Ask HN: How to protect yourself against keyloggers?
7 points by drexlspivey 9 months ago | 7 comments
While I am by no means a security expert, I try to follow good security practices as much as I can. I use unique passwords with a password manager, I use SSH keys for logging in to any remote machine and I use PGP to encrypt any sensitive files on my machine.

However, none of these will protect you against a keylogger. Ultimately your keys/passwords will be protected by a password. I understand that if your system is compromised it's pretty much game over, but what are some good practices to protect yourself against a keylogger?

One reasonable practice can be to use multi-factor authentication when gaining access to services that you use. MFA will allow you to take advantage of one-time passwords coupled with unique passwords managed by a password manager.

On a related note, what's the best way to test if my mechanical keyboard from China isn't logging everything I type and selling it to the highest bidder?

The 'best' way is to carefully log all of your network traffic and investigate any weird outbound traffic. There are automated tools that can help with this, but at the end of the day, you're going to be going through individual outbound connections and figuring out what's sketchy versus what's okay.

This gets really complicated because it's very easy for skilled people to hide data in legitimate looking data transfers.
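Added example, not part of the comment above: one way to cut a connection log down to the outbound connections worth reading by hand, by keeping only process/destination pairs that never appeared in a known-good baseline. The log format, the process name `kbd-helper` and all addresses are constructed for illustration; as the comment notes, data hidden inside legitimate-looking transfers will not show up this way.

```python
from collections import defaultdict

# Constructed sample logs: time, process, destination, bytes sent (hypothetical format).
BASELINE = """\
2019-01-07T09:00:01 proc=firefox dst=198.51.100.10:443 bytes_out=1800
2019-01-07T09:05:12 proc=ntpd dst=192.0.2.123:123 bytes_out=48
2019-01-08T10:11:40 proc=firefox dst=198.51.100.10:443 bytes_out=2400
"""
OBSERVED = """\
2019-01-10T09:00:03 proc=firefox dst=198.51.100.10:443 bytes_out=2100
2019-01-10T09:02:00 proc=kbd-helper dst=203.0.113.77:443 bytes_out=310
2019-01-10T09:07:00 proc=kbd-helper dst=203.0.113.77:443 bytes_out=295
2019-01-10T09:12:00 proc=kbd-helper dst=203.0.113.77:443 bytes_out=322
2019-01-10T09:30:00 proc=ntpd dst=192.0.2.123:123 bytes_out=48
"""

def parse(log):
    """Yield (process, destination, bytes_out) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            yield fields["proc"], fields["dst"], int(fields["bytes_out"])
        except (ValueError, KeyError):
            continue  # missing key or non-numeric byte count

def review_queue(baseline, observed):
    """Return (process, destination, connections, total_bytes) not seen in the baseline."""
    known = {(proc, dst) for proc, dst, _ in parse(baseline)}
    stats = defaultdict(lambda: [0, 0])
    for proc, dst, sent in parse(observed):
        if (proc, dst) not in known:
            stats[(proc, dst)][0] += 1
            stats[(proc, dst)][1] += sent
    # Largest senders first: these are the connections to inspect manually.
    return sorted(((p, d, n, b) for (p, d), (n, b) in stats.items()),
                  key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for proc, dst, count, total in review_queue(BASELINE, OBSERVED):
        print(f"{proc} -> {dst}: {count} connections, {total} bytes out")
```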

The keyboard itself won't be able to send anything over the network. A malicious keyboard driver could, but it doesn't have anything to do with the hardware component. Well, technically the keyboard could broadcast the recorded keystrokes via WiFi or Bluetooth, granted it has additional hardware built-in, but that would make things significantly more difficult for the attacker.

Then the secure behaviour would be to refuse installation of any driver but the standard ones. Is it possible?

Use zero-width characters in your passwords to fool the attacker ^_^

In all seriousness, I think many applications won't handle that correctly and you will probably lock yourself out a lot.
