Assume that all computers that aren't yours are keylogged. When I must enter a password into an untrusted machine, I use the mouse to help me. My passwords are long non-words that I know well, so I type part of the password, mouse to a different location, type some more, mouse some more, etc. (1) This should defeat keyloggers and screen picture captures (if the password is starred) but still wouldn't defeat an out-and-out video of my session combined with keylogging. I figure that last scenario is a whole lot more rare.
1) My usual technique is to type the last three chars, mouse to the beginning of the field, type the next to last 3, mouse to the beginning, next 3 repeat till done.
While defense in depth is never wrong, please be aware that even moderately advanced trojans will simply capture the contents of any form fields in most browsers. Neither your "skipping" technique, nor (partially) using an on-screen-keyboard will help against that.
Using a second factor for authentication provides some extra security, but a well-configured trojan might intercept your logout request, display a fake logout confirmation and store your session data for their botmaster to peruse.
If you need to regularly use untrusted machines (and have access to usb ports or a cd drive), you could bring a hardened browser with you. That should defeat most "Man-in-the-Browser" tricks. Or, even better, a live CD or USB drive. At this point, you should still assume your keyboard and screen to be compromised, but the OS should be safe enough to cautiously use.
In this scenario, if I log in to my own server, and I control the login on the remote end, I set it up to support one-time passwords. It would be nice if this were something that could be set up by default for credentials.
Maybe this should be a feature request to the web-app devs?
Some services like Gmail allow you to sign out all other sessions from a session. So in the case of logging out from an unsecured computer, you log out as normal and then immediately sign out all sessions from your mobile device. It's a bit like a two-factor logout to go with your two-factor authentication.
We have a winner. When I try to explain keylogging to them, they assure me that the vendor is first rate thanks to the money we pay and the webmail security is "unbreakable" on our system.
This is news? For grins and giggles I booted a live image of the Norton recovery/scan tool on a hotel business center machine, and the thing had viruses that had been detected and cleared 6 years earlier. Not to mention it was running XP, and that version of XP wasn't patched at all (there was a service that was blocking Windows Update; the PC couldn't actually get to the Microsoft IP addresses). I pointed it out to the management, got yelled at for booting a different OS, and got a surly 'promise' to have their 'IT guy' look at it.
I've also found machines at VRBO rentals that were compromised. So far I've not found any that had their wireless routers replaced with MiTM routers but I expect that isn't too far down the road.
Beware, also, of public WiFis. Even the ones that are not open. Beware, actually, of connecting to any network where you don't know all of the devices you can communicate with directly. Ancient attacks such as ARP or DNS spoofing still work, by and large. It's surprising how few people are actually aware of them.
VPNs aren't as much of a pain as you might think. I like Cloak on OS X and iOS (https://www.getcloak.com/). Or some home routers even come with VPN servers built in.
Sure, it's a paid product, but you get to run 2 concurrent users for free and you can use any of the Amazon datacentres and any of the instance types… t2.micro's are just fine for quite a large number of users.
And in practice, exit nodes are extremely untrustworthy. I just recently had one providing self-signed certificates for HTTPS. Someone was up to no good.
The endpoint site. Then I hit reload and it was gone. SSLStrip probably would have been more effective. But, yeah, I think the people using Tor to provide "security" for an insecure wifi are making a huge mistake.
However, as "Who is surprised!" has become a standard meme in security/privacy related threads, I want to point out a few things that may be interesting:
- the actual extent of the threat (numbers?)
- the extent to which the general public has come to terms with this problem
- the reactions around the web and proposed solutions ("use this kiosk linux distro")
- discussion of similar/related threats (like "also watch for public wifi")
Note that a keylogger is a completely different threat than modern identity-theft malware.
A keylogger just "logs" keystrokes, either locally or remotely, for later use. While this is a valid threat, using two-factor authentication basically makes this a non-issue. On the other hand, malware that targets specific login fields is usually smart enough to also steal session cookies, or with most banking trojans, inject requests into your live browser session.
The latter is used to literally transfer money in/out of your account, or make automatic purchases, while you browse the web. There is no protection from these trojans. If you're infected, you're fucked. The only thing 2FA saves you from here is repeated attacks once your session expires. (Luckily I've never personally seen a trojan like this built for Linux, but that's just a matter of time/market share.)
I am starting to think that security people should stop using the term "keylogger" altogether. It is unhelpful, and downright dangerous.
When people read "keylogger" they often envision malware which sits there and grabs your keystrokes, so then people assume (see posts elsewhere in this HN thread even) that using on-screen keyboards or jumping back and forth between fields saves them.
Classical literal "keyloggers" are now mostly gone. Grabbing a long series of keystrokes is extremely hard to automatically utilise (which is the goal now). Instead malware will either inject itself into the TCP/IP stack, HTTP stack, or directly into the browser (most popular) itself to steal credentials after the form is submitted but before it is encrypted and sent over the network.
The advantage to the "bad guys" of doing things this way is that they get contextual information (e.g. form name, form destination URL, as well as username/password). Once you have login information AND contextual information you can automate it entirely and ignore a lot of stuff you aren't interested in (e.g. steal Google accounts, but ignore Hacker News accounts).
Other than spouses spying on one another or a parent spying on their kid, a "keylogger" is pretty much dead in the classical sense. No organised crime gang wants a few gigabytes of keystrokes they have to sort through in order to get to the good stuff.
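The contrast drawn above (and the caret-jumping trick from the top of the thread), worked through as an added example that is not code from the thread: a model of a password field with a caret, a keystroke hook that records keys in time order, and a submit hook standing in for code injected into the browser. The login URL and credentials are constructed for the demo.

```javascript
// Added example (not from the thread): what a keystroke logger and a
// browser-injected form grabber each end up with for the same login.

class PasswordField {
  constructor() {
    this.value = '';   // what the field actually contains
    this.caret = 0;    // insertion point
    this.keylog = [];  // what a keystroke hook records, in time order
  }
  // Type characters at the caret; each one is a keystroke event.
  type(chars) {
    for (const ch of chars) {
      this.keylog.push(ch);
      this.value = this.value.slice(0, this.caret) + ch + this.value.slice(this.caret);
      this.caret += 1;
    }
  }
  // Mouse click at the start of the field: moves the caret, emits no keystroke.
  clickStart() {
    this.caret = 0;
  }
}

// The thread's scheme: type the last 3 chars, click to the start, type the
// next-to-last 3, click to the start, ... until the whole password is in place.
function typeScrambled(field, password) {
  let end = password.length;
  while (end > 0) {
    const start = Math.max(0, end - 3);
    field.clickStart();
    field.type(password.slice(start, end));
    end = start;
  }
}

// Minimal form. Submit hooks stand in for Man-in-the-Browser code, which runs
// after the user submits and before the request is TLS-encrypted.
class LoginForm {
  constructor(action) {
    this.action = action;
    this.user = '';
    this.pass = new PasswordField();
    this.hooks = [];
  }
  onSubmit(fn) { this.hooks.push(fn); }
  submit() {
    const payload = { action: this.action, user: this.user, pass: this.pass.value };
    for (const fn of this.hooks) fn(payload);
    return payload;
  }
}

// Form grabber: captures the fields together with their context (destination
// URL), which is what makes the loot usable without sorting through keystrokes.
function installFormGrabber(form, loot) {
  form.onSubmit(p => loot.push({ url: p.action, user: p.user, pass: p.pass }));
}

function demo() {
  const loot = [];
  const form = new LoginForm('https://mail.example.com/login'); // hypothetical URL
  installFormGrabber(form, loot);
  form.user = 'alice';                          // constructed sample credentials
  typeScrambled(form.pass, 'mypassword');
  form.submit();
  return {
    keylogged: form.pass.keylog.join(''),       // scrambled: 'ordsswypam'
    fieldValue: form.pass.value,                // 'mypassword'
    grabbed: loot[0],                           // full password plus login URL
  };
}

console.log(demo());
```

The keystroke log is a permutation the attacker would have to guess at; the form grabber gets the exact field value and the URL it was sent to, regardless of how the characters went in.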
Bank of America seems to have protection against this type of threat. If you have 2FA enabled, via text to mobile, there is a 2FA test on first login on a new computer. But they also have an extra 2FA protecting everything that would allow an attacker to transfer money out of the account. Adding a new bill pay payee, changing the address or account info on a payee, and any external wire transfer all require a new 2FA code to be sent and entered every time, no matter what the device.
I still wouldn't login to them, or any other financial account, on an untrusted device, though.
Those are very bland and generic criticisms that can equally be leveled at many other authentication schemes.
Does this sqrl improve on the existing security offered by alternatives? Likely not. It just offers convenience and keeps many of the existing downsides.
Honestly 2/3 of those criticisms can be leveled at ANY single-sign-on scheme (Facebook, Google, Microsoft, etc). And the password reset issue would be trivial to engineer around.
So using it to explain why sqrl is a bad idea is a little confusing, are Google accounts also a bad idea?
The downside is that smartphones are pretty terrible in terms of security. Lose your smartphone and you give away the keys to everything. Given how easily phones are stolen, that's a pretty bad single point of failure. With my laptop, I can use a password manager together with full-disk encryption with a decent password. That beats this suggestion hands-down.
A smartphone isn't any less secure than a laptop... I could say "lose your laptop and you give away the keys to everything" just as you said the same for a smartphone... It's up to the user to decide what security they put on their devices. On iPhone at least, everything is really well encrypted out of the box. Most people don't put passwords on their laptops either.
Most people don't put passwords on their laptops either.
I don't know about most. Certainly many people do, and it's fairly convenient to have one.
On the other hand, the input capabilities of smartphones are so limited that I find it hard to imagine finding anybody - even otherwise computer-savvy people - whose smartphone data is encrypted using a reasonably secure keyphrase.
Smartphones are arguably exposed to theft risk in more scenarios than laptops are, and the security on a smartphone is generally weaker than on a laptop (at least one with whole-disk encryption).
At the end of the day, as you said, phones are easier lost and stolen, but there is barely a difference now in the functionality of security between a phone, laptop, and desktop; they're all the same. Now, for convenience, many users don't bother having a password on their phone. That's not functionality though, that's just how a user has decided to protect their phone's content...
Thanks for sharing, looks interesting.
It somewhat reminds me of Bitauth[0], they share the concept of the user signing his stuff. The difference being that there's no need of third party (the bitcoin like network of public keys).
Thanks for pointing it out, it looks great... Any known downsides to this approach? (well, apart from needing a mobile platform which now serves as your access repository)
You don't actually need a mobile at all. You could have this run as a browser plugin, but the point of having SQRL on a mobile is that it's separate from what you're trying to log in with, if that makes sense.
Since people are mentioning their workarounds, I will share mine.
I often have to print something from my email from untrusted computer (boarding pass, some documents, etc). When it's possible, I save the thing to print to PDF, upload to S3 and make a memorable short URL using bit.ly. Whenever possible, works very smoothly :)
To add to the collection of work-arounds posted here, most hotels seem to have reasonably modern/common printers. Often, they are connected to the untrustworthy hotel PC by a USB cable. It seems faster to unplug the printer from the hotel PC and install drivers on one's own laptop than it is to figure out how to gain access to the hotel's crappy computer. Hotel printers connected to hotel computers via Ethernet/WiFi also likely have working USB ports, so one could simply bring his own cable with a "B" plug. I'm sure there are ways a malicious person could install rogue printer firmware, etc., but the likelihood of such threats existing in the wild is 1/1000th that of the sum total likelihood of evil existing on hotel PCs.
I suppose the relevance of my entire comment hinges on the presumption that anyone reading HN only uses hotel PCs for printing stuff. Valid?
It is very hateful of the hackers to put keyloggers on the hotel PCs. However, there are some real and legal keyloggers, and you have to pay for them. I have used Micro Keylogger. Before I bought it, I had compared many keyloggers. Except for slight differences, many of them work the same way. However, Micro Keylogger is the cheapest as well as the most full-featured. After having tried the free trials of various keyloggers, I chose Micro Keylogger. It is really a good choice at present.
http://download.cnet.com/Micro-Keylogger/3000-2162_4-7537529...
Related story: When I was in high school the library computers had a filtering firewall that blocked a lot of useful content. If you needed access you'd have to ask someone with the password to turn it off for your computer. That was annoying so we installed key loggers to get the password for ourselves. One of my friends ended up buying a hardware key logger that was even easier than trying to bypass the install protection software they used. Sometimes we'd leave the logger on all day just to see what we'd get. There were lots of email and AIM logins.
That doesn't have to be true. Many good systems support VLANs and subnets (OpenVPN style) per client, though you'll rarely encounter networks like this.
I'd also like to chip in here and say keep an eye out for loan laptops. My HDD broke down and I received a loan laptop while they fix mine.
While installing Go, I found Prey Anti-Theft on my HDD. Nice little bit of camera snapping, location and such. Was never told about it, which also annoyed me.
In short, if it's not your machine, assume it's compromised.
LiveUSBs FTW.
If you're worried about keyloggers, you should also be concerned with other types of spoofing, even on machines you control (by software you do not).
If you're building a website, you can help mitigate keyloggers with One Time Password support, eg login via cellphone app (which doesn't have to have a signal but can store a million random codes a la the RSA dongle) unless that's somehow patented - is it?
But fake auth forms are equally egregious. For this, you simply need the user to enter (or receive) a relatively unique (1 in 10,000) phrase or icon that they remember when signing up. Then show this phrase when one of your input fields in your domain security context (iframe or popup) is focused. There is no way for other websites to grab that phrase or icon, and therefore the user is trained to check that YOUR field on YOUR domain is the one receiving keyboard focus.
I once wrote a letter to Steve Jobs saying that iOS should also have something similar: the system dialogs where you enter your admin username and password to authorize something should show you a familiar phrase or icon which userland apps can't screenshot, similar to how they protect copyrighted video. But he never replied or implemented it.
After all, Vista did it by darkening the screen... Any app can do that!
In response to the hardware keylogger comments. Aren't those fairly expensive? I can't imagine they would be used very often except in targeted attacks against specific computers.
While that's a noble question, you might as well ask why can't the universe simply not advance to its entropic heat death... or why cars and homes are still sold with locks on the doors.
Windows has a Guest account that automatically resets the profile when logging off, erasing any software keyloggers etc. Likewise you can look at processes using Task Manager or Process Explorer.