Secure way to log in to a website on someone else's computer
up vote
72
down vote
favorite
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?
Although related, but note that this is a bit different from this question since I am not using my own computer to log in.
authentication
New contributor
|
show 4 more comments
up vote
72
down vote
favorite
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?
Although related, but note that this is a bit different from this question since I am not using my own computer to log in.
authentication
New contributor
8
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
4
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
5
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
31
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
2
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32
|
show 4 more comments
up vote
72
down vote
favorite
up vote
72
down vote
favorite
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?
Although related, but note that this is a bit different from this question since I am not using my own computer to log in.
authentication
New contributor
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke logging)? Or if it is impossible, what are the ways to at least mitigate the risks?
Although related, but note that this is a bit different from this question since I am not using my own computer to log in.
authentication
authentication
New contributor
New contributor
edited 23 hours ago
Boann
1815
1815
New contributor
asked Nov 29 at 16:44
today
469147
469147
New contributor
New contributor
8
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
4
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
5
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
31
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
2
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32
|
show 4 more comments
8
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
4
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
5
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
31
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
2
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32
8
8
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
4
4
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
5
5
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
31
31
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
2
2
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32
|
show 4 more comments
11 Answers
11
active
oldest
votes
up vote
86
down vote
This is an interesting question!
The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.
We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).
Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).
This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.
Additionally, consider the following, via user TemporalWolf
Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
|
show 4 more comments
up vote
28
down vote
In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).
This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.
Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.
Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.
While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.
As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.
But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
add a comment |
up vote
16
down vote
Use SQRL
If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.
SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
|
show 3 more comments
up vote
13
down vote
If you encounter this situation regularly, try the following:
Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.
Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.
Edit:
As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.
Potential weaknesses of this method:
This method is vulnerable to the following:
- Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
- Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
New contributor
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
UnderHardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
– Private
2 days ago
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
|
show 4 more comments
up vote
5
down vote
There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.
add a comment |
up vote
4
down vote
It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...
- Open text editor of choice.
- Type out the full alphabet in both upper and lower case.
- type out the full range of numbers and symbols that are available.
- Copy and paste letter by letter to enter your password on the web form.
- As an added layer of obfuscation, don't grab the letters in the same order as the final password
I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.
Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.
New contributor
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
|
show 4 more comments
up vote
3
down vote
The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.
If you have probable cause or general paranoia then do not perform unsafe actions.
Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.
What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
add a comment |
up vote
3
down vote
If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.
There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.
Mitigation of Hardware based vulnerabilities
- Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
- Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
- Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
- Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
- Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.
Software methods of decreasing the risk
- Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
- Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.
The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.
New contributor
add a comment |
up vote
1
down vote
In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.
Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.
Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.
add a comment |
up vote
0
down vote
If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.
If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
add a comment |
up vote
-2
down vote
When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.
That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
|
show 2 more comments
11 Answers
11
active
oldest
votes
11 Answers
11
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
86
down vote
This is an interesting question!
The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.
We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).
Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).
This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.
Additionally, consider the following, via user TemporalWolf
Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
|
show 4 more comments
up vote
86
down vote
This is an interesting question!
The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.
We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).
Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).
This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.
Additionally, consider the following, via user TemporalWolf
Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
|
show 4 more comments
up vote
86
down vote
up vote
86
down vote
This is an interesting question!
The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.
We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).
Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).
This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.
Additionally, consider the following, via user TemporalWolf
Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.
This is an interesting question!
The rule of thumb is that if someone else has control of the device (and they're determined enough), they will always be able to monitor and modify all of your actions on the device.
We can (to a somewhat limited extent) get around this though! Two-factor authentication can be used to ensure that even if someone has your password, they cannot get into your account without also having access to a separate device (owned and controlled by you).
Keep in mind that once you log in, the computer ultimately has control over your interaction with the website, and as a result it could trivially see everything you do on the site and, less trivially, modify your requests to the site (including not logging you out properly when you're done, and potentially changing your login details to lock you out of your own account).
This all depends on how worried you are about being attacked - if you're just logging into Facebook on a friends computer, you can probably trust that when you hit "Log Out", it actually logs you out. If you're logging into your bank, however, you may want to stick to devices you control.
