Safe Password Usage
Your best defense is not to use any untrusted computer to sign in to any site that contains banking or sensitive personal information. When you simply must take a chance on using a random PC, however, you can minimize the risk — if not eliminate it.
Security blogger Ian Saxon publishes an approach that may not be 100% foolproof but should provide some reasonable protection when entering passwords. Writing on his Defending the Kingdom site, Saxon outlines what he calls the “revised Vesik method” for entering passwords:
Step 1. Click in the password box and type three random characters, mixing upper and lower case, numbers, etc.
Step 2. Use your mouse or the Shift and arrow keys to select the characters you just typed. Then type three more random characters or a portion of your password, replacing the characters you typed previously. (Mixing random characters with actual parts of the password makes it more difficult for keyloggers to identify your password.)
Step 3. Repeat steps 1 and 2 a few times. The more often you repeat the process, the harder it will be for an intruder to discern your password when examining the keylogger file.
Step 4. Click to the left or right of your password segment and follow steps 1 to 3 to add a few more characters.
Step 5. Repeat the process, adding a few more characters of your password on each cycle until your entire password is in the password box. Then sign in to the site.
This procedure clutters the keylogger’s log file with a series of click events and characters. There’s no easy way for the intruder to know which characters are your password and which are random.
The key is to select and gradually overtype gibberish characters with your actual password characters. Don’t simply type some garbage, backspace over it, and then enter your real password. A Backspace keystroke always deletes exactly the character typed before it, so most keyloggers compensate for backspacing when they reconstruct what you typed. A selection made with the mouse or Shift and arrow keys, on the other hand, depends on where the caret is inside the box, which a keystroke logger doesn’t see, so it can’t tell which earlier characters you replaced.
As Saxon points out, this method isn’t foolproof. For example, if you use an untrusted PC to sign in to the same site twice — and you don’t use identical gibberish each time — a hacker could compare the two captured keystroke sequences and possibly figure out which characters constitute your actual password.
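To make this concrete, here is a small simulation, added as an illustration (it is not code from Saxon’s post or from this article), of what a keystroke-only logger records for the backspace shortcut versus the overtype procedure in steps 1 to 5, and of the two-session comparison described just above. The sample password, the junk alphabet, the three-character segment size, the event format and the model of the password box are all assumptions of the example.

```python
"""Simulate the revised Vesik method against a keystroke-only logger.
Constructed example: password, junk alphabet and event format are all made up."""
import random
import string

ALPHABET = string.ascii_letters + string.digits  # junk characters (constructed choice)
PASSWORD = "Tr0ub4dor"                            # constructed sample password
SEGMENT = 3                                       # password characters overtyped per cycle


class PasswordField:
    """Minimal model of a password box: characters, caret and an optional selection."""

    def __init__(self):
        self.chars, self.caret, self.selection = [], 0, None

    def click(self, pos):                 # mouse click inside the box moves the caret
        self.caret, self.selection = pos, None

    def shift_left(self, n):              # Shift+Left arrow n times selects n characters
        self.selection = (max(0, self.caret - n), self.caret)

    def _delete_selection(self):
        if self.selection:
            start, end = self.selection
            del self.chars[start:end]
            self.caret, self.selection = start, None
            return True
        return False

    def key(self, ch):                    # typing replaces any current selection
        self._delete_selection()
        self.chars.insert(self.caret, ch)
        self.caret += 1

    def backspace(self):                  # deletes the selection, else the previous character
        if not self._delete_selection() and self.caret > 0:
            self.caret -= 1
            del self.chars[self.caret]

    def value(self):
        return "".join(self.chars)


def _type(field, log, text):
    """Type text into the box; the logger records every character."""
    for ch in text:
        field.key(ch)
        log.append(("key", ch))


def _junk(rng, n):
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def enter_with_backspaces(field, log, rng, password, junk_len=3):
    """The shortcut the article warns against: junk, Backspace over it, real password."""
    _type(field, log, _junk(rng, junk_len))
    for _ in range(junk_len):
        field.backspace()
        log.append(("backspace",))
    _type(field, log, password)


def _overtype_segment(field, log, rng, segment, noise_rounds):
    """Steps 1-3: type junk, select it, overtype it (with junk again, then the segment)."""
    _type(field, log, _junk(rng, len(segment)))
    for text in [_junk(rng, len(segment)) for _ in range(noise_rounds)] + [segment]:
        field.shift_left(len(segment))
        log.append(("shift_left", len(segment)))   # logger sees the keys, not the caret
        _type(field, log, text)


def enter_with_overtype(field, log, rng, password, noise_rounds=2):
    """Steps 4-5: add segments at the left or right edge of what is already in the box."""
    segments = [password[i:i + SEGMENT] for i in range(0, len(password), SEGMENT)]
    lo = hi = rng.randrange(len(segments))      # segments[lo:hi] are currently in the box
    while lo > 0 or hi < len(segments):
        if hi == lo or (hi < len(segments) and (lo == 0 or rng.random() < 0.5)):
            field.click(len(field.chars))       # caret at the right edge
            log.append(("click",))
            _overtype_segment(field, log, rng, segments[hi], noise_rounds)
            hi += 1
        else:
            field.click(0)                      # caret at the left edge
            log.append(("click",))
            lo -= 1
            _overtype_segment(field, log, rng, segments[lo], noise_rounds)


def naive_reconstruction(log):
    """What a logger that understands only characters and Backspace reports."""
    out = []
    for event in log:
        if event[0] == "key":
            out.append(event[1])
        elif event[0] == "backspace" and out:
            out.pop()
    return "".join(out)


def common_runs(log_a, log_b, n=SEGMENT):
    """Two-session attack: runs of n characters typed in both sessions. Junk differs
    between sessions, password segments do not, so the segments survive the intersection."""
    def runs(log):
        text = naive_reconstruction(log)
        return {text[i:i + n] for i in range(len(text) - n + 1)}
    return runs(log_a) & runs(log_b)


def run_session(method, seed, password=PASSWORD):
    """Drive one sign-in; returns (what the site receives, what the keylogger saw)."""
    rng = random.Random(seed)
    field, log = PasswordField(), []
    method(field, log, rng, password)
    return field.value(), log


if __name__ == "__main__":
    for method in (enter_with_backspaces, enter_with_overtype):
        value, log = run_session(method, seed=1)
        print(f"{method.__name__}: site gets {value!r}, logger reads {naive_reconstruction(log)!r}")
    _, a = run_session(enter_with_overtype, seed=1)
    _, b = run_session(enter_with_overtype, seed=2)
    print("runs common to two sessions:", sorted(common_runs(a, b)))
```

Both methods leave the correct password in the box, which is also the point to remember about the method’s limits: anything that reads the box’s final value rather than the keystrokes (a form grabber or a screenshot) gets the password regardless. With the backspace shortcut the naive reconstruction is the password itself; with overtyping it is a longer string in which the segments are buried in junk and may even appear out of order. Running two sessions with different junk and intersecting their three-character runs, as in common_runs, brings the segments straight back out, which is why Saxon advises against signing in twice from the same untrusted PC.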
However, most crooks are looking for “low-hanging fruit.” They’ll move on to another victim rather than spend a lot of time trying to filter your password out of the noise.
Of course, if we all used the Vesik method to obscure our passwords, hackers might develop keyloggers that track this kind of data entry, too. But most people don’t conceal their passwords in noise, so keyloggers don’t compensate for it. Bear in mind as well that the method only defeats loggers that work at the keystroke level; malware that reads the completed form when you click Sign in, or that captures screenshots, gets the finished password no matter how it was typed.
If you have no choice but to sign in to a site on a PC you aren’t sure of, protecting your password is a difficult problem with no perfect solution. Many software programs, such as RoboForm2Go, offer password-protection schemes that vary from the no-cost Vesik technique. WS senior editor Gizmo Richards recently reviewed these methods in an analysis at his Tech Support Alert site.
Just be aware that accessing the Internet using your own laptop — on which you run up-to-date antivirus software — protects your passwords better than using a public Internet terminal or a friend’s PC.