web application security lab

Stopping Password Theft by Key Loggers

I ran across this article by Cormac Herley and Dinei Florencio today on how to protect your password from keystroke loggers. This is actually a very brief PDF that explains a simple concept in a very concise way. That said, it’s still pretty creative and I only found one non-obvious flaw with it.

The basic premise is that if you obfuscate the logging of your password by clicking on random other places on the same page in between typing its characters, you have successfully stopped the attacker from knowing your password. Okay, now for the hole. If you receive a password that looks an awful lot like a string of random characters and is much longer than a traditional password, chances are this is either a mistake or you’ve found someone trying to hide their password from keystroke logging.

That might seem like no big deal to the casual observer, and on a one-off basis it might actually deter any reasonable attack against the password. But what about the second time, and then the third time? Let’s pretend you are an attacker and have a keystroke logger reading passwords. Over time you saw these strings:

www.hotmail.comasdf@fdsa.comw~eslkanij1o2h4oz3hphaky

www.hotmail.comasdf@fdsa.comasjsnkjna@joalkosjdpasony

www.hotmail.comasdf@fdsa.compsps1uhnu2jozuzo2!$p#lzy

That might not look super crackable with the naked eye, but programmatically it’s trivial to see the pattern in that. Each contains the exact same characters in the exact same order. The string “snoopy” is embedded in the content of the three unique strings. Don’t believe me? Let’s walk through part of the logic.

The first password starts with a “w”. Let’s walk down the second password and see if it shows up there. Hmm… nope. Guess that’s not part of the password. In fact, let’s just look for all the characters that don’t show up in all three passwords and look at the same passwords again (letters that are not repeated all three times are replaced by _ in the example):

www.hotmail.comasdf@fdsa.com___sl__n_j_o___o_3_p___y

www.hotmail.comasdf@fdsa.com_sjsn_jn__jo_l_osj_p_sony

www.hotmail.comasdf@fdsa.compsps___n__jo___o___p_l_y

Now you need to look for which strings are in order and match up with one another. There is an “s” followed by an “l” in all three examples, but there is no “sln” in all three examples, so that’s out. So now you have to decide if the s or the l or the n or the sl or the sn or the ln are in all three. Anyway, you can see where I’m going with this. In just a few iterations you can come up with just a few possible combinations of potential passwords. Then, using the password policies of the websites, you can find the most likely password. One more quick point: this example above is only using three passwords. The more you have, the easier the analysis becomes. So without ensuring that the obfuscated password is identical each time, it would be trivial, through statistical analysis of the obfuscated passwords, to identify the real password.
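As an added example (not code from the original post or the paper), here is the analysis above written out: the masking step that drops characters absent from any capture, followed by a longest-common-subsequence search over the post’s three sample strings. The prefix is stripped because it is identical in every capture.

```python
from functools import lru_cache

# The three captures from the post; the leading URL and e-mail address are
# the same in every capture, so they are stripped before analysis.
PREFIX = "www.hotmail.comasdf@fdsa.com"
CAPTURES = [
    "www.hotmail.comasdf@fdsa.comw~eslkanij1o2h4oz3hphaky",
    "www.hotmail.comasdf@fdsa.comasjsnkjna@joalkosjdpasony",
    "www.hotmail.comasdf@fdsa.compsps1uhnu2jozuzo2!$p#lzy",
]

def strip_prefix(captures, prefix=PREFIX):
    return [c[len(prefix):] if c.startswith(prefix) else c for c in captures]

def mask_uncommon(strings):
    """The post's first step: a character absent from even one capture
    cannot be part of the password, so replace it with '_'."""
    common = set.intersection(*(set(s) for s in strings))
    return ["".join(ch if ch in common else "_" for ch in s) for s in strings]

def lcs(strings):
    """Longest subsequence common to every capture (memoised recursion with
    one cursor per string). The real password is typed in order every time,
    so it is always a subsequence of this result."""
    n = len(strings)

    @lru_cache(maxsize=None)
    def best(pos):
        if any(p == len(s) for p, s in zip(pos, strings)):
            return ""
        heads = {s[p] for p, s in zip(pos, strings)}
        if len(heads) == 1:  # every cursor sits on the same character: keep it
            return strings[0][pos[0]] + best(tuple(p + 1 for p in pos))
        # Otherwise advance one cursor at a time and keep the longest answer.
        return max((best(pos[:i] + (pos[i] + 1,) + pos[i + 1:]) for i in range(n)), key=len)

    return best(tuple(0 for _ in strings))

def is_subsequence(needle, hay):
    """True if every character of needle appears in hay, in order."""
    it = iter(hay)
    return all(ch in it for ch in needle)

if __name__ == "__main__":
    bodies = strip_prefix(CAPTURES)
    print(*mask_uncommon(bodies), sep="\n")
    print("common subsequence:", lcs(bodies))
```

On the post’s three strings the common subsequence comes out as “snjoopy”: one character longer than the real password because a “j” happens to fall in the same place in all three captures, which is exactly the “few possible combinations” the post describes.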

But really, who’s going to go through all that work? Yes, this is a clever idea, and yes there is a hole in the idea, but I’m not too worried about anyone figuring it out without long term analysis of the passwords used. Pretty cool paper! I’ve always been interested in password security. Maybe some day I’ll release my version of this paper talking about another form of obfuscation that has proven to get past all keystroke loggers too. Unfortunately mine is even easier to break than theirs is, so maybe I’ll leave that one for another day.

14 Responses to “Stopping Password Theft by Key Loggers”

  1. kuza55 Says:

    I saw that paper as well, but are key loggers really that big an issue?

    Any good sniffer will get you the data you need, well, except for all SSL traffic, but since almost nothing has statically linked libraries, it shouldn’t be too difficult to just replace the dynamic libraries with your own copy which writes everything it sends to a file, or something.

    And anyway, characters don’t have to be typed in order, you can easily type them up somewhere, rearrange them, and then copy and paste them, if you’re paranoid about people looking over your shoulder then you can always just type the characters out of order inside the password field and click to the appropriate place to insert your characters, etc.

    Really though, should you be logging onto sensitive sites from an untrusted computer if you’re that worried?

    But anyway, cool idea for defeating the obfuscation, :)

  2. RSnake Says:

    I thought of the same thing. Cutting and pasting is definitely an option, but if you are really concerned about it, why not just use Windows’ onscreen keyboard (assuming mouse clicks are not logged).

    But to answer your question a lot of the malware that you find on phishing sites use keystroke loggers. So beware on that one. It’s not super common, but it’s still out there. I haven’t heard many people using network shims to watch the traffic in transit though. I’m sure it exists, but it’s not that common in comparison.

    And lastly, no, don’t log into anything secure from an untrusted computer.

  3. Edward Z. Yang Says:

    If you needed to access something secure on an untrusted terminal, couldn’t you (if your server supports it) generate a list of temporary passwords? They operate identically to regular passwords, only they only work once, and have a shortened expiration time. Since they’re so temporary, it would be acceptable to print out a list of several dozen and keep it in your wallet (with your credit cards, etc.), and even if it did get stolen you could revoke them easily.

    The only trouble with this is if someone hijacks your account in real-time, but, as is the case with all security.

  4. RSnake Says:

    Yup, TAN cards are similar. It’s not a bad idea, just not supported hardly anywhere outside of Germany. I’m always a little wary of the “something you have” security methodology, because it requires that people a) have it (if they lost their wallet or otherwise) and b) can use it (blind people).

  5. Edward Z. Yang Says:

    Here’s an interesting way to get around the “not implemented” problem: with your own trusted server, create a program that will log into the service you want to access (i.e. has your password) once you present it with one of your temporary passwords. It then would act as an HTML-based HTTP proxy which you can use to access the service (be it webmail, wiki, etc.)

    Would be a lot of work though.

  6. raptor Says:

    I think one can hook the password field (HTML form) itself; when the submit event is fired, just read the value of the password field. This way, one can bypass any level of obfuscation.

  7. anonymous Says:

    make sure to read http://ip.securescience.net/exploits/virtualkeyboards.pdf

  8. JR_ Says:

    Why not just log all mouseclicks as a space?
    It would then be
    www.hotmail.com asdf@fdsa.com w~e s lka n ij1 o 2h4 o z3h p hak y
    very easy to read

  9. maluc Says:

    Well, they could just as easily mouse click in between every letter typed, making it blah w ~ e s l k a etc.

    As described though, that’s a smart way to get around it. Either way, I haven’t used keyloggers on a mass scale, but I can’t imagine even 0.5% of people would obfuscate their password typing. Even as high as 10%, I’d think that’s an acceptable loss rate.

    And depending on how many letters are added, it can potentially be brute-forced using this subset of characters (24 in the first example).

  10. ha.ckers.org web application security lab - Archive » Longest Common Subsequence Problem Says:

    […] ha.ckers.org web application security lab - Archive » Longest Common Subsequence Problem « Stopping Password Theft by Key Loggers […]

  11. Weird Says:

    An easier way for a keylogger to get your password and defeat this is to simply keep track of what window currently has focus.

    The Windows onscreen keyboard simulates key presses, so it is caught by key loggers.

    Copy/Paste can be defeated if the key logger captures your clipboard also.

    Another idea might be to use your mouse to reposition letters, but even that is assuming that your mouse movements aren’t tracked.

    The further you go into protecting yourself the further the keyloggers will progress (and with computers speeding up they can process a lot more stuff without you noticing any bog down of your system).

  12. lojan Says:

    Where can I get a key logger??

  13. What is a Keylogger? Says:

    As for those recommending the use of the Windows on screen keyboard, what about us silly KDE (or Gnome) users? Why not just recommend an on screen keyboard? You know, there is more than one web browser, and more than one office suite, and more than one asshole thinking what I’m thinking…

  14. pheesy Says:

    I think there is a kind of keylogger that pretends to be another program or application