Additionally, consider the following, via user TemporalWolf
Some websites allow for the generation of single-use one time passwords which sidesteps any sort of password logging... as you mentioned, this doesn't stop them from mucking with the now authenticated session.
edited 48 mins ago
Luc
22.2k54096
22.2k54096
answered Nov 29 at 16:55
Cowthulhu
832217
832217
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
|
show 4 more comments
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
2
2
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
"you can probably trust that when you hit "Log Out", it actually logs you out." Unless your friend unknowingly has malware on their computer.
– Qwertie
Nov 30 at 5:07
12
12
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
Since this is saying that someone else having control of a device ensures they will always be able to monitor actions that take place on it, it is the only correct answer.
– forest
Nov 30 at 7:25
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
@NotThatGuy I think if you submit an edit request?
– Cowthulhu
2 days ago
3
3
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
The issue with 2FA is that if indeed the attacker did have a keylogger and indeed modified the requests to the website(s) to essentially block a logout, they would then be able to change your account password/2FA settings having keylogged your password when you logged in. I don't know of any services that require 2FA to change the password once already authenticated. So that's an interesting dilemma.
– Chris Cirefice
2 days ago
2
2
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
"If you're entering missile launch codes however, you may want to stick to devices you control." -- aren't those pretty much a textbook example of immunity to replay attacks? You can't kick off global thermonuclear war twice.
– Steve Jessop
yesterday
|
show 4 more comments
up vote
28
down vote
In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).
This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.
Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.
Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.
While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.
As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.
But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
add a comment |
up vote
28
down vote
In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).
This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.
Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.
Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.
While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.
As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.
But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
add a comment |
up vote
28
down vote
up vote
28
down vote
In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).
This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.
Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.
Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.
While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.
As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.
But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.
In my practice, when I need extra security, I usually change the password on my phone (or another trusted device), then log in on the untrusted computer and after everything is done, change my password back (if possible).
This relies on the fact that changing password logs you out everywhere, for most websites. It's rather practical.
Alternatively, some websites offer a "session control" where you can force detach / terminate sessions if you want.
Besides what I said above, I also have a 128 GiB portable SSD with me, formatted to GPT and has 3 partitions: the EFI System Partition, an Ubuntu, and a Windows To Go.
While software security wasn't my concern while creating this portable SSD, it is undoubtedly a good gadget to have for the purpose. Theoretically and practically, running operating systems on such self-made pieces of storage provides a fully trusted software environment, and can 100% eliminate any software thread on the foreign machine.
As others have answered, such gadgets usually aren't effective against hardware-based intrusion, for example a key logger (unless some stupid ones require drivers to work, then you can LOL). For those things, you have better check them by looking at the hardware ports. If there's anything malicious inside the crate, then you're out of luck.
But again, it's an interpersonal question. If you're logging in on your trusted friend's computer, and the friend isn't a techie, you probably need no more actions than launching the browser in incognito or InPrivate (Internet Explorer) mode.
edited 3 hours ago
answered Nov 30 at 3:28
iBug
45018
45018
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
add a comment |
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
That's a good idea, which doesn't require special knowledge nor tools, and keeps things secure enough.
– a25bedc5-3d09-41b8-82fb-ea6c353d75ae
Nov 30 at 13:06
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
Having a portable SSD is surely a good idea, but looking from the other side, I would never let somebody boot my computer with his own OS.
– martinstoeckli
1 hour ago
add a comment |
up vote
16
down vote
Use SQRL
If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.
SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
|
show 3 more comments
up vote
16
down vote
Use SQRL
If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.
SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
|
show 3 more comments
up vote
16
down vote
up vote
16
down vote
Use SQRL
If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.
SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.
Use SQRL
If a website supports SQRL (https://www.grc.com/sqrl/sqrl.htm) then you have the option of having it display a QR code in the computer's browser that you let the SQRL app in your cell phone read, and thereby negotiate the authentication out of band.
SQRL is not yet widely adopted, but this precise use case was designed in from the beginning. (The other main use case is a SQRL app on your computer working in concert with the browser). In neither case is a password transmitted; SQRL uses Elliptic Curve public/private key technology to sign a nonce presented by the server to prove the user has the private key associated with the public key stored on the server in the user's account info.
answered Nov 29 at 21:40
Monty Harder
46636
46636
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
|
show 3 more comments
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
It's a very interesting method! I was not aware of it at all. Thanks for mentioning it.
– today
Nov 29 at 21:54
3
3
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
The concept is definitely interesting, although it may need some (more) peer review and usability testing in practice. Anyway, this solution is not practical today, and the author of the question seemed to ask mainly as a user and not as a developer. Try using this method with Google, Amazon or Facebook today.
