Secure way to log in to a website on someone else's computer











up vote
72
down vote

favorite
12












Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?



Although related, but note that this is a bit different from this question since I am not using my own computer to log in.










share|improve this question









New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 8




    Can you create a virtual machine on their box?
    – DarkMatter
    Nov 29 at 16:46






  • 4




    @DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
    – today
    Nov 29 at 16:50






  • 5




    it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
    – DarkMatter
    Nov 29 at 17:25








  • 31




    A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
    – reed
    Nov 29 at 18:17








  • 2




    A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
    – paj28
    Nov 29 at 20:32















up vote
72
down vote

favorite
12












Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?



Although related, but note that this is a bit different from this question since I am not using my own computer to log in.










share|improve this question









New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 8




    Can you create a virtual machine on their box?
    – DarkMatter
    Nov 29 at 16:46






  • 4




    @DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
    – today
    Nov 29 at 16:50






  • 5




    it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
    – DarkMatter
    Nov 29 at 17:25








  • 31




    A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
    – reed
    Nov 29 at 18:17








  • 2




    A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
    – paj28
    Nov 29 at 20:32













up vote
72
down vote

favorite
12









up vote
72
down vote

favorite
12






12





Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?



Although related, but note that this is a bit different from this question since I am not using my own computer to log in.










share|improve this question









New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?



Although related, but note that this is a bit different from this question since I am not using my own computer to log in.







authentication






share|improve this question









New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 23 hours ago









Boann

1815




1815






New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Nov 29 at 16:44









today

469147




469147




New contributor




today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






today is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 8




    Can you create a virtual machine on their box?
    – DarkMatter
    Nov 29 at 16:46






  • 4




    @DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
    – today
    Nov 29 at 16:50






  • 5




    it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
    – DarkMatter
    Nov 29 at 17:25








  • 31




    A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
    – reed
    Nov 29 at 18:17








  • 2




    A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
    – paj28
    Nov 29 at 20:32














  • 8




    Can you create a virtual machine on their box?
    – DarkMatter
    Nov 29 at 16:46






  • 4




    @DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
    – today
    Nov 29 at 16:50






  • 5




    it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
    – DarkMatter
    Nov 29 at 17:25








  • 31




    A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
    – reed
    Nov 29 at 18:17








  • 2




    A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
    – paj28
    Nov 29 at 20:32








8




8




Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46




Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46




4




4




@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50




@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50




5




5




it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25






it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25






31




31




A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17






A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17






2




2




A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32




A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32










11 Answers
11






active

oldest

votes

















up vote
86
down vote













This is an interesting question!



The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.



We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).



Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).



This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.



Additionally, consider the following, via user TemporalWolf




Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.







share|improve this answer



















  • 2




    "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
    – Qwertie
    Nov 30 at 5:07






  • 12




    Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
    – forest
    Nov 30 at 7:25










  • @NotThatGuy I think if you submit an edit request?
    – Cowthulhu
    2 days ago






  • 3




    The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
    – Chris Cirefice
    2 days ago








  • 2




    "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
    – Steve Jessop
    yesterday




















up vote
28
down vote













In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).



This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.



Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.





Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.



While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.



As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.



But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.






share|improve this answer























  • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
    – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
    Nov 30 at 13:06










  • Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
    – martinstoeckli
    1 hour ago


















up vote
16
down vote













Use SQRL



If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.



SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.






share|improve this answer





















  • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
    – today
    Nov 29 at 21:54






  • 3




    The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
    – caw
    Nov 30 at 1:28










  • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
    – Tom
    Nov 30 at 5:10






  • 18




    security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
    – vidarlo
    Nov 30 at 6:41












  • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
    – pytago
    Nov 30 at 10:47


















up vote
13
down vote













If you encounter this situation regularly, try the following:




  1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.


  2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.



Edit:



As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.



Potential weaknesses of this method:



This method is vulnerable to the following:




  • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.

  • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.






share|improve this answer










New contributor




daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • 3




    For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
    – Xen2050
    Nov 30 at 11:41












  • @Xen2050 Windows To Go is also a good alternative!
    – iBug
    Nov 30 at 13:19










  • Good point @Xen2050
    – daviewales
    2 days ago










  • Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
    – Private
    2 days ago






  • 1




    "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
    – Bergi
    23 hours ago


















up vote
5
down vote













There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.






share|improve this answer




























    up vote
    4
    down vote













    It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...




