The typical scenario is an Internet cafe, a school library or a school computer: you have no control over that machine and do not know what is installed on it. Perhaps a keylogger is running, recording every single keystroke so that someone later collects the log, or so that it is sent out over the Internet. This is a relatively common way to capture other people's passwords. Because what a keylogger does is take control of the computer and intercept the keyboard, even "secure web pages" are no longer safe: the Internet traffic is protected, but not what you typed, because it was captured in clear text as you typed it, passwords included. Some online banks, in fact, show a "virtual on-screen keyboard" next to the input box so that you enter your secret numbers with the mouse. That is mainly to avoid this problem.
The interesting thing is that the keylogger stores all the information that passes through the keyboard, without much intelligence. Someone then has the job of visually deciphering the text. For example, if you type a URL to go to Hotmail, then your email address as the username and then your password, the collector will see something like
from which it is not hard to deduce the account name and that snoopy is the password. Some keyloggers even do this automatically, to capture passwords for common services (Hotmail, PayPal and others).
The solution proposed by Herley and Florêncio is as simple as it is ingenious. It turns out that keyloggers are very good at capturing everything that is entered, but usually have no idea where you are typing it. If you change application or window, the keylogger still just "records" a string of letters, which you can obfuscate as much as you want. The place (window, box, etc.) where you are typing is usually called the focus. The trick is simply to change the focus with the mouse between letters, typing random letters between the real ones. Changing the focus is just a mouse click in another area of the browser window (it does not matter whether those letters are displayed or not; they can go, for example, in the search box). So, to go to Hotmail and enter the password, it would go like this: hotmail.com, firstname.lastname@example.org, mouse click elsewhere, random letters, n, mouse click elsewhere, random letters, o, etc. What the keylogger would see is something like this: hotmail.comspqmlainsdgsosdgfsodgfdpuouuyhdg2
And so, with this ingenious low-tech hack, the password is much safer; if the scheme is made complex enough, it is almost perfectly protected.
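As an added illustration (not part of the original post or of Herley and Florêncio's paper), the following Python models the trick: each keystroke is tagged with the widget that had focus, a keylogger that ignores focus sees one flat string with the password scattered through it, while anything that also tracks focus, such as the screen-recording Trojans mentioned in the update below, can regroup the characters per field. The field names and decoy runs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Keystroke:
    """One key press together with the widget that had keyboard focus at the time."""
    char: str
    focus: str


def type_with_decoys(secret, field, decoy_field, decoys):
    """Model the Herley/Florencio trick: after each real character typed into
    `field`, click into `decoy_field` and type a run of decoy characters.
    `decoys` supplies one decoy run per real character (constructed sample data)."""
    stream = []
    for ch, decoy in zip(secret, decoys):
        stream.append(Keystroke(ch, field))
        stream.extend(Keystroke(d, decoy_field) for d in decoy)
    return stream


def naive_keylogger_view(stream):
    """What a logger that hooks the keyboard but ignores focus records: one flat string."""
    return "".join(k.char for k in stream)


def focus_aware_view(stream):
    """What the application (or a logger that also tracks focus changes) sees:
    the characters regrouped per widget, which undoes the obfuscation."""
    fields = {}
    for k in stream:
        fields[k.focus] = fields.get(k.focus, "") + k.char
    return fields


# Constructed sample: the password from the article typed with six decoy runs.
SAMPLE_STREAM = type_with_decoys(
    "snoopy", "password", "search_box",
    ["qx", "mla", "ins", "dg", "so", "dgf"],
)

if __name__ == "__main__":
    print("naive keylogger sees :", naive_keylogger_view(SAMPLE_STREAM))
    print("focus-aware view     :", focus_aware_view(SAMPLE_STREAM))
```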
Update: Daniel tells us by email that KeePass is a password manager (Windows, Mac OS X, Linux, free and open source) that can run from a USB stick and includes an auto-type function that lets you program how usernames and passwords are to be entered, automating the keystrokes (it includes commands such as Tab and Shift-Tab to switch the focus within the form in question and add the "distraction characters" to the password). You do have to customise it for each web page, but at least it lets you automate the trick a little.
Meanwhile, Dani reminds us that there are keyloggers delivered as Trojans (like computer viruses, they install themselves on your computer and send the password out) that are able to capture both keystrokes and video of what happens on screen, to which the on-screen number keyboard technique is sometimes also vulnerable. These Hispasec links have more information and a demo: New banking Trojan targeting Spanish and Latin American entities; Banesto Trojan capture [Flash]; and banking Trojan.