When traveling in other countries I often have to use public computers to get online. I use these strategies to minimize the risk of having passwords harvested and used without my authorization. This can be done by software or hardware based keystroke loggers. They simply keep a log of all your keystrokes when using the computer. The owner of the computer can then retrace your actions and log into your online accounts after you leave the public computer.
There are two things I do to make it difficult for keystroke loggers to grab passwords from me: clever keyboarding and using a password manager. One often cited suggestion is to use an onscreen keyboard. However, there is no guarantee that the software is not also logging its input.
When I do have to type a password on a potentially insecure computer, I do so with a certain process. To teach this, let’s take an example from the building unique passwords article to use as our base. The password we will use is the fictional one we created for the MissionaryGeek website: mWi4sTs3iR.
When typing this password at a potentially risky internet cafe, I start the password like normal: mWi. Then I insert random gibberish for a set number of characters. So now my typed password so far is something like mWi3*huP9. The important thing here is to remember how many extra characters were inserted. I always use the same number of characters and the same characters. That way my password looks identical each time the system records it, but it won’t work for anyone trying to use it.
Next I type the rest of the password like normal. So my full password that is typed in looks like this: mWi3*huP94sTs3iR. Here is the important step: Using only the mouse, I go back and highlight the extra characters that were inserted that were not part of the real password. The reason you want to do this with the mouse is that keyloggers by themselves can’t see what the mouse is doing.
Now with the extra characters highlighted, hit the backspace key one time. What all of this looks like to a keyboard logger is that your password is: mWi3*huP94sTs3i. It sees that you hit the backspace key one time which assumes that your password is the whole thing minus the R at the end. Of course, you deleted those 6 extra characters in the middle and left the R alone. The keylogger only knows that something was deleted, but it does not know where or how many characters the mouse highlighted.
Using a password manager allows you to copy and paste your account passwords without doing any typing. A hardware or software keylogger can’t see what you don’t type.
To get into the online version of the password manager I use the above strategy to type in my master password. I don’t want to install the password manager on a computer that I don’t own no matter how often it prompts me that doing so will be more convenient. I am not looking for convenience, I am looking for security.
Now that I am logged into my password manager, I can copy and paste using the mouse. This completely eliminates a keyboard logger from doing its work.
Using incognito, or private browsing, and clearing the browser cache when done are two more ways to safeguard your information. These steps do not keep a keylogger from doing its work, but it protects you from other potential threats that are worth mentioning here.
Using Incognito Mode
I always try to use Firefox or Chrome on the potentially insecure computer. Both of these browsers have the ability to open a private browsing or incognito session. No passwords are saved by the browsers in these special browsing sessions. This protects you from the browser conveniently storing login information for you.
Clearing Browser Cache
Even though I use an incognito window or private browsing session, I will still manually clear the cache of any browser I use. Also be sure to manually close the browser at the end of your session. This causes one more step in the browser memory to be flushed.
Clearing Firefox Cache and History
Instead of giving you all the steps here, let me point you to the Mozilla Firefox website which does a good job of explaining how to delete the cache and clear your browsing history. These are two distinct processes that you should do when using Firefox. Don’t forget to shut down the browser when your are done.
Clearing Chrome Cache and History
In Chrome, find the Menu which is usually indicated by the three horizontal bars symbol: ☰. Choose Settings and then Advanced settings. Click on the box that says Clear browsing data… Select every item in the list and choose the option, Obliterate the following items from: the beginning of time. Then hit the Clear browsing data button. Make sure you close the browser after you complete the wipe of information.
Take a peek at the cable connecting the keyboard to the computer. A hardware keylogger will be plugged into the computer between the keyboard and the machine. You can unplug the keyboard from the keystroke logger and plug it back in directly to the USB port. However, this only eliminates a hardware keylogger. If they also have a software keylogger in place, you still are not safe. Because of this, I personally don’t even bother looking at the keyboard connection.
Change your passwords when you get back from your trip. Take some time to note all the accounts you log into from the foreign machine and change those as soon as you get to a known safe computer. You should also change your master password for your password manager software.
Is This Effective?
These are the best tips I know for bypassing keyloggers. I have been using this strategy for a few years and have never had a password compromised that I know of. Do you have any better suggestions? Share them in the comments below.