Prevent keyloggers from grabbing your passwords

Home

Newsletter

Search

Reviews

Polls

Contact

This issue

Library

Upgrade

Preferences

Unsubscribe

Windows Secrets Newsletter • Issue 213 • 2009-09-10 • Circulation: over 400,000

Free download — update all your drivers
DriverCure automatically and instantly updates all your out-of-date drivers and software. This results in a fully optimized PC that runs fast and error-free. DriverCure was developed by a team of over 100 professionals with the goal of a user-friendly application that accomplishes the crucial task of keeping your system up-to-date. Download DriverCure now and update your PC in under 2 minutes!
DriverCure

Table of contents
TOP STORY: Prevent keyloggers from grabbing your passwords
WACKY WEB WEEK: Trade in your hops for grapes … fun will follow
LANGALIST PLUS: Reset your BIOS so USB keyboards work on boot-up
IN THE WILD: Hackers exploit FTP flaw in Microsoft's IIS
PATCH WATCH: New Web-based attacks target Windows Media holes

ADS

Make your PC run like new
Tired of your unstable and crashing PC? Looking for a permanent solution for your dysfunctional XP? Don't compromise — get our new, state-of-the-art technology. Reimage requires no setup and causes no loss of data or applications. This is the ultimate professional repair tool, which works like "magic," according to eWeek. Get a free Reimage PC booster with every scan. Try it now!
Reimage

Get Windows and tech news daily
Replenish your mind with tech excellence! Visit the Infopackets site right now and get your daily fix of Windows news, reviews, tech tips, plus freeware goodies daily. Bonus: join our mailing list today and you'll also receive our highly coveted Top 10 Tech Reports, including PC Security Essentials, Windows Optimization Secrets, Top Freeware Antivirus Reviewed, MS Office Alternatives, and more.
Infopackets Windows Newsletter

See your ad here

TOP STORY

Prevent keyloggers from grabbing your passwords

By Scott Dunn

Strong passwords are important, but even the best password won't keep you safe from keyloggers — hardware and software that's designed to secretly record your keystrokes.

Fortunately, there's a way you can enter sensitive data so it's extremely difficult for snoops to extract your passwords from keylogger files.

In her Aug. 6 Top Story, WS contributing editor Becky Waring reported that Google's Gmail service allows hackers to try to guess your password 1,200 times per day. She provided some useful tips for making strong passwords that are easy to remember but hard to crack.

The bad news? Even the strongest passwords can be recorded by keyloggers. These are software and hardware products designed to capture computer events and store them in a log file.

Keyloggers can have legitimate uses in business, or they can be perverted into collecting passwords for identity theft. For more information on how these products work, see my Oct. 9, 2008 review of free software keyloggers.

Windows' On-Screen Keyboard app is also logged

If you're using a computer you aren't sure is keylogger-free, how do you protect any passwords to sensitive Web accounts you may need to access? A reader named Kenneth recently submitted the following suggestion:

"I use a simple existing tool in Windows called osk.exe (On-Screen Keyboard). This program, as you may know, resides in the C:\WINDOWS\system32 directory, but there's no shortcut or link to it, so most people don't know it exists! You can launch it by entering osk in the Run command.

"Anytime I need to log in to any sensitive sites (banking, etc.), I launch osk.exe first and use this on-screen keyboard to click and enter my user name and password, even on my own home computer. This way, I feel confident that my credentials can never be captured."

Kenneth's suggestion may be useful to prevent some types of hardware keyloggers from detecting signals from the physical keyboard. Unfortunately, the program provides no defense against software keyloggers. Windows' On-Screen Keyboard sends information to applications as keystrokes, just as though you'd pressed the keys on a keyboard.

The first keylogger program I tested with the OSK workaround — All in One Keylogger from RelyTec — easily captured my keystrokes as I signed in to a Web site. (For more information about the All in One program, see the vendor's site.)

Holes in anti-keylogging software protection

Another alternative that's often touted to protect your passwords is to use anti-keylogging software. The Antispy Software site lists several such products, but I can't vouch for them.

Anti-keylogging software — even if it were effective in its stated mission — wouldn't prevent your password from being intercepted by a hardware keylogger. The sad fact is, if a keylogger is deployed effectively, you can't detect whether a public or unsecured computer has a hardware or software keylogger — or any keylogger at all, for that matter.

The universal defense against password snoops

Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.

Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the "revised Vesik method" for entering passwords:

Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.
Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)
Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.
Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.
Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.

This procedure clutters the keylogger's log file with a series of click events and characters. There's no easy way for the intruder to know which characters are your password and which are random.

The key is to select and gradually overtype gibberish characters with your actual password characters. Don't simply type some garbage, backspace over it, and then enter your real password. Most keyloggers compensate for backspacing but can't keep track of characters you select and overtype.

As Saxon points out, this method isn't foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don't use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.

