Become a fan of Slashdot on Facebook


Forgot your password?

Best Way To Avoid Keyloggers On Public Terminals? 701

goombah99 writes "While on vacation, I occasionally need to check my e-mail on a public terminal. What are some good techniques for avoiding keyloggers? Most of my ideas seem to have major drawbacks. Linux LiveCD can probably avoid software keyloggers, but it requires an invasive takeover of the public terminal, and is generally not possible. offers a free reverse proxy that will decode your password from a one-time pad you carry around, then enter it remotely. But, of course, you are giving them your passwords when you do this. You can run Firefox off a USB stick with various plugins (e.g. RoboForm) that will automatically fill the page in some manner they claim to be invulnerable to keyloggers. If that's true, (and I can't evaluate its security) it's getting close to a solution. Unfortunately, keeping the password file up-to-date is a mild nuisance. Moreover, since it will need to be a Windows executable, it's not possible for people without a Windows machine available to fill in their passwords ahead of time. For my business, I have SecureID, which makes one-time passwords. It's a good solution for businesses, but not for personal accounts on things like Gmail, etc. So, what solutions do you use, or how do you mitigate the defects of the above processes? In particular, how do people with Mac or Linux home computers deal with this?"
This discussion has been archived. No new comments can be posted.

Best Way To Avoid Keyloggers On Public Terminals?

Comments Filter:
  • I don't type (Score:5, Interesting)

    by dmomo ( 256005 ) on Wednesday April 23, 2008 @10:12PM (#23178298)
    I click around on icons until I can copy and paste a lot of letters into a single file. Then, with my Alpha-pallette, I cut and paste each letter as needed.
    • by Anonymous Coward on Wednesday April 23, 2008 @10:27PM (#23178440)
      I store my password at so I can just copy/paste when I'm remote.
    • Of course, there's still the difficulty that the browser itself is compromised, or that the network connection is being sniffed.

      I think the solution is best, albeit cumbersome, and if you want true security, you'll need to implement the service yourself.
    • Re: (Score:3, Insightful)

      by g0at ( 135364 )
      Why not simply type the alphabet into the file, and save yourself ten minutes at the outset?

    • Re:I don't type (Score:5, Interesting)

      by JustinOpinion ( 1246824 ) on Wednesday April 23, 2008 @11:05PM (#23178742)
      Apparently* many modern keyloggers also capture the clip-board and record mouse movements (so as to defeat those "visual keypads" that some banking sites have implemented to thwart keyloggers). I guess the additional steps of assembling your password from pieces will prevent some attacks (e.g. where the attacker just uses the logged keystrokes, in order, for a dictionary attack on your account)... but a determined attacker may still be able to reconstruct your password from the combined key/mouse/clipboard history.

      Every bit of security helps, but I don't think we should be under the illusion that keylog-writers haven't caught on to these kind of tactics.

      *This is based upon a talk I was recently at where a Symantec security analyst was asked about keyloggers.
    • Re: (Score:3, Interesting)

      by Neodudeman ( 1259256 )
      The problem with this is that any capable keylogger catches it. In fact, all the good keyloggers catch all Copy/Paste commands, and even the input from Windows+U 'Virtual Keyboard.' A good solution would be to type your password backwards. After ever letter, use the mouse, not the keyboard, to select before the asterisk you just made, and type the next (previous) letter.
      • Re: (Score:3, Insightful)

        by porl ( 932021 )
        it is odd that this question came up today, as (for some unknown reason, just my mind wondering i thing) i was thinking of how to do this just last night. my thought was almost the same as yours, but i was thinking more randomly building the password with clicks and keys, eg if the password is 'dogfood' then maybe type 'g', then click to the left, type 'd', click to the right and another 'd', then click between first d and g and type 'o' etc. would be a real pain, but more of a pain to decipher, especially
      • Re: (Score:3, Insightful)

        by mcpkaaos ( 449561 )
        That still gives the person logging keystrokes a valid password, even if it's scrambled (unless I misunderstand your approach). It would be trivial for them to try all possible combinations when they realize what you entered doesn't work as-is. An automated attack program probably already does this unless it's trying to keep a very low profile.