– caw
Nov 30 at 1:28
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
Unfortunately, the question doesn't specify what "my account" means - on your own website? On Facebook? That's a difference because in one you control the login mechanism and on the other you don't.
– Tom
Nov 30 at 5:10
18
18
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
security.blogoverflow.com/2013/10/debunking-sqrl - A well designed solution such as U2F is probably better than what Steve Gibson (which is largely a crank) managed to sting together by himself.
– vidarlo
Nov 30 at 6:41
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
What about something like the WhatsApp Desktop App, where you login by scanning a QR code and can log out from your smartphone?
– pytago
Nov 30 at 10:47
|
show 3 more comments
up vote
13
down vote
If you encounter this situation regularly, try the following:
Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.
Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.
Edit:
As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.
Potential weaknesses of this method:
This method is vulnerable to the following:
- Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
- Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
New contributor
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
UnderHardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
– Private
2 days ago
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
|
show 4 more comments
up vote
13
down vote
If you encounter this situation regularly, try the following:
Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.
Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.
Edit:
As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.
Potential weaknesses of this method:
This method is vulnerable to the following:
- Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
- Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
New contributor
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
UnderHardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
– Private
2 days ago
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
|
show 4 more comments
up vote
13
down vote
up vote
13
down vote
If you encounter this situation regularly, try the following:
Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.
Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.
Edit:
As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.
Potential weaknesses of this method:
This method is vulnerable to the following:
- Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
- Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
New contributor
If you encounter this situation regularly, try the following:
Create a Tails live USB stick. Tails is a Linux operating system designed to run off a USB, which can be booted on most computers. Using Tails means that you don't need to worry about any software that the hostile computer may have installed. Because you are completely bypassing it from boot.
Use the on-screen keyboard. You should cover this with your hand as you type, to prevent anyone from observing. This defends against hardware based key-loggers. Note that you don't need to worry about screen-recording software, because you are running Tails, which means that you have full control over all software running on the system.
Edit:
As @Xen2050 mentioned in the comments, you can also achieve this with other operating systems which may be more user friendly. For instance, here are instructions for creating a live Ubuntu Linux USB on Windows, Mac or Ubuntu. And here are the instructions for accessing the on-screen keyboard on Ubuntu.
Potential weaknesses of this method:
This method is vulnerable to the following:
- Hardware based screen recording. It is possible to insert a device between the computer and the screen which will record everything sent to the screen. For example, this one. To protect against this, inspect the cable, and make sure there are no devices between the computer and the screen. Note however, that it is possible to install internal screen recording devices which would be much more difficult to detect. If you suspect this, then you may be able to circumvent them by unplugging the screen from the back of the computer, and reconnecting it to a different port.
- Malicious firmware, BIOS, rootkit, etc. This is probably the most difficult vulnerability to defend against. If you suspect that the computer you are using has malicious firmware, don't use it! Find another way to login to the website, or don't login to it.
New contributor
edited 2 days ago
New contributor
answered Nov 30 at 7:00
daviewales
23317
23317
New contributor
New contributor
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
UnderHardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
– Private
2 days ago
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
|
show 4 more comments
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
UnderHardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.
– Private
2 days ago
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
3
3
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
For unknown hardware, and since you don't seem to need the network properties of TAILS, using a more friendly and bootable distro like Mint or Ubuntu or other beginner-friendly one might be a lot more successful; TAILS might not have nearly as much luck booting on "new" unknown devices
– Xen2050
Nov 30 at 11:41
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
@Xen2050 Windows To Go is also a good alternative!
– iBug
Nov 30 at 13:19
Good point @Xen2050
– daviewales
2 days ago
Good point @Xen2050
– daviewales
2 days ago
Under
Hardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.– Private
2 days ago
Under
Hardware based recording
, you could actually mention a hardware based keystroke logger that may be embedded in keyboard itself. This seems more likely if the person who owns the computer is trying to steal the OP's passwords.– Private
2 days ago
1
1
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
"Using the on-screen keyboard defends against hardware based key-loggers" - unless they include a mouse logger (for click coordinates etc) :-)
– Bergi
23 hours ago
|
show 4 more comments
up vote
5
down vote
There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.
add a comment |
up vote
5
down vote
There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.
add a comment |
up vote
5
down vote
up vote
5
down vote
There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.