However, most crooks are looking for "low-hanging fruit." They'll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.

Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don't conceal their passwords in noise, so keyloggers don't compensate for it.

If you have no choice but to sign in to a site on a PC you aren't sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.

Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend's PC.

Contributing editor Scott Dunn is the co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

Table of contents

BONUS DOWNLOAD

Keep your computer beyond the reach of hackers

Hacking Exposed: Computer Forensics download

This month's free bonus download for all our subscribers is a two-chapter excerpt from Hacking Exposed: Computer Forensics by Aaron Philipp, David Cowen, and Chris Davis. The book provides valuable information about protecting everything on your computer out of the clutches of harmful hackers, be it important data or merely your IP address.

The printed volume isn't in stores yet, but all subscribers can receive our exclusive excerpt of two full chapters through Sept. 30. Simply visit your preferences page, save any changes, and a download link will appear. Thanks! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

Table of contents

WACKY WEB WEEK

Trade in your hops for grapes … fun will follow

By Stephanie Small

Sick of drinking beer at parties? Hate it when your buddies stick you with a warm brew? Nothing sucks the fun out of social occasions faster than the same old swill. Well, your lackluster beer-drinking days are about to be supplanted by the best of aged wines … cabernet sauvignon!

Pronounced just as it's spelled, this high-class "fancy" beverage can turn any frown upside down — if the frowner is of legal drinking age, anyway. Aged since 2002, the grapes are at their peak of fermentation … and the beverage even comes in a light version for those watching their waistlines! So call for a cab at your next pool party or festive bash. And of course, there's no better way to impress that special someone. Play the video

Table of contents

ADS

Your old drivers are slowing down your PC
Driver Detective provides the most up-to-date drivers specific to your computer, including all major-brand OEMs (Dell, HP, Compaq, Toshiba, etc.) and generic brands. We access a database of over 9.2 million device-associated drivers — the largest driver update database on the Internet. Driver Detective saves you endless hours of work and aggravation normally associated with updating drivers.
Driver Detective

Get your message seen by 400,000 readers
Does your company offer a product or service? Now you can place an ad in the Windows Secrets Newsletter and be seen by more than 400,000 active buyers of PC hardware and software. Bid as much or as little as you like to get the ideal ad placement. Take advantage of our all-new design interface, allowing larger images and longer text, and get updated stats in real time!
Windows Secrets Newsletter

See your ad here

PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/090910

Free content posted on Sept. 10, 2009:

TOP STORY
By Scott Dunn
Prevent keyloggers from grabbing your passwords
Windows' On-Screen Keyboard app is also logged
Holes in anti-keylogging software protection
The universal defense against password snoops

WACKY WEB WEEK
By Stephanie Small
Trade in your hops for grapes … fun will follow

You get all of the following in our paid content:

	LANGALIST PLUS By Fred Langa Reset your BIOS so USB keyboards work on boot-up A dead keyboard can spell big trouble Why won't my PC open the .cda files on a DVD? "Unable to display this folder" in Outlook inbox Recover a lost Vista key by calling Microsoft Oops, there goes another disk partition!
	IN THE WILD By Robert Vamosi Hackers exploit FTP flaw in Microsoft's IIS Beware of anonymous FTP users bearing gifts Partial workarounds offered for the IIS flaws Don't shoot the automatic Messenger upgrade Firefox checks Adobe Flash, so you don't have to
	PATCH WATCH By Susan Bradley New Web-based attacks target Windows Media holes Browsing without new patch could be hazardous JScript scripting engine susceptible to malware ActiveX dynamic edit control leads to exploits Office Genuine Advantage: Skip this "update" TCP/IP patch excludes Windows 2000 systems Wireless LAN AutoConfig Service spells trouble File-sharing zero-day vulnerability reported

Get our paid content by making any contribution

There's no fixed fee! Contribute whatever it's worth to you
Readers who make a financial contribution of any amount by Sept. 16, 2009, will immediately receive the latest issue of our full, paid newsletter and 12 months of new paid content. Pay as much or as little as you like — we want as many people as possible to have this information.

A portion of your support helps children in developing countries
Each month, we send a full year of sponsorship to a different child. Your contributions in September are helping us to sponsor Allan, a 6-year-old boy from a village in Ecuador. Children International channels development aid from donors to Allan and his community. We also sponsor kids through Plan USA and other respected agencies. More info

Use the link below to learn more about the benefits of becoming a paid subscriber!

More info on how to upgrade

Thanks in advance for your support!

Table of contents

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Program Director: Tony Johnston. Web Developers: Dan Engler, Damian Wadley. Research Director: Stephanie Small. Research Analyst: Allison Espiritu. Copyeditor: Roberta Scholz. Contributing Editors: Susan Bradley, Scott Dunn, Michael Lasky, Woody Leonhard, Ryan Russell, Robert Vamosi, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents