Hardware For Protecting Your Passwords?

AstroBush asks: "I was reading this article which raised a very interesting question: Hardware keylogging devices now exist which can record all output of the keyboard regardless of operating system, permissions, or any software-based controls. How can I protect myself from having a co-worker (or student, thief, ex-wife, etc...) using one of these devices on my machine? Is there any keyboard available which encrypts output before it reaches the computer?"
  • If you only ever key in the wrong password, no-one else will be able to get in either. True, it may reduce your productivity but it is more secure.

    You might also want to consider using a slide-rule rather than a computer.
  • Use a one time pad for logging in. This way, someone may monitor one session, but that doesn't open up your machine.

    Joe
  • If the device that intercepts it is between the keyboard and the computer, then a keyboard that sends encrypted text will still get read -- of course they will not have your password, but they will just have to replay the data collected when you typed in your password! -- as others have said, if they have physical access, just forget it, they have it -- if nothing else, an over-the-shoulder camera! (Remember Sneakers!)
    ;-}
  • by addaon ( 41825 )
    Silly question. As another poster said, the instant they get to your hardware, just give up. Fine, let's postulate a keyboard which entirely encrypts everything, unbreakably. So the person who would otherwise just log your keystrokes instead puts a little RF transmitter under each key that triggers when the key is depressed... in effect, they've mirrored your keyboard, and now have a perfect key logger, even if your keyboard isn't plugged in. The simple fact is that there is no safety, once you allow people to fiddle with your hardware. The solution? Don't let 'em.
  • How about plugging in a USB keyboard you carry with you? Of course, make sure it plugs directly into the back of the computer and not into a duct-taped USB hub (nothing suspicious here). Lock up the box and you are set for the physical security.
  • "How can I protect myself from having a co-worker (or student, thief, ex-wife, etc...) using one of these devices on my machine? Is there any keyboard available which encrypts output before it reaches the computer?"

    I think the answer is, "you can't". The information is unencrypted at some point, and if your adversary has physical access to your computer they can get at it. The FBI has been known to install bugs within the keyboard itself [philly.com] to record keystrokes in cases where the target has encrypted the data on the computer.

  • If you are doing something so important that someone is going to go to the time and trouble to attach a keystroke monitor to your pc, maybe you should hire some guys with guns to secure your computer.
  • Copy and paste letters from words with your middle mouse button (or whatever it is in your OS), e.g., for the password "fruit" take an f from "firewall", r from "reply", etc. :-)
  • I have an easier solution. Every time you sit down at your computer, check the keyboard cable and make sure it plugs into the computer rather than some mysterious "black box" that somebody's put there. If you think somebody's going to put one inside your keyboard, then take the keyboard with you every time you leave. Consider locking your PC case to prevent anyone from opening it to install a device in there. Like somebody already posted, if you don't have physical security for your machine, you're pretty much screwed anyway.
  • NO, Wrap your computer in Foil!
    They could never transmit!
    Bwahahaha!
  • As long as you are using the same password each and every time, there really is no guarantee that something somewhere between your fingers and the server you're talking to will not intercept and record your password.

    The answer to this for security-conscious organizations is SecurID. See http://www.rsasecurity.com/ [slashdot.org] for more info.

  • That, or it's not very funny.

    Anyway, the answer is no. If they can tamper with your hardware, you're thoroughly screwed.
  • Time Password system. You can either generate a list of passwords and carry them around in your pocket or run a password-generating utility on a PDA. If someone snags one of those "disposable" passwords, it will do them no good.

    2. Don't use passwords; switch to public keys and store your private keys on a smart card or iButton (which someone else already mentioned).
  • My browser munged the first part of my post. It should have said:

    1. Use a One Time Password system.
  • Unfortunately, one of the keyloggers out there is a device that is placed INSIDE the keyboard case, between the circuit board and the cable. Physically, it's a small printed circuit with a couple of chips, an n-pronged jack for the cable end and an n-holed jack for the board end. An internal inspection of the hardware will discover it, of course, if you know what you're looking for. If you don't, it's just more "magic chips."

    This is much harder to find than the KeyKatcher, which is an 8KB keyboard dongle about the size of two PS2 keyboard plugs back-to-back (longer and narrower than a quarter.) It has a KK logo on it which looks kind of like a fast forward or rewind icon. It's installed by plugging the keyboard into it, and plugging the other end of it into your PC. It's technically about within the installation limits of your typical boss.

    I think all of the current technology keyboard memory dongles are physically very small and have quite stringent memory limits... 8KB and 32KB come to mind. If you have enabled your keyboard's typematic repeat (usually a BIOS setting, set the repeat rate to as fast as it'll go) you could probably blow a 32KB buffer by setting a book on your spacebar for an hour before typing your password. Of course, IANAS (I Am Not A Spook) so I don't know if they've got 512KB buffers or radio transceivers installed in your keyboard. So, if you get busted, I'm hereby officially disclaiming any liability.

    John

  • by satch89450 ( 186046 ) on Sunday April 01, 2001 @10:18PM (#321460) Homepage

    For any keyboard system to be encrypted, you would need both hardware and either firmware or software support for it. Given the power of the CPUs put into keyboards, I don't think you would find strong enough encryption to be useful. After all, with a keyboard it's dead simple for a perp to run a known-plaintext attack on the keyboard.

    Consider a laptop that you keep in your possession at all times, or lock in a safe when not in use.

    Physical security is all-important with keyboards.

    (And I hope this wasn't the last of the April Fool's Jokes -- they got old real fast this year.)
