Security: Keyloggers, Secure Input, Virtual Keyboards, etc.

(was: Passwords stay in Clipboard from 1PasswordAnywhere)
Let's say I'm on a public PC (Internet Cafe) and use 1PasswordAnywhere to copy/paste a password. How can I make sure nobody pastes my password(s) or reads them from the clipboard?

If I type in a main password to access all my other passwords and then copy/paste the desired password, people might 1. see me type in the main password and therefore can reach all my other passwords (nightmare) and/or 2. might paste or check the clipboard and get my copied passwords (still bad and can only happen when not typed but copied).

Thanks!

Comments

  • Hello, Noriker, and welcome to the forums!

    1) Unless your master password is very short or a recognizable word, it would be very hard for someone to figure out what it is just by watching you type it. They would have to be able to see all the keys on the keyboard and notice which order you typed them, which is increasingly difficult the faster you type.

    2) Assuming that only one item remains in the clipboard at a time, you can simply select a random piece of text on the screen and copy it to remove your password from the clipboard.

    Our resident security expert, Jeff, shares more thoughts (these notes are specifically about keyloggers, but the techniques apply to copying and pasting also):

    [font="verdana, arial, helvetica, sans-serif"]
    The bad news is that we have to recognize that if someone has control of the computer you are using they can - in principle - get at everything that happens on that computer. Because of this fact, the best thing is to avoid using machines that may be compromised. Since 1Password is available for iPhone, iPod Touch, iPad and Android devices, and it also runs wonderfully on Windows Netbooks and on Macbook Airs, there is a large range of portable devices you can use for accessing your 1Password data.

    However, if you must enter your 1Password master password on a machine that you don't trust, there are things you can do to reduce the chances that it is captured. One trick that I've used is to copy and paste fragments of my master password out of sequence. For example, if my master password were "1nce up-on a midDay Leary", I would try to first find, say, the sequence "ear" on my screen and copy/paste that in first. Then I might type a "y" after it and an "L" before it. Then, maybe from a word like "fence" I would find the "ence" string that I need and then type in the "1" and the space. I would continue this process of copying and pasting fragments and typing some other ones.

    Obviously this is a painful and error prone process. I could do it with just a few fragments and more typing. But mixing it up a bit (particularly putting things in out of sequence) should defeat key stroke loggers that seem to be out there today. Of course, things may change later.

    Another thing to keep in mind is that since some existing keyloggers also take periodic screen shots, you should keep your passwords concealed as much as possible.

    Because of the nature of a compromised machine, even the most sophisticated systems to defeat such loggers would only be stop gap measure. The best defense is to use your own hardware. As long as you are using your own computer and you log into sites using SSL (httpS), you will remain safe, even if you are on a network that you can't trust.

    [/font]
  • Noriker
    Noriker
    Community Member
    I see, thank you very much. Since I use software that allows me to paste the last couple of copies from the clipboard, I know that copying something else doesn't really overwrite the copied password. The mixed approach makes sence. Most likely it would be too much work for a thief to collect all this data and try different combinations. They are probably using just one method (hidden camera, key logger etc.).
  • cpr_metro
    cpr_metro
    Community Member
    I am now using SignUpShield made by Protecteer. I am VERY happy with this product, but now
    must switch apps since I am going to buy an iMAC and SignUpShield does not support this OS.
    .. so I am considering this APP.
    One feature excellent fesature that SignUpShield has is a virtual keyboard that pops up when entering the
    Master Password. You basically use your mouse to click on the virtualy keyboard. Keylogger
    will not be able to capture your password. If video capture it being used it will need to be
    virtually in real time to be able to catch every click you make.

    Does 1Password have a virtual keyboard to input the master password ?
  • khad
    khad
    1Password Alumni
    edited April 2011
    Welcome to the forums, cpr_metro! Thanks for considering 1Password! :-D

    The discussion above about keyloggers is centered around the notion of using the 1PasswordAnywhere feature on a computer other than your own. Two things come into play here. First, the computer is not and has not been under your control. Who knows what has been done to it before you began using it? Second, the odds of that computer being a Windows machine are statistically much higher than it being a Mac if you are using a public computer in a library or Internet cafe for example. Taken together, this presents a much higher reason for concern than if you are using (1) your own computer which (2) is a Mac.

    While no computer is immune from keystroke loggers, I am not aware of any software-based keyloggers in the wild that can or will infect your Mac without your consent. There are legitimate keyloggers (usually in the form of parental control or employee monitoring software) but these will not install without interaction from the computer administrator — yourself in the case of your own machine.

    Additionally, virtual keyboards are no match for keyloggers that also take screen shots when you click your mouse. One thing to consider is that once a rogue application has been installed on your machine, all bets are off. The best offense is a good defense: don't install the buggers in the first place. Practice safe computing by not opening unexpected file attachments or clicking links in email. Never enter your Mac OS X login password unless you know why you are prompted to do so. Mac OS X will always prompt you to enter your password when system files are about to be modified. If you are installing an application intentionally, enter your password and proceed. However, if you are not expecting the prompt, it is wise to click the "Cancel" button.

