Carnegie Mellon University has published a paper (PDF file) which describes an interesting method that allows for better security when entering usernames and passwords on public computer.  The fear is that the public computer will be fitted with a software or hardware keylogger which would collect everything typed.

Here's the meat of the paper:

At first our task may seem impossible: if the keylogger sees everything how can we hide the password from it? Rather than hide the password our approach is to embed it in a sequence of random characters. So we seek a way of entering random keys so that they will be seen by the keylogger, but will not affect normal login. The trick lies in the fact that keyloggers employ very low level OS calls. The keylogger sees everything, but it doesn’t understand what it sees. The browser also sees everything, but it doesn’t use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor. The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor. It is very easy to record all of the keys or mouse events (this is true both for Windows and Linux based systems). It is also very easy to determine which application had focus at the time of the event (e.g. this key went to the browser). But it is very hard to determine what the application did with those events.

Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible.

Allow me to clarify.  Let's say that you're logging in to your Amazon.com account from a public computer.  You open up Amazon.com in a web browser and navigate to the login page.  Then you'd click in the username textbox and type one or two characters of your username, then click somewhere else in the browser window that's neutral, such as the status bar or a blank portion of the page (but not on something active like a link or button) and type a few characters.  Then back to the textbox and type another character of two, click somewhere else neutral and type some more junk.  Repeat until you username is entered and then repeat the process for the password. 

This isn't 100% guaranteed (if you want guarantees, don't use a public PC), but it does offer a increased protection.

This entry was posted on Friday, November 24th, 2006 at 18:52 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.