        all the good keyloggers

        This type of attack might also include a packet sniffer on the machine, rendering any clever input techniques useless. The only real way to avoid loggers/sniffers

  • Simple Answer -- (Score:5, Insightful)

    by barbam ( 1134455 ) on Wednesday April 23, 2008 @10:12PM (#23178306)
    Umm -- simple answer, don't access trusted information from an untrusted terminal? You can have no expectation of privacy while using that machine.
  • Copy and paste your password from random letters around the page. Unless they log everything that goes into the clipboard they can't tell what you put in. You can also copy/paste extra letters and paste over them for added security if you're really paranoid (or they log the clipboard).
  • Simple idea (Score:4, Interesting)

    by Mieckowski ( 741243 ) <> on Wednesday April 23, 2008 @10:16PM (#23178344)
    You could type the letters out-of-order, then rearrange them using drag+drop. Someone with a keylogger probably wouldn't bother using the mouse input to figure it out.
  • by syousef ( 465911 ) on Wednesday April 23, 2008 @10:16PM (#23178346) Journal
    I'm not trolling here. If you're being keylogged, then even if your password isn't stolen, every single thing you do on that computer must be treated as public. Emails would be keylogged too.

    Once you suspect a terminal is owned, that's it, game over, don't trust it. Probably not what you want to hear, and definitely not convenient for you, but every other solution is a compromise in security.

    The ONLY alternative I could think of that I can stomach is to have a separate email address that you use only from public terminals. Change the password often and consider anything you say via that account to be as public as if it were announced over a PA system at an airport.
  • by JazzXP ( 770338 ) on Wednesday April 23, 2008 @10:17PM (#23178356) Homepage
    Any smart keylogger will look at the raw text behind any password field on a website. Cut and Paste etc would be useless.
  • by sznupi ( 719324 ) on Wednesday April 23, 2008 @10:18PM (#23178366) Homepage
    Enter your password in a different order than it is spelled? Simplest example: given your pass is "password", first write "pasrd", click between 3rd and 4th asterisk, complete it by entering "swo". The more complicated, the better.

    I'm using this when I absolutelly need to use web cafe/etc....should fool most keyloggers, I guess. I still change my password afterwards as soon as possible.
    • Re: (Score:3, Interesting)

      by mysidia ( 191772 )

      This does not necessarily work. Complacency that once upon a time it fooled keyloggers does not make it a sound tactic for evading them.

      The strategy is well-known, and you can expect an advanced keylogger to detect it.

      The keylogger can pick up on the keystroke and identify the active window handle. The text boxes that have password masking turned on stick out like a sore thumb.

      Identifying the cursor position is not hard.

      The mouse coordinates you click on will be within the text box and wi

  • use a temp account (Score:2, Insightful)

    by Anonymous Coward
    I used a temporary account for email while on vacation. Stolen? No big deal. Throw away when done.
  • S/KEY (Score:5, Interesting)

    by Ernesto Alvarez ( 750678 ) on Wednesday April 23, 2008 @10:20PM (#23178380) Homepage Journal
    To get root access on my server, I use a one time password system(rfc 2289). I use a S/KEY calculator on a palm pilot, and PAM Opie on the server. The public terminal never sees a long term password, it never leaves the PDA.

    Not much else to be said. Maybe you could also use a crypto token and asymetric crypto, but considering that you need drivers, I'd say it's not practical. You might still use some sort of somewhat disposable private/public key. That should defeat keyloggers, but you risk getting your key compromised (that's why it's disposable).
    • Re: (Score:3, Interesting)

      by goombah99 ( 560566 )
      Could you expand on this. How does one go about setting this up on say a mac?

      What I'd really like to skip the PDA. Instead just take a page of say 100 one-time passwords. But how might one set this up? I'm handy with perl but I'd prefer a robust worked out solution.
      • Re:S/KEY (Score:5, Informative)

        by Ernesto Alvarez ( 750678 ) on Wednesday April 23, 2008 @11:47PM (#23178974) Homepage Journal
        You won't get a more robust worked out solution than a IETF standard......

        I don't have a mac, and I'm not experienced enough with *BSD to know exactly what to tell you, my explanation on Debian GNU/Linux will have to do.