    Another great feature that Mac OS X has is called Secure Input. Any application can enable Secure Input (and 1Password for Mac does). With Secure Input enabled, all typing is passed directly to the active application — no other applications can observe your typing. Secure Input is used for entering passwords and other sensitive information. This means that if malicious key-logging software or “spy-ware” somehow gets on your system, it cannot record your passwords. Secure Input is generally enabled when you type into a password field. Some applications also enable Secure Input at other times.

    For more information, consider reading "How to Protect Your Mac From Keyloggers."

    So at this time 1Password for Mac does not have a virtual keyboard, but 1Password for Windows does have a virtual keyboard.

    If we can be of further assistance, please let us know.

    We are always here to help!
  • cpr_metro
    cpr_metro
    Community Member
    Very interesting. Many thanks for the thorough reply! :D

    I intend to buy both the Mac OS and Windows Version of 1Password.
    It appears they are sold as 2 separate programs.

    If they are 2 separate programs, can I first set up all my passwords on my MAC
    version and then import them to the Windows version ?
  • khad
    khad
    1Password Alumni
    I'm glad I was able to help.

    If you need to run 1Password in both Mac and Windows environments, you can save by buying a bundle license.

    can I first set up all my passwords on my MAC version and then import them to the Windows version ?

    I'll do you one better. How about keeping the data in sync automatically in the background? Simply install Dropbox and 1Password on your Mac, then click the "Move to Dropbox" button in 1Password's preferences.

    Once Dropbox has finished syncing your data on the Mac, install Dropbox on your Windows machine, wait for it to finish syncing in Windows, then install 1Password for Windows. It will automatically detect your data in the Dropbox folder and keep everything in sync from then on. :-)

    Please let me know how it turns out!
  • vonlost
    vonlost
    Community Member
    I looked around and didn't see an answer.

    The descriptions talk about entering a master password, but don't seem to say how to do it.

    I suppose most think of entering it on the keyboard, but I'm paranoid of keystroke loggers (my best friend's son installed such a logger and stole his dad's password!).

    Some banks use a stronger method, clicking on a screen keyboard to enter the password, even using random placement and shape of the keyboard in the frame to thwart click location logging; it's slower, but more secure, and I'll accept it once per session for peace of mind.

    Do you offer this alternate method for those of us wary of keystroke loggers? I'll buy if this security hole is absent.

    Thanks!
  • I love the product and have it on my mac's Ipad and iphone.

    Is not the whole way we input our "1 Password" to get into the program a large security risk. Mostly banks who are not using some sort of RSA device use mouse entry on a virtual keyboard to prevent interception from key loggers.

    Whats the possibility of looking into this for future releases.

    Thanks
  • khad
    khad
    1Password Alumni
    edited June 2011
    Welcome to the forums, vonlost and Bigjet!

    I merged your posts with the appropriate thread. Please see above and let me know if you have any additional questions or concerns. :-)

    Thanks!
  • Great thread... I wanted to ask a couple more questions about keylogger threats against Mac OS X (Lion specifically)..

    Scenario: Assume that a user got tricked into installing a malicious software through no fault of their own (ie. DevilRobberV3) and is now exposed to multiple threats.. (Keystroke logging, 1password keychain stealing, etc.)

    Q1: Couldn't utilizing the OS X Lion keychain provide additional protection for the 1password master password? My gut tells me this is more secure (probably an implicit trust in Apple), but the removal of this feature in 3.9 tells me Agile knows more than I do.

    Q2: Assuming that the protection in place is the best that can be done, given the above scenario... Has Agile considered adding in some form of 2 factor authentication? I wouldn't hesitate to purchase a keyfob (or a few, if many-to-one were somehow supported).. In my opinion, two factor authentication is the best practice to minimize the risk of modern attacks (trojans, keyloggers, crypto attacks, etc.).. I'm guessing the offline implementation of two factor authentication is probably difficult, but if it could be integrated with PBKDF2, it would be awesome..
  • khad
    khad
    1Password Alumni
    Welcome to the forums, infoman! It is great that you are thinking about these things.

    Did you have a chance to read our blog post about DevilRobberV3 yet?

    http://blog.agilebits.com/2011/11/17/defending-against-1password-harvesters/

    Offhand, I do not believe that DevilRobberV3 contains a keystroke logger, but it cannot be installed "through no fault of" one's own. It is a trojan that needs to be explicitly installed by an action of the user. In this case it was being distributed as part of a pirated copy of the wonderful Pixelmator app (which no one should need to pirate since it is a great app and worth every penny).

    We also have a blog post about multi-factor authentication:

    http://blog.agilebits.com/2011/09/23/two-factor-or-not-two-factor/

    Please let me know if you still have any questions after reading those two posts. I would be happy to answer them.

    Cheers,
This discussion has been closed.