By Scott Dunn
Dozens of readers responded to my Sept. 10 Top Story, many of them proposing alternative ways to evade keyloggers other than the “revised Vesik method” I described.
No method can make you completely safe when using a public computer, so you must balance convenience with the level of risk that’s acceptable to you.
The Clipboard’s no safer than the keyboard
The revised Vesik method involves typing nonsense characters into a password input box when using a public PC and then rearranging some of the letters to form your actual password with the mouse. If the PC contains a hardware keylogger or is infected with a software keylogger, rearranging a password in this way will usually suffice to obscure your credentials. Most hackers will concentrate on the 99% of users who type in their passwords at Internet cafés in the usual way.
One proposal sent in by many, many, many readers was a variation on a single theme. Namely, keep your sign-in information on a USB flash drive or memory stick, then copy and paste the info into the appropriate fields when you’re required to use a public PC or other unsecured computer.
Unfortunately, many keyloggers capture any information you place into the Windows Clipboard. I tested the copy-and-paste technique using the All In One Keylogger from RelyTec. (For more info, see the vendor’s site.) The program easily captured the sign-in IDs and passwords entered, whether I used the standard menu options (Edit, Copy and Edit, Paste) or the keyboard shortcuts Ctrl+C and Ctrl+V.
In my tests, the All In One Keylogger wasn’t able to capture the information when I performed a copy-paste operation using a context (right-click) menu. But that’s not much to rest one’s hopes on. Other keyloggers do succeed at capturing data copied via context-menu options.
Note that many password-manager products require you to copy and paste your passwords from their database to an input box. (See my Sept. 18, 2008, review of password managers.) Any product using the Clipboard in this manner is vulnerable to a keylogger that captures data from the Clipboard.
Other strategies for blocking keyloggers
Readers suggested various ways of carrying one’s passwords on a flash drive. Jeff H. asked, for example:
- “What about surfing from suspect PCs using only Firefox Portable running off a USB drive, with all your passwords stored in the browser?”
To establish a master password in Firefox, pull down the Tools menu, click Options, select the Security tab, and turn on Use a master password. After doing this, you must enter your master password once per browser session.
Another reader, Val Ingraham, proposed signing in using a tool such as the portable version of Siber Systems’ free RoboForm password manager, available on the company’s download page.
Both of these approaches were able to evade the keylogger I tested them with and would likely confound other keyloggers as well.
However, any method that permits automatic sign-in from a flash drive poses a physical-security risk. A flash drive is easy to lose. When you misplace one, you could be handing over your passwords to whoever finds the device — if you don’t enable a master password.
Can freeware provide the privacy you need?
Several readers like products that are specifically designed to defeat keyloggers. Simon Bleasdale recommends Neo’s SafeKeys 2008, available for free on the Alpin Software site. The program promises the same functionality as the Windows On-Screen Keyboard (OSK) utility described in the original tip — but without OSK’s security risks.
(OSK sends keystrokes in a way that keyloggers can see and record. To use OSK if you need it for entering something other than a password, open the software by clicking Start, All Programs, Accessories, Accessibility, On-Screen Keyboard.)
Neo’s SafeKeys 2008 displays a small window with a simulated keyboard on which you can type your sign-in, password, and other information — just as with OSK. But unlike the Microsoft utility, Neo’s SafeKeys 2008 doesn’t transmit information in a way that can be picked up by keyloggers. Nor does the program use the Clipboard. Instead, you type your info in the SafeKeys 2008 window and then drag the data to the appropriate text box in your browser.
Neo’s SafeKeys 2008 successfully evaded the All In One Keylogger product in my tests. Other options help you foil keyloggers that regularly take screen captures to record your PC activities. According to the Alpin Software site, however, the utility’s drag-and-drop methods don’t work with all products — including the Opera browser.
No product will ever be able to guarantee your safety from snoops when you use a public computer. Fortunately, the techniques and products described here and in the previous article can reduce your risk substantially.
You’re the only person, however, who can decide what constitutes an acceptable risk level for your data. That may mean never signing in to Web sites using PCs at Internet cafés — or wherever you’re not sure adequate security precautions have been taken.
Readers Jeff, Val, and Simon will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
Windows Secrets contributing editor Scott Dunn has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.