        First, let me tell you that this is not my first line of defense, I also use ssh pubkeys and I definitely do not log on public terminals. OPIE is just there in case someone pwns one supposedly trusted terminal.

        What I do is I creatively use PAM. I installed PAM-OPIE []on my system. It comes with a few userland apps (a password changing program and a one time password calculator) and an authentication module.

        The next thing to do is to modify the pam configuration so it calls as an authentication. I set it up so that inputting the correct one time password grants access, while leaving the regular password system as a fallback only when used on the local terminal.

        # Sets up user limits, please uncomment and read /etc/security/limits.conf
        # to enable this functionality.
        # (Replaces the use of /etc/limits in old login)
        # session required

        #Sistema hibrido opie-password

        auth sufficient
        auth required
        auth required

        The text above is part of my pam configuration for su. Basically, I tell pam that answering correctly to pam_opie grants access, no matter what. If I fail S/KEY (opie), the system checks whether I'm on the terminal or remotely. If I'm not on the terminal, no matter what password I use, it'll never grant access.

        On the userland, OPIE has a program, called opiekey, that calculates the next set of one time passwords you will need. That's what you should use to generate your set of 100 passwords. I don't use it since I have a calculator with me (the PDA). In order to set your long time password, you use another program, called opiepasswd, pretty much like the normal passwd program.

        I don't know what you're planning to use to access your system (I hope ssh or something secure), but you should change pam's configuration for that program so it does something like the example above.

        Let's say you use SSH. You change /etc/pam.d/sshd (or your OSX equivalent) to something like the example above. Then you set sshd to ALLOW keyboard-interactive logon [] and nothing else (or better, keyboard-interactive AND pubkey at the same time). When you connect the ssh client should open a secure connection and the server should issue the challenge, and you send the correct response.

        No need to use perl or anything, PAM is part of the basic authentication system (I think it is on BSDs except OpenBSD). You might need to download a copy of pam_opie, though (thanks to APT, that's trivial in debian, check with your package manager).

        That's pretty much it. I've put pointers to the freebsd docs, and it can't be that different from linux. I guess it should be pretty similar in mac too (would have pointed you to the mac docs, but I don't know where to find them).

        If you have any doubts, don't hesitate to ask.

        BTW, while on vacation the only thing I concentrate on is getting a nice sun tan. The other posters are right telling you not to log on a public terminal and not logging in while on vacation. That's my advice.
    • Re: (Score:3, Informative)

      by LazyBoy ( 128384 )
      Java Cell Phone impl. []
      Python impl. []
  • You are on vacation? Don't read your email. Second, buy a wi-fi device or smartphone. Third, I have been away from slashdot for a long time so, um, what the hell is this thing I am typing into?
  • by bluemonq ( 812827 ) on Wednesday April 23, 2008 @10:22PM (#23178400)
    Just always run Firefox off of the stick (even while you're at home). Otherwise, the only thing I can suggest to you is to pull up the virtual keyboard and input using the mouse; you'd have to move the window around after every few characters to try to fend off programs that track mouse movements also. If the machines Tempest-ed (or its local equivalent) or the screen is being recorded, you're out of luck anyways. If it's not your machine, you really can't do anything about this sort of thing.
  • Several options (Score:3, Informative)

    by gweihir ( 88907 ) on Wednesday April 23, 2008 @10:23PM (#23178402)
    One-time passwords are the best, since they require a man-in-the-middle ralt-time attack to be broken. This is very unlikely on a public terminal. As to implementation, carrying around a printout is propbably enough for the avaliable remote-login solutions for Unix.

    For Web-Stuff, and other servers you do not control, you are screwed, unless you can reboot the machine with your own system. There is basically no way around a keylogger without that. If the attacker invests a bit more, thay can also directly listen to the keyboard via hardware-device.

    The best option is still to have your own reasonably secure device (PDA, Laptop or the like) and use wireless Internet. With the eee PC this just got a lot more affordable.
  • How about this... (Score:4, Interesting)

    by stwf ( 108002 ) on Wednesday April 23, 2008 @10:26PM (#23178430)
    So, thinking about this a bit...the point is you need a password that can't be used later. The digital services are fine, but do we really need more than a 1-5 minute resolution here?