There is one thing you can do on sites that allow it (Google being one): Use a "have" factor of authentication, such as TOTP or a mobile app to approve logins. You don't have to use 2FA - that can be your only factor. I have some of my non-critical servers set to allow password OR totp, so I can log in with one or the other, without needing both. While, as others pointed out, that doesn't make you completely secure (after you log in the attacker could disable input and do whatever they want now that you're logged in), it prevents disclosing any passwords.
answered Nov 29 at 20:26
Duncan X Simpson
230210
230210
add a comment |
add a comment |
up vote
4
down vote
It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...
- Open text editor of choice.
- Type out the full alphabet in both upper and lower case.
- type out the full range of numbers and symbols that are available.
- Copy and paste letter by letter to enter your password on the web form.
- As an added layer of obfuscation, don't grab the letters in the same order as the final password
I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.
Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.
New contributor
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
|
show 4 more comments
up vote
4
down vote
It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...
- Open text editor of choice.
- Type out the full alphabet in both upper and lower case.
- type out the full range of numbers and symbols that are available.
- Copy and paste letter by letter to enter your password on the web form.
- As an added layer of obfuscation, don't grab the letters in the same order as the final password
I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.
Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.
New contributor
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
|
show 4 more comments
up vote
4
down vote
up vote
4
down vote
It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...
- Open text editor of choice.
- Type out the full alphabet in both upper and lower case.
- type out the full range of numbers and symbols that are available.
- Copy and paste letter by letter to enter your password on the web form.
- As an added layer of obfuscation, don't grab the letters in the same order as the final password
I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.
Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.
New contributor
It is a major PIA, but relatively secure with respect to protecting your password. Mostly because it is such a PIA that nobody is likely to put together what is needed to capture it. Which means the caveat about security through obscurity likely applies here...
- Open text editor of choice.
- Type out the full alphabet in both upper and lower case.
- type out the full range of numbers and symbols that are available.
- Copy and paste letter by letter to enter your password on the web form.
- As an added layer of obfuscation, don't grab the letters in the same order as the final password
I can think of a few techniques where I might be able to capture the password of someone using this technique, but none of them are what I would consider easy or straightforward.
Also worth noting that this technique was originally suggested as a counter measure by my CEH instructor. It is not perfect, but it is a semi-decent option that doesn't require much in the way of prior preparation.
New contributor
New contributor
answered Nov 29 at 20:15
Rozwel
1732
1732
New contributor
New contributor
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
|
show 4 more comments
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
16
16
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Surely an off-the-shelf screen recorder would counter this?
– Draconis
Nov 29 at 20:20
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
Interesting solution, especially that I see it was recommended by your CEH instructor! Actually, I was thinking about such a solution before you post this but then I thought maybe it is a bit weird! Of course, as @Draconis mentioned, an screen recorder might be able to counter this as well.
– today
Nov 29 at 20:40
3
3
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
@Draconis probably, hadn't considered that option but high chance it would work. I had my doubts when this was suggested by the instructor, but it is better than nothing, and does protect against most keystroke loggers. But if I were wanting to capture someone's login credentials for a web site I would use a browser extension or proxy to log the post data. Making all of this worthless...
– Rozwel
Nov 29 at 20:44
5
5
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
A clipboard logger would work very well up until step 5. Most packaged malware I've seen includes a clipboard logger with keylogger.
– Nathan Goings
Nov 29 at 21:39
1
1
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
@NathanGoings It's not like there would be that many permutations. Checking every combination one by one seems trivial.
– JoL
Nov 29 at 21:43
|
show 4 more comments
up vote
3
down vote
The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.
If you have probable cause or general paranoia then do not perform unsafe actions.
Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.
What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
add a comment |
up vote
3
down vote
The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.
If you have probable cause or general paranoia then do not perform unsafe actions.
Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.
What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
add a comment |
up vote
3
down vote
up vote
3
down vote
The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.
If you have probable cause or general paranoia then do not perform unsafe actions.
Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.
What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
The best way to protect yourself is to tell the person that you are not comfortable entering your password at their computer.
If you have probable cause or general paranoia then do not perform unsafe actions.
Expecting to thoroughly detect and/or mitigate all threat models in a matter of seconds is ludicrous.