    1. Open text editor of choice.

    2. Type out the full alphabet in both upper and lower case.

    3. type out the full range of numbers and symbols that are available.

    4. Copy and paste letter by letter to enter your password on the web form.

    5. As an added layer of obfuscation, don't grab the letters in the same order as the final password


    I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.



    Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.






    share|improve this answer








    New contributor




    Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.














    • 16




      Surely an off-the-shelf screen recorder would counter this?
      – Draconis
      Nov 29 at 20:20










    • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
      – today
      Nov 29 at 20:40






    • 3




      @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
      – Rozwel
      Nov 29 at 20:44








    • 5




      A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
      – Nathan Goings
      Nov 29 at 21:39






    • 1




      @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
      – JoL
      Nov 29 at 21:43


















    up vote
    3
    down vote













    The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.



    If you have probable cause or general paranoia then do not perform unsafe actions.



    Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.





    What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.






    share|improve this answer























    • I think the OP is worrying about foreign immigration officers asking him to show his social media
      – usr-local-ΕΨΗΕΛΩΝ
      5 hours ago


















    up vote
    3
    down vote













    If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.



    There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.



    Mitigation of Hardware based vulnerabilities




    • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.

    • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.

    • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.

    • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.

    • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.


    Software methods of decreasing the risk




    • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.

    • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.


    The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.






    share|improve this answer








    New contributor




    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.

























      up vote
      1
      down vote













      In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.



      Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.



      Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.






      share|improve this answer




























        up vote
        0
        down vote













        If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.



        If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.






        share|improve this answer





















        • I trust my grandmother. I do not trust that her computer is clean.
          – schroeder
          2 mins ago


















        up vote
        -2
        down vote













        When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.



        That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.






        share|improve this answer

















        • 1




          How would a sandboxed process or an encrypted home directory defeat keylogging?
          – forest
          Nov 30 at 7:23










        • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
          – user192527
          Nov 30 at 7:25












        • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
          – forest
          Nov 30 at 7:27










        • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
          – user192527
          Nov 30 at 7:36






        • 1




          There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
          – David Conrad
          yesterday











        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "162"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });






        today is a new contributor. Be nice, and check out our Code of Conduct.










        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198726%2fsecure-way-to-log-in-to-a-website-on-someone-elses-computer%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        11 Answers
        11






        active

        oldest

        votes








        11 Answers
        11






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes








        up vote
        86
        down vote













        This is an interesting question!



        The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.



        We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).



        Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).



        This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.



        Additionally, consider the following, via user TemporalWolf




        Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.







        share|improve this answer



















        • 2




          "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
          – Qwertie
          Nov 30 at 5:07






        • 12




          Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
          – forest
          Nov 30 at 7:25










        • @NotThatGuy I think if you submit an edit request?
          – Cowthulhu
          2 days ago






        • 3




          The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
          – Chris Cirefice
          2 days ago








        • 2




          "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
          – Steve Jessop
          yesterday

















        up vote
        86
        down vote













        This is an interesting question!



        The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.



        We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).



        Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).



        This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.



        Additionally, consider the following, via user TemporalWolf




        Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.







        share|improve this answer



















        • 2




          "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
          – Qwertie
          Nov 30 at 5:07






        • 12




          Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
          – forest
          Nov 30 at 7:25










        • @NotThatGuy I think if you submit an edit request?
          – Cowthulhu
          2 days ago






        • 3




          The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
          – Chris Cirefice
          2 days ago








        • 2




          "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
          – Steve Jessop
          yesterday















        up vote
        86
        down vote










        up vote
        86
        down vote









        This is an interesting question!



        The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.



        We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).



        Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).



        This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.



        Additionally, consider the following, via user TemporalWolf




        Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.







        share|improve this answer














        This is an interesting question!



        The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.



        We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).



        Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).



        This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.



        Additionally, consider the following, via user TemporalWolf




        Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.








