out that
you were typing garbage characters, though I suspect that this doesn't really
scale to massive keylogging dragnets. It _is_ a cause for concern if you think
that someone is targeting you though.

------
stingraycharles
Or, you might as well use something more sophisticated like KeePass:

<http://keepass.info/>

You will never actually type any passwords anymore (except perhaps your master
password, which can be a signature file too), so no keys to log.

You can find the Firefox plugin here:

<http://keefox.org/>

~~~
pyre
> _cept perhaps your master password, which can be a signature file too_

What you really want to do is have two factors of authentication. (i.e. a
signature file and a password) Otherwise, it only takes a single compromise to
lose your passwords (i.e. you are trading the risks of a password being stolen
for the risks of a signature file being stolen).
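An added illustration of the two-factor point above, not code from the thread or from KeePass: a simplified composite-key derivation that needs both a password and a key file, so that a compromise of either factor alone does not unlock the database. The combination scheme, the salt, the key-file bytes and the password are all constructed for this example and do not reflect KeePass's actual file format.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs (not from any real database): a fixed salt and a
# stand-in for the contents of a key file on disk.
SALT = bytes.fromhex("8f3b2c9d1e4a6b7c0f1d2e3c4b5a6978")
KEYFILE = bytes(range(64))          # pretend this is the key file's contents
PASSWORD = "correct horse battery staple"

def composite_key(password: str, keyfile: Optional[bytes], salt: bytes,
                  iterations: int = 100_000) -> bytes:
    """Derive one 32-byte key from two independent factors.

    Each factor is hashed on its own, the digests are concatenated and hashed
    again, and the result is stretched with PBKDF2. An attacker holding only
    one factor still faces the full entropy of the other.
    """
    pw_digest = hashlib.sha256(password.encode("utf-8")).digest()
    kf_digest = hashlib.sha256(keyfile).digest() if keyfile is not None else b""
    composite = hashlib.sha256(pw_digest + kf_digest).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)

def make_verifier(key: bytes) -> bytes:
    """Tag stored beside the database so an unlock attempt can be checked
    without storing the key itself."""
    return hmac.new(key, b"composite-key-verifier", hashlib.sha256).digest()

def unlock(password: str, keyfile: Optional[bytes], salt: bytes,
           verifier: bytes) -> bool:
    """Return True only if both factors reproduce the stored verifier."""
    candidate = make_verifier(composite_key(password, keyfile, salt))
    return hmac.compare_digest(candidate, verifier)

# Verifier written when the (constructed) database was created.
VERIFIER = make_verifier(composite_key(PASSWORD, KEYFILE, SALT))

def demo() -> dict:
    """Which combinations of factors unlock the constructed database."""
    return {
        "both_factors": unlock(PASSWORD, KEYFILE, SALT, VERIFIER),
        "password_only": unlock(PASSWORD, None, SALT, VERIFIER),
        "keyfile_only": unlock("", KEYFILE, SALT, VERIFIER),
        "password_wrong_keyfile": unlock(PASSWORD, b"\x00" * 64, SALT, VERIFIER),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'unlocked' if ok else 'denied'}")
```

Only the first case unlocks; a keylogged password without the key file, or a copied key file without the password, is denied.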