What is the threat model anyways? Do you not trust the person? Do you not trust the computer? Are you trying to prevent their access from the particular website which you are logging in to? Are you trying to prevent the discovery of your password because you use it for a hundred other services such as personal banking? Are you simply trying to figure out a universal way to not be compromised regardless of which foreign computer you encounter in the future? Are you trying to prevent the details of the post-login screen from being recorded? You may wish to sweep the area for any hidden video recording devices in the ceiling.
edited 2 days ago
answered 2 days ago
MonkeyZeus
278210
278210
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
add a comment |
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
I think the OP is worrying about foreign immigration officers asking him to show his social media
– usr-local-ΕΨΗΕΛΩΝ
5 hours ago
add a comment |
up vote
3
down vote
If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.
There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.
Mitigation of Hardware based vulnerabilities
- Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
- Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
- Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
- Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
- Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.
Software methods of decreasing the risk
- Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
- Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.
The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.
New contributor
add a comment |
up vote
3
down vote
If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.
There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.
Mitigation of Hardware based vulnerabilities
- Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
- Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
- Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
- Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
- Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.
Software methods of decreasing the risk
- Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
- Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.
The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.
New contributor
add a comment |
up vote
3
down vote
up vote
3
down vote
If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.
There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.
Mitigation of Hardware based vulnerabilities
- Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
- Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
- Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
- Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
- Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.
Software methods of decreasing the risk
- Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
- Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.
The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.
New contributor
If you need to login using someone else's computer, there is no certain way to know for certain if there is any form of spying software. Even if it is someone you trust, they could be infected with a virus or a similar nefarious device, and it can be hard to impossible to know if it is infected. Always assume that a nefarious entity will still be able to view/access anything that happens on the computer. Here are a few ways you can try to mitigate the risks.
There is no possible way to ensure that the person's OS is not compromised. You can look at the running processes, examine call stacks, network requests or anything, but spyware programs can be extremely well disguised. The best possible solution is to boot from a live USB stick using a linux distribution such as Ubuntu, puppy linux or Kali linux. This means that you should have full control of the software running on the computer, although a determined hacker could insert malicious code into the BIOS or bootloader of the computer, changing the actual code of the operating system.
Mitigation of Hardware based vulnerabilities
- Check the cable between the computer and the display. A device can be inserted in between them allowing a hacker to see the display output.
- Avoid using a wireless keyboard or mouse. The signal can be intercepted between the transmitter and receiver, exposing keystrokes and mouse movements, even via a separate device.
- Plug any USB devices directly into the motherboard. Don't use a PCIe slot, as the device could be storing/transmitting keystrokes/commands. The same applies to front panel connectors.
- Use a different keyboard, if possible. Devices can take the sounds of individual keys being pressed to decipher which key it was. Unplug any microphones connected to the computer, just in case.
- Look to see if there are any extra PCIe or serial port devices plugged in. Ensure only the required ones are plugged in, just in case.
Software methods of decreasing the risk
- Ensure you connect to a secured WiFi network, or ethernet, if you know it is safe. It is probably better to use mobile data, and a mobile hotspot, if possible, so you don't have to rely on their internet connection. Use a USB cable as well, if possible, so you don't run the risk of an alternative WiFi connection intercepting the signal instead.
- Use SSL. This is obvious, but you must ensure the certificate authority is the one that you would expect to see, as it is possible for an entity to insert a self-signed certificate into the chain.
The last thing is that you should, if possible, temporarily change your password (maybe using your phone) while you login using that computer, then change it back afterwards, so if the password is compromised, it will not be usable after it is changed back.
New contributor
New contributor
answered 2 days ago
Theoremiser
1313
1313
New contributor
New contributor
add a comment |
add a comment |
up vote
1
down vote
In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.
Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.
Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.
add a comment |
up vote
1
down vote
In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.
Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.
Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.
add a comment |
up vote
1
down vote
up vote
1
down vote
In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.
Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.
Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.
In theory, if the site doesn't provide you a better way to do this, there is still a way: login on a device that is under your control, and transfer the session cookie you receive from that device to the untrusted computer. This will allow the untrusted computer to perform any operation you can perform on the site once logged in, but unless the site has fatally bad security design, it will not allow the untrusted computer to change your password, change the email address associated with the account, or perform other account-takeover operations.
Once you're done, you can use the trusted device you control to log out its session cookie (which you copied from it) by performing the logout operation there, or perform a "logout all devices" operation if the site provides such a feature.
Note that under this scheme, your password is never entered on the untrusted computer, and thereby it has no means of recording/capturing it. At best it can capture the session cookie, which you will invalidate by logging out using the trusted device once you're done.
answered 10 hours ago
R..