        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 48 mins ago









        Luc

        22.2k54096




        22.2k54096










        answered Nov 29 at 16:55









        Cowthulhu

        832217




        832217








        • 2




          "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
          – Qwertie
          Nov 30 at 5:07






        • 12




          Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
          – forest
          Nov 30 at 7:25










        • @NotThatGuy I think if you submit an edit request?
          – Cowthulhu
          2 days ago






        • 3




          The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
          – Chris Cirefice
          2 days ago








        • 2




          "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
          – Steve Jessop
          yesterday
















        • 2




          "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
          – Qwertie
          Nov 30 at 5:07






        • 12




          Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
          – forest
          Nov 30 at 7:25










        • @NotThatGuy I think if you submit an edit request?
          – Cowthulhu
          2 days ago






        • 3




          The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
          – Chris Cirefice
          2 days ago








        • 2




          "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
          – Steve Jessop
          yesterday










        2




        2




        "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
        – Qwertie
        Nov 30 at 5:07




        "you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
        – Qwertie
        Nov 30 at 5:07




        12




        12




        Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
        – forest
        Nov 30 at 7:25




        Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
        – forest
        Nov 30 at 7:25












        @NotThatGuy I think if you submit an edit request?
        – Cowthulhu
        2 days ago




        @NotThatGuy I think if you submit an edit request?
        – Cowthulhu
        2 days ago




        3




        3




        The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
        – Chris Cirefice
        2 days ago






        The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
        – Chris Cirefice
        2 days ago






        2




        2




        "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
        – Steve Jessop
        yesterday






        "If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
        – Steve Jessop
        yesterday














        up vote
        28
        down vote













        In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).



        This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.



        Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.





        Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.



        While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.



        As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.



        But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.






        share|improve this answer























        • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
          – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
          Nov 30 at 13:06










        • Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
          – martinstoeckli
          1 hour ago















        up vote
        28
        down vote













        In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).



        This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.



        Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.





        Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.



        While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.



        As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.



        But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.






        share|improve this answer























        • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
          – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
          Nov 30 at 13:06










        • Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
          – martinstoeckli
          1 hour ago













        up vote
        28
        down vote










        up vote
        28
        down vote









        In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).



        This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.



        Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.





        Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.



        While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.



        As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.



        But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.






        share|improve this answer














        In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).



        This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.



        Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.





        Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.



        While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.



        As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.



        But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 3 hours ago

























        answered Nov 30 at 3:28









        iBug

        45018




        45018












        • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
          – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
          Nov 30 at 13:06










        • Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
          – martinstoeckli
          1 hour ago


















        • That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
          – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
          Nov 30 at 13:06










        • Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
          – martinstoeckli
          1 hour ago
















        That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
        – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
        Nov 30 at 13:06




        That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
        – a25bedc5-3d09-41b8-82fb-ea6c353d75ae
        Nov 30 at 13:06












        Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
        – martinstoeckli
        1 hour ago




        Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
        – martinstoeckli
        1 hour ago










        up vote
        16
        down vote













        Use SQRL



        If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.



        SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.






        share|improve this answer





















        • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
          – today
          Nov 29 at 21:54






        • 3




          The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
          – caw
          Nov 30 at 1:28










        • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
          – Tom
          Nov 30 at 5:10






        • 18




          security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
          – vidarlo
          Nov 30 at 6:41












        • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
          – pytago
          Nov 30 at 10:47















        up vote
        16
        down vote













        Use SQRL



        If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.



        SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.






        share|improve this answer





















        • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
          – today
          Nov 29 at 21:54






        • 3




          The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
          – caw
          Nov 30 at 1:28










        • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
          – Tom
          Nov 30 at 5:10






        • 18




          security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
          – vidarlo
          Nov 30 at 6:41












        • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
          – pytago
          Nov 30 at 10:47













        up vote
        16
        down vote










        up vote
        16
        down vote









        Use SQRL



        If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.



        SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.






        share|improve this answer












        Use SQRL



        If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.



        SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 29 at 21:40









        Monty Harder

        46636




        46636












        • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
          – today
          Nov 29 at 21:54






        • 3




          The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
          – caw
          Nov 30 at 1:28










        • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
          – Tom
          Nov 30 at 5:10






        • 18




          security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
          – vidarlo
          Nov 30 at 6:41












        • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
          – pytago
          Nov 30 at 10:47


















        • It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
          – today
          Nov 29 at 21:54






        • 3




          The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
          – caw
          Nov 30 at 1:28










        • Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
          – Tom
          Nov 30 at 5:10






        • 18




          security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
          – vidarlo
          Nov 30 at 6:41












        • What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
          – pytago
          Nov 30 at 10:47
















        It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
        – today
        Nov 29 at 21:54




        It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
        – today
        Nov 29 at 21:54




        3




        3




        The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
        – caw
        Nov 30 at 1:28




        The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
        – caw
        Nov 30 at 1:28












        Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
        – Tom
        Nov 30 at 5:10




        Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
        – Tom
        Nov 30 at 5:10




        18




        18




        security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
        – vidarlo
        Nov 30 at 6:41






        security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
        – vidarlo
        Nov 30 at 6:41














        What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
        – pytago
        Nov 30 at 10:47




        What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
        – pytago
        Nov 30 at 10:47










        up vote
        13
        down vote













        If you encounter this situation regularly, try the following:




        1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.


        2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.



        Edit:



        As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.



        Potential weaknesses of this method:



        This method is vulnerable to the following:




        • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.

        • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.






        share|improve this answer










        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.














        • 3




          For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
          – Xen2050
          Nov 30 at 11:41












        • @Xen2050 Windows To Go is also a good alternative!
          – iBug
          Nov 30 at 13:19










        • Good point @Xen2050
          – daviewales
          2 days ago










        • Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
          – Private
          2 days ago






        • 1




          "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
          – Bergi
          23 hours ago















        up vote
        13
        down vote













        If you encounter this situation regularly, try the following:




        1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.


        2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.



        Edit:



        As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.



        Potential weaknesses of this method:



        This method is vulnerable to the following:




        • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.

        • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.






        share|improve this answer










        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.














        • 3




          For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
          – Xen2050
          Nov 30 at 11:41












        • @Xen2050 Windows To Go is also a good alternative!
          – iBug
          Nov 30 at 13:19










        • Good point @Xen2050
          – daviewales
          2 days ago










        • Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
          – Private
          2 days ago






        • 1




          "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
          – Bergi
          23 hours ago













        up vote
        13
        down vote










        up vote
        13
        down vote









        If you encounter this situation regularly, try the following:




        1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.


        2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.



        Edit:



        As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.



        Potential weaknesses of this method:



        This method is vulnerable to the following:




        • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.

        • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.






        share|improve this answer










        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        If you encounter this situation regularly, try the following:




        1. Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.


        2. Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.



        Edit:



        As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.



        Potential weaknesses of this method:



        This method is vulnerable to the following:




        • Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.

        • Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.







        share|improve this answer










        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer








        edited 2 days ago





















        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered Nov 30 at 7:00









        daviewales

        23317




        23317




        New contributor




        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        daviewales is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.








        • 3




          For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
          – Xen2050
          Nov 30 at 11:41












        • @Xen2050 Windows To Go is also a good alternative!
          – iBug
          Nov 30 at 13:19










        • Good point @Xen2050
          – daviewales
          2 days ago










        • Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
          – Private
          2 days ago






        • 1




          "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
          – Bergi
          23 hours ago














        • 3




          For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
          – Xen2050
          Nov 30 at 11:41












        • @Xen2050 Windows To Go is also a good alternative!
          – iBug
          Nov 30 at 13:19










        • Good point @Xen2050
          – daviewales
          2 days ago










        • Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
          – Private
          2 days ago






        • 1




          "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
          – Bergi
          23 hours ago








        3




        3




        For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
        – Xen2050
        Nov 30 at 11:41






        For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
        – Xen2050
        Nov 30 at 11:41














        @Xen2050 Windows To Go is also a good alternative!
        – iBug
        Nov 30 at 13:19




        @Xen2050 Windows To Go is also a good alternative!
        – iBug
        Nov 30 at 13:19












        Good point @Xen2050
        – daviewales
        2 days ago




        Good point @Xen2050
        – daviewales
        2 days ago












        Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
        – Private
        2 days ago




        Under Hardware based recording, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
        – Private
        2 days ago




        1




        1




        "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
        – Bergi
        23 hours ago




        "Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
        – Bergi
        23 hours ago










        up vote
        5
        down vote













        There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.






        share|improve this answer

























          up vote
          5
          down vote













          There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.






          share|improve this answer























            up vote
            5
            down vote










            up vote
            5
            down vote









            There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.






            share|improve this answer












            There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 29 at 20:26









            Duncan X Simpson

            230210




            230210






















                up vote
                4
                down vote













                It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...