    So a clever IT department could make passwords dependant on the time and date. Print out a code sheet, different for each employee, with words substituted for the date and time, a short word for the date and a short word for the ten minute time period you're in, something like that.

    This way the password would be useless to a logger, you'd need a code sheet to log in, but it doesn't seem like it would be THAT much trouble (if your info is so important you're this paranoid...)...

    I call the patent!
    • Re:How about this... (Score:4, Informative)

      by timeOday ( 582209 ) on Wednesday April 23, 2008 @10:44PM (#23178566)
      What you just described is almost exactly what a password generator is (CryptoCard, SecureID). If you don't use them for long enough the clocks can drift apart and it won't work anymore. They have two advantages over your password table however: they require a PIN, and each generated password can only be used once.
    • Auto Password Send? (Score:5, Interesting)

      by cgenman ( 325138 ) on Wednesday April 23, 2008 @10:55PM (#23178660) Homepage
      This would require server-side scripting, but what if each account kept a phone number on file? If the person uses the correct password, keep them out but text message them a single-use password. They can now log-in with the single-use password.

      Now the system requires something you know (your password) and something you have (your phone).
  • by ISurfTooMuch ( 1010305 ) on Wednesday April 23, 2008 @10:29PM (#23178446)
    ...then don't use a public terminal.

    I'm really not being flippant here. The posters above have listed some ways around a basic keylogger, but there are other ways a system can be compromised. You could be dealing with a program that takes screenshots and/or reads the clipboard at random intervals. Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.

    My policy on using public access computers is that I only use them when I have no other choice, and the more valuable the data I need to protect, the less likely I am to use one.

    There are so many more attack vectors than a keylogger that, if I were you, I wouldn't just focus on that one thing. If your data really needs to be secure and accessed remotely, get yourself a laptop and a data card from one of the cell carriers. At least that way, you can keep physical control over your machine and avoid the risks of using a hotspot. Of course, if you think that someone will be able to tap into your wireless connection through a cell phone carrier, than you likely have more issues than we can address here.
    • by jamesh ( 87723 ) on Wednesday April 23, 2008 @11:17PM (#23178816)

      Hell, there could be a program on there that silently redirects you to bogus lookalike sites that steal your info. Not that this is likely, but it's possible.

      That would be dead easy to do on the part of the public terminal provider... Figure out the top (say) 10 banks that visitors normally use. Set up local DNS records that point to your phishing site, or just use IP DNAT to redirect them. Install certificates for each of your phishing sites on the public terminal so that they are trusted.

      Unless you knew the fingerprint for your banks certificate you'd never know the difference, and even that could be spoofed if they had complete control. If they were using IP DNAT then even the IP address would appear correct.

      In short, there is no solution if you don't have complete control over your terminal!

      In the above example, if the phishing site was acting as a 'man in the middle' then even 2 factor authentication on logon wouldn't help you. Once you'd logged on the phishing site could just report 'Connection error - please try again later' and then go off and do stuff on its own. If you had it set up so that any funds transfers required another authentication with your 2nd factor device then that simple hack wouldn't work but it wouldn't be too hard to come up with something that did.
  • Create an account specifically for when you are at a public terminal, that has the following behavior: Whenever you log into the account, the password is automatically changed to a random temporary password right afterward. Then, at your convenience (when you are at a secure terminal) you log in as admin and reset it to something new. This is just off the top of my head so maybe there is some flaw, though.

  • by Joe The Dragon ( 967727 ) on Wednesday April 23, 2008 @10:35PM (#23178494)
    A LiveCD will not save you from a hardware based key logger
  • KeyScrambler (Score:4, Interesting)

    by techMech ( 1278336 ) on Wednesday April 23, 2008 @10:36PM (#23178496)
    You could try running Portable Firefox with KeyScrambler from a thumb drive. []
  • by Whuffo ( 1043790 ) on Wednesday April 23, 2008 @10:40PM (#23178530) Homepage Journal
    When you're talking about a public terminal - a machine that everyone and his dog has had access to - then you have to assume that it's totally compromised. You can't take countermeasures against exploits that you don't know and can't identify.