4,54711418
4,54711418
add a comment |
add a comment |
up vote
0
down vote
If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.
If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
add a comment |
up vote
0
down vote
If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.
If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
add a comment |
up vote
0
down vote
up vote
0
down vote
If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.
If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.
If you trust that person, go ahead and use their computer. Consider creating a separate browser profile which you can wipe clean after you're done without erasing that person's cookies / settings / whatever. Take note of any attachments you download so that you can remove these as well. Don't just open attached files, unless you want to play detective figuring out which of the possible "temp" locations was used to store them. And avoid manipulating any sensitive data which is not related to the purpose forcing you to use someone else's computer.
If you don't trust the person, don't use their computer. There's no way of securing an unknown computer 100%, and even less so without doing things which will make the other person suspect that you're trying to hack them. At which point you will probably be denied to use their computer anyway.
answered 1 hour ago
Dmitry Grigoryev
7,3801940
7,3801940
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
add a comment |
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
I trust my grandmother. I do not trust that her computer is clean.
– schroeder♦
2 mins ago
add a comment |
up vote
-2
down vote
When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.
That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
|
show 2 more comments
up vote
-2
down vote
When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.
That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
|
show 2 more comments
up vote
-2
down vote
up vote
-2
down vote
When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.
That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.
When you suspect the system is keylogged you would need to be able to interrupt that process to do what you are asking.
That might be a visible process though - so if it's mission critical try finding that process or creating another user account with an encrypted terminal in a sandbox to see if you can avoid logging that way - i.e. Linux with encrypted home folder & swap as an example.
answered Nov 30 at 7:03
user192527
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
|
show 2 more comments
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
1
1
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
How would a sandboxed process or an encrypted home directory defeat keylogging?
– forest
Nov 30 at 7:23
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
I suggested interrupting the keylogging process - If the process monitored one user account and another account were encrypted - it might accomplish the desired result of not being logged. Attempting this in a sandboxed environment rather than just doing it cuts down on the risk in case it doesn't.
– user192527
Nov 30 at 7:25
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
If you are running under a different user, then there's no need to encrypt anything or use sandboxes. For Linux (since you mentioned Linux), individual users are isolated from each other and X11-based keyloggers will not work. However, if the hardware is controlled by someone malicious, then even encryption and a sandboxed terminal wouldn't help.
– forest
Nov 30 at 7:27
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
I suggested testing the idea in a sandbox. The main goal is to interrupt the keylogger if possible and if not to try to obfuscate by using other accounts etc.
– user192527
Nov 30 at 7:36
1
1
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
There are hardware keyloggers. This answer assume there is some "process" to "interrupt," which is totally wrong. It might mitigate one very specific risk, but it completely ignores other serious risks.
– David Conrad
yesterday
|
show 2 more comments
today is a new contributor. Be nice, and check out our Code of Conduct.
today is a new contributor. Be nice, and check out our Code of Conduct.
today is a new contributor. Be nice, and check out our Code of Conduct.
today is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198726%2fsecure-way-to-log-in-to-a-website-on-someone-elses-computer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
8
Can you create a virtual machine on their box?
– DarkMatter
Nov 29 at 16:46
4
@DarkMatter Unfortunately, no. I am not allowed to do that. Even if I am allowed, I guess it would take some time (> 15 min) to do that and they don't have enough patience :) Although, I am interested to know how that helps. Please include it as an answer if you would like.
– today
Nov 29 at 16:50
5
it all depends on how they are monitoring your activity... operating inside of your own clean VM on their box (using a clean OSK) will bypass a number of the ways they could monitor your activity. Furthermore you can also delete the VM afterward to further remove evidence of your activities. Ultimately though if they own the hardware in theory there is no way to be bullet-proof (2FA helps some to mitigate ramifications of their monitoring)
– DarkMatter
Nov 29 at 17:25
31
A live OS (booted via USB or DVD) is probably more handy. However that won't protect you from hardware keyloggers for example. The best solution seems to be what Cowthulhu suggested in the answer, 2FA, when available. Also maybe change password and force a logout on all devices once you are back home on your computer, if the service makes this possible. A lot of this also depends on how knowledgeable and determined is your "enemy".
– reed
Nov 29 at 18:17
2
A simple option is after you're finished to use your phone to change your password. In the past, some services had the ability to generate a one-time login password from your phone, but these seem to have fallen out of favour, presumably with 2FA taking their place.
– paj28
Nov 29 at 20:32