                1. Open text editor of choice.

                2. Type out the full alphabet in both upper and lower case.

                3. type out the full range of numbers and symbols that are available.

                4. Copy and paste letter by letter to enter your password on the web form.

                5. As an added layer of obfuscation, don't grab the letters in the same order as the final password


                I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.



                Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.






                share|improve this answer








                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.














                • 16




                  Surely an off-the-shelf screen recorder would counter this?
                  – Draconis
                  Nov 29 at 20:20










                • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                  – today
                  Nov 29 at 20:40






                • 3




                  @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                  – Rozwel
                  Nov 29 at 20:44








                • 5




                  A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                  – Nathan Goings
                  Nov 29 at 21:39






                • 1




                  @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                  – JoL
                  Nov 29 at 21:43















                up vote
                4
                down vote













                It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...




                1. Open text editor of choice.

                2. Type out the full alphabet in both upper and lower case.

                3. type out the full range of numbers and symbols that are available.

                4. Copy and paste letter by letter to enter your password on the web form.

                5. As an added layer of obfuscation, don't grab the letters in the same order as the final password


                I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.



                Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.






                share|improve this answer








                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.














                • 16




                  Surely an off-the-shelf screen recorder would counter this?
                  – Draconis
                  Nov 29 at 20:20










                • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                  – today
                  Nov 29 at 20:40






                • 3




                  @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                  – Rozwel
                  Nov 29 at 20:44








                • 5




                  A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                  – Nathan Goings
                  Nov 29 at 21:39






                • 1




                  @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                  – JoL
                  Nov 29 at 21:43













                up vote
                4
                down vote










                up vote
                4
                down vote









                It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...




                1. Open text editor of choice.

                2. Type out the full alphabet in both upper and lower case.

                3. type out the full range of numbers and symbols that are available.

                4. Copy and paste letter by letter to enter your password on the web form.

                5. As an added layer of obfuscation, don't grab the letters in the same order as the final password


                I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.



                Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.






                share|improve this answer








                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...




                1. Open text editor of choice.

                2. Type out the full alphabet in both upper and lower case.

                3. type out the full range of numbers and symbols that are available.

                4. Copy and paste letter by letter to enter your password on the web form.

                5. As an added layer of obfuscation, don't grab the letters in the same order as the final password


                I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.



                Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.







                share|improve this answer








                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                share|improve this answer



                share|improve this answer






                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.









                answered Nov 29 at 20:15









                Rozwel

                1732




                1732




                New contributor




                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.





                New contributor





                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






                Rozwel is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.








                • 16




                  Surely an off-the-shelf screen recorder would counter this?
                  – Draconis
                  Nov 29 at 20:20










                • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                  – today
                  Nov 29 at 20:40






                • 3




                  @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                  – Rozwel
                  Nov 29 at 20:44








                • 5




                  A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                  – Nathan Goings
                  Nov 29 at 21:39






                • 1




                  @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                  – JoL
                  Nov 29 at 21:43














                • 16




                  Surely an off-the-shelf screen recorder would counter this?
                  – Draconis
                  Nov 29 at 20:20










                • Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                  – today
                  Nov 29 at 20:40






                • 3




                  @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                  – Rozwel
                  Nov 29 at 20:44








                • 5




                  A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                  – Nathan Goings
                  Nov 29 at 21:39






                • 1




                  @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                  – JoL
                  Nov 29 at 21:43








                16




                16




                Surely an off-the-shelf screen recorder would counter this?
                – Draconis
                Nov 29 at 20:20




                Surely an off-the-shelf screen recorder would counter this?
                – Draconis
                Nov 29 at 20:20












                Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                – today
                Nov 29 at 20:40




                Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
                – today
                Nov 29 at 20:40




                3




                3




                @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                – Rozwel
                Nov 29 at 20:44






                @Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
                – Rozwel
                Nov 29 at 20:44






                5




                5




                A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                – Nathan Goings
                Nov 29 at 21:39




                A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
                – Nathan Goings
                Nov 29 at 21:39




                1




                1




                @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                – JoL
                Nov 29 at 21:43




                @NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
                – JoL
                Nov 29 at 21:43










                up vote
                3
                down vote













                The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.



                If you have probable cause or general paranoia then do not perform unsafe actions.



                Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.





                What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.






                share|improve this answer























                • I think the OP is worrying about foreign immigration officers asking him to show his social media
                  – usr-local-ΕΨΗΕΛΩΝ
                  5 hours ago















                up vote
                3
                down vote













                The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.



                If you have probable cause or general paranoia then do not perform unsafe actions.



                Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.





                What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.






                share|improve this answer























                • I think the OP is worrying about foreign immigration officers asking him to show his social media
                  – usr-local-ΕΨΗΕΛΩΝ
                  5 hours ago













                up vote
                3
                down vote










                up vote
                3
                down vote









                The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.



                If you have probable cause or general paranoia then do not perform unsafe actions.



                Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.





                What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.






                share|improve this answer














                The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.



                If you have probable cause or general paranoia then do not perform unsafe actions.



                Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.





                What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 days ago

























                answered 2 days ago









                MonkeyZeus

                278210




                278210












                • I think the OP is worrying about foreign immigration officers asking him to show his social media
                  – usr-local-ΕΨΗΕΛΩΝ
                  5 hours ago


















                • I think the OP is worrying about foreign immigration officers asking him to show his social media
                  – usr-local-ΕΨΗΕΛΩΝ
                  5 hours ago
















                I think the OP is worrying about foreign immigration officers asking him to show his social media
                – usr-local-ΕΨΗΕΛΩΝ
                5 hours ago




                I think the OP is worrying about foreign immigration officers asking him to show his social media
                – usr-local-ΕΨΗΕΛΩΝ
                5 hours ago










                up vote
                3
                down vote













                If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.



                There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.



                Mitigation of Hardware based vulnerabilities




                • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.

                • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.

                • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.

                • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.

                • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.


                Software methods of decreasing the risk




                • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.

                • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.


                The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.






                share|improve this answer








                New contributor




                Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.






















                  up vote
                  3
                  down vote













                  If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.



                  There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.



                  Mitigation of Hardware based vulnerabilities




                  • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.

                  • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.

                  • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.

                  • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.

                  • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.


                  Software methods of decreasing the risk




                  • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.

                  • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.


                  The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.






                  share|improve this answer








                  New contributor




                  Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.




















                    up vote
                    3
                    down vote










                    up vote
                    3
                    down vote









                    If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.



                    There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.



                    Mitigation of Hardware based vulnerabilities




                    • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.

                    • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.

                    • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.

                    • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.

                    • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.


                    Software methods of decreasing the risk




                    • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.

                    • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.


                    The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.






                    share|improve this answer








                    New contributor




                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.



                    There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.



                    Mitigation of Hardware based vulnerabilities




                    • Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.

                    • Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.

                    • Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.

                    • Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.

                    • Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.


                    Software methods of decreasing the risk




                    • Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.

                    • Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.


                    The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.







                    share|improve this answer








                    New contributor




                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    share|improve this answer



                    share|improve this answer






                    New contributor




                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    answered 2 days ago









                    Theoremiser

                    1313




                    1313




                    New contributor




                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.





                    New contributor





                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.






                    Theoremiser is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.






















                        up vote
                        1
                        down vote













                        In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.



                        Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.



                        Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.






                        share|improve this answer

























                          up vote
                          1
                          down vote













                          In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.



                          Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.



                          Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.






                          share|improve this answer























                            up vote
                            1
                            down vote










                            up vote
                            1
                            down vote









                            In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.



                            Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.



                            Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.






                            share|improve this answer












                            In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.



                            Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.



                            Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered 10 hours ago









                            R..

                            4,54711418




                            4,54711418






















                                up vote
                                0
                                down vote













                                If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.



                                If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.






                                share|improve this answer





















                                • I trust my grandmother. I do not trust that her computer is clean.
                                  – schroeder
                                  2 mins ago















                                up vote
                                0
                                down vote













                                If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.



                                If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.






                                share|improve this answer





















                                • I trust my grandmother. I do not trust that her computer is clean.
                                  – schroeder
                                  2 mins ago













                                up vote
                                0
                                down vote










                                up vote
                                0
                                down vote









                                If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.



                                If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.






