
Got it from a Google+ post.

https://plus.google.com/103943309878727777440/posts/DCdBqZX3...

====================

remember this url: https://accounts.google.com/sesame . next time you want to check your gmail on a public computer, don't trust even the incognito window because an installed keylogger can record your keystrokes, which unsurprisingly, include your password. use your phone to scan the QR code on the sesame web page and hit the resultant url -- the desktop browser will automagically redirect to your logged-in gmail without entering your password. yes, i think you do need an android phone with a properly configured google account for this to work.

====================



I've always been scared about keyloggers in internet cafés or public computers in universities/hotels. I really wonder if there's a way around it. Especially since, if you can scan this with your cellphone, it assumes you have internet on your cellphone.


Here's a trick: as you are typing in your l/p, click somewhere on the screen to defocus the textbox and then type some random characters and then click back on the textbox. And also type random characters into the textbox, and then select them with the mouse and overwrite them with correct characters. Do this a bunch. Almost all keyloggers just log all key strokes, then people scan for stuff that looks like "john@example.comLkd98/x,". There's still the chance that your internet cafe has a more sophisticated logger on it. But if you do this you've made a real step to fight keyloggers in internet cafes.


This, along with copying a character from the clipboard, won't defeat most keyloggers. The only kind you would be fooling would be a hardware keylogger. Your best bet is two step authentication.


Care to explain why it wouldn't defeat most keyloggers? My knowledge of this is that when you look at the log created by the keylogger you just see a bunch of keystrokes but you have no way to tell if they were typed in the same field.

The two step identification doesn't work if you don't have internet on your phone right?


If I was writing one I'd just be logging posted form fields with a transparent proxy, almost seems easier than a key logger.


Except that doesn't work if the form posts to an HTTPS URL. You'd have to implement something at the browser level, e.g. installing a modified browser or a browser extension.


It is possible to perform a MITM attack on HTTPS when you can install any certificates you want in the web browser.


For Google, I turned on two-factor authentication. They provide an iOS/Android/Blackberry app that acts like a SecurID (provides a different security code every 30 seconds).

The phone app could also be used for your own projects. It supports multiple accounts and either manual or QR-code based configuration.

Google provides a PAM module so you can add 2-factor auth to ssh. And it is easy to implement the standard on the server side, if you want to add 2-factor auth to your web app.

For more info, see:

http://code.google.com/p/google-authenticator/


google also offers two-factor authentication


I switched from Gmail to FastMail partly because they offer neat features like one-time passwords. (Two-factor auth with SMS - which FM also has - is nice but not always convenient/possible.)

You choose a "base password" (different from your master password) and it then generates 100 one-time passwords that you can print out and put in your wallet. So to login, the password you enter is "<base password><one-time password>". Works great. You can also make it restricted so that one-time logins can't delete anything, or change any options.


Gmail supports 2-factor authentication as well: http://support.google.com/accounts/bin/static.py?hl=en&t...

It works by requiring your normal password, plus a one time password that can either be SMS'd to your phone, generated by an Android app, or one on a list that you've pre-printed and keep in your wallet.


Cool, didn't know you could pre-print lists. I think I prefer the FastMail way though. With Google, as I understand it, 2-step authentication is either on or off; you have to use it all the time, or not at all. (Application-specific passwords are an exception but not relevant to the issue with keyloggers and public computers.) With FM, you can always sign in with just your master password, _or_ totallydifferentpassword+one-time-password (and you can have multiple sets of alternative logins).

I don't want to deal with 2-step authentication on devices I trust (e.g., my encrypted laptop). I could switch it on and off every now and then, but with Google I'd always be typing my normal password (for me, generated by KeePassX and impossible to memorize) when doing the 2-step thing, right?


The "Remember me" feature works normally. There's a "remember this computer for 30 days" option that sets a cookie on the computer so that you aren't prompted for the one-time password again, just your regular one (if "Remember me" is turned off).


I actually really like this idea of a one time password being equivalent to a remembered session based on a cookie.

You get read only access with your OTP, and if you want to do something destructive or otherwise important, log in again with stricter authentication.

Making all of your account available all of the time from one basic login seems like quite a bad idea for a sensitive account.


You can sign in without username and password to OpenID-enabled sites with your smartphone and Mepin: https://www.mepin.com/


> i think you do need an android phone with a properly configured google account for this to work.

Works fine on my iPhone with RedLaser to scan the QR. It just redirects to Safari which "remembers" my login info.


Also works fine with Google's iOS app.


> yes, i think you do need an android phone with a properly configured google account for this to work.

That's not the case. Presumably accessing the QRCode generates a single use URL, which you can access in the computer browser. There is no client side logic.

(Also, Google generally ships stuff on both iOS and Android)

(Also, it goes against Google's interest to restrict Google account features to Android)


This works just fine from my Windows Phone.


> There is no client side logic.

There has to be some, though. I.e. you have to be logged in to Google on your phone.


Naw, you can technically scan this link w/ another laptop using its webcam.


Works fine on my windows phone; remembers my login info from IE.


That seems particularly open to abuse.

Couldn't I just link someone to a copy of the QR code and be automagically logged in as them?


It raises an approval screen on the phone. It says

By proceeding, you give another computer access to the following accounts: * blah@gmail.com

STOP! Only proceed if you arrived at this page by scanning a login barcode at google.co. Otherwise, do not proceed!

(start with GMail) (start with iGoogle)


Ah, I see. Thanks for adding that info


There's a bright highlighted warning that says "STOP! Only proceed if you arrived at this page by scanning a login barcode at google.com. Otherwise, do not proceed!"

Will users read the warning? I would—and did—it really grabs your attention, given that its background is yellow and takes up so much of the iPhone screen.

I suppose there are probably other safeguards as well, given that this is Google—maybe timed expiration?


I left the page open and, after I finished reading comments on HN (a minute or two), the page gave me this popup dialog:

[Alert] Login session has expired. Press Ok to reload.
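The comments above work out, between them, what such a QR login must look like: a single-use URL, an approval screen on the already-logged-in phone, and expiry after a minute or two. The following is an added toy model of that flow written from those observations; it is not Google's code, and the TTL, the binding of the token to the browser that started the flow (which is what stops a copied QR code being redeemed from someone else's browser) and every name in it are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 120  # assumed; the thread only observed "a minute or two"


class QrLoginBroker:
    """Hypothetical server side of a QR-code login (not Google's design)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so expiry can be tested
        self.pending: Dict[str, dict] = {}  # token -> state

    def start(self) -> Tuple[str, str]:
        """Called by the untrusted public browser. Returns the token that goes
        into the QR URL and a secret the browser keeps in a cookie, so only
        the browser that started the flow can redeem the approval."""
        token = secrets.token_urlsafe(32)
        browser_secret = secrets.token_urlsafe(32)
        self.pending[token] = {"created": self.now(),
                               "browser": browser_secret, "user": None}
        return token, browser_secret

    def approve(self, token: str, phone_user: str) -> bool:
        """Called when the logged-in phone opens the scanned URL and the
        user gets past the STOP/proceed screen."""
        state = self._live(token)
        if state is None:
            return False
        state["user"] = phone_user
        return True

    def redeem(self, token: str, browser_secret: str) -> Optional[str]:
        """Polled by the public browser: hands out the account exactly once,
        only after approval, only to the browser holding the matching secret."""
        state = self._live(token)
        if state is None or state["user"] is None:
            return None
        if not secrets.compare_digest(state["browser"], browser_secret):
            return None
        del self.pending[token]  # single use: a second redeem fails
        return state["user"]

    def _live(self, token: str) -> Optional[dict]:
        state = self.pending.get(token)
        if state is not None and self.now() - state["created"] > TOKEN_TTL_SECONDS:
            del self.pending[token]  # "Login session has expired"
            return None
        return state
```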


This + 2 Factor-Authentication = Pretty Damn Secure.


But those two are different things. They are not complementary (from what I understand).


I assume it is valid for only a short period like the code generated from the Google Authenticator app.