                                share|improve this answer












                                If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.



                                If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.







                                share|improve this answer












                                share|improve this answer



                                share|improve this answer










                                answered 1 hour ago









                                Dmitry Grigoryev

                                7,3801940




                                7,3801940












                                • I trust my grandmother. I do not trust that her computer is clean.
                                  – schroeder
                                  2 mins ago


















                                • I trust my grandmother. I do not trust that her computer is clean.
                                  – schroeder
                                  2 mins ago
















                                I trust my grandmother. I do not trust that her computer is clean.
                                – schroeder
                                2 mins ago




                                I trust my grandmother. I do not trust that her computer is clean.
                                – schroeder
                                2 mins ago










                                up vote
                                -2
                                down vote













                                When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.



                                That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.






                                share|improve this answer

















                                • 1




                                  How would a sandboxed process or an encrypted home directory defeat keylogging?
                                  – forest
                                  Nov 30 at 7:23










                                • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                  – user192527
                                  Nov 30 at 7:25












                                • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                  – forest
                                  Nov 30 at 7:27










                                • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                  – user192527
                                  Nov 30 at 7:36






                                • 1




                                  There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                  – David Conrad
                                  yesterday















                                up vote
                                -2
                                down vote













                                When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.



                                That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.






                                share|improve this answer

















                                • 1




                                  How would a sandboxed process or an encrypted home directory defeat keylogging?
                                  – forest
                                  Nov 30 at 7:23










                                • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                  – user192527
                                  Nov 30 at 7:25












                                • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                  – forest
                                  Nov 30 at 7:27










                                • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                  – user192527
                                  Nov 30 at 7:36






                                • 1




                                  There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                  – David Conrad
                                  yesterday













                                up vote
                                -2
                                down vote










                                up vote
                                -2
                                down vote









                                When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.



                                That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.






                                share|improve this answer












                                When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.



                                That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.







                                share|improve this answer












                                share|improve this answer



                                share|improve this answer










                                answered Nov 30 at 7:03







                                user192527















                                • 1




                                  How would a sandboxed process or an encrypted home directory defeat keylogging?
                                  – forest
                                  Nov 30 at 7:23










                                • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                  – user192527
                                  Nov 30 at 7:25












                                • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                  – forest
                                  Nov 30 at 7:27










                                • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                  – user192527
                                  Nov 30 at 7:36






                                • 1




                                  There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                  – David Conrad
                                  yesterday














                                • 1




                                  How would a sandboxed process or an encrypted home directory defeat keylogging?
                                  – forest
                                  Nov 30 at 7:23










                                • I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                  – user192527
                                  Nov 30 at 7:25












                                • If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                  – forest
                                  Nov 30 at 7:27










                                • I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                  – user192527
                                  Nov 30 at 7:36






                                • 1




                                  There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                  – David Conrad
                                  yesterday








                                1




                                1




                                How would a sandboxed process or an encrypted home directory defeat keylogging?
                                – forest
                                Nov 30 at 7:23




                                How would a sandboxed process or an encrypted home directory defeat keylogging?
                                – forest
                                Nov 30 at 7:23












                                I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                – user192527
                                Nov 30 at 7:25






                                I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
                                – user192527
                                Nov 30 at 7:25














                                If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                – forest
                                Nov 30 at 7:27




                                If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
                                – forest
                                Nov 30 at 7:27












                                I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                – user192527
                                Nov 30 at 7:36




                                I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
                                – user192527
                                Nov 30 at 7:36




                                1




                                1




                                There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                – David Conrad
                                yesterday




                                There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
                                – David Conrad
                                yesterday










                                today is a new contributor. Be nice, and check out our Code of Conduct.










                                draft saved

                                draft discarded


















                                today is a new contributor. Be nice, and check out our Code of Conduct.













                                today is a new contributor. Be nice, and check out our Code of Conduct.












                                today is a new contributor. Be nice, and check out our Code of Conduct.
















                                Thanks for contributing an answer to Information Security Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.





                                Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                                Please pay close attention to the following guidance:


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198726%2fsecure-way-to-log-in-to-a-website-on-someone-elses-computer%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                AnyDesk - Fatal Program Failure

                                How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

                                QoS: MAC-Priority for clients behind a repeater