    If you've got to stay in touch on the road then take your own machine along - either a laptop or a portable device like an iPhone. You can find wireless access almost anywhere and while that wireless may be hacked, at least the machine you're using won't be.

    The suggestions to use a Linux CD or Firefox from a USB memory stick aren't going to give you the safety you're looking for. Even if you boot from a CD, the system will still read the MBR from every drive connected to the system when it boots. If that MBR is "adjusted" then that machine is compromised no matter what you do.

    Remember: do NOT enter any information into a public terminal that you wouldn't want to publish in the newspaper.

  • by MrSteveSD ( 801820 ) on Wednesday April 23, 2008 @10:41PM (#23178538)
    I once had to remote support a customer in another country and they sent us a little card-sized gadget that displayed a random code that changed every few minutes. It was synchronised (by the clock being pretty accurate I suppose, or possibly by radio signal) to an identical random code list at their site. So whenever we wanted to log in we just looked at the current code on the card, typed it in and at their end the code was checked against the current code.

    This sort of set-up could be very useful for people who frequently use public terminals. Your code can still be compromised but the crooks would only have a few minutes to retrieve and use it. Maybe you could even have it so that when you use a code once, the central code verification server invalidates it, so no-one else can log in, even if they do get the code quickly.

    I don't believe anything like this exists for the average person wanting to use normal email accounts though. Anyway, none of this changes the possibility that there are screenshots being taken every few seconds so that all of your private emails will be viewed later anyway.
  • by Knightman ( 142928 ) on Wednesday April 23, 2008 @10:48PM (#23178604)
    I built a system in the late 90's where you had a web-page where you entered an account-name. That name was tied to a cellphone number which was sent a generated password as a text-message. The password was only valid for 5 minutes.

    AFAIK it's still in use and have never been cracked.
    • Re: (Score:3, Funny)

      by Adambomb ( 118938 )
      Now that is an awesome idea. You could even have it set up such that you could sms back to a system tied cell line if you suddenly received your own password without requesting. the sms could trigger a change in the configs so that it uses a next-domain-in-the-rotation or failing that, change the current url for the frontend. If the users of the system knew the list of possible domains/urls that'd make it even tighter heh.

      damnit, why didn't i think of that one you bastard =)
  • by riprjak ( 158717 ) on Wednesday April 23, 2008 @10:50PM (#23178620)
    ...I carry my own means to do so. Wether that be a smartphone, iPod touch, PSP, laptop with wifi, wireless broadband or (a consideration when I am travelling in developing nations) a satellite modem...

    IMO, the use of a public terminal for private purposes is the height of stupidity.
  • by Ralph Spoilsport ( 673134 ) * on Wednesday April 23, 2008 @11:00PM (#23178698) Journal
    "In particular, how do people with Mac or Linux home computers deal with this?"

    I bring it with me - I have a macbookPro and I don't use public terminals. You can get cooties that way.


  • by Shazow ( 263582 ) <> on Wednesday April 23, 2008 @11:41PM (#23178938) Homepage
    Setup VNC or something similar on your home desktop. Create a list of passwords you'll use for the duration of your trip.

    Every time you stop by at a cybercafe, connect to your VNC, do your business with all your passwords pre-saved safely on your home desktop. Once done, execute a script which will change the password to the next password on the list, log out, and move on.

    I haven't done this myself, but last time I went to Italy and had to use some really shady cybercafes, I really wished I had a system like this in place...

    - shazow
  • by AsmordeanX ( 615669 ) on Thursday April 24, 2008 @01:08AM (#23179402)
    It blows my mind when I see someone logged into their bank/email/etc from a public terminal.

    I was once friends with a guy that carried around a PS/2 keylogger that he would plug into university terminals for a day or two then pick it up later. He just wanted to see what he could find. He found everything from people doing homework, cybersex, and even bank info. Now if he was actually out to do harm, he could have really made things bad for hundreds of people.

    If it's not yours then just assume that it has a loudspeaker on it broadcasting everything you do to everyone around you.

    And for those that think cut&paste, screen keyboards, etc will protect them. I personally installed a keylogger on a friend's PC to catch her then, 12 year old son, looking at porn. The log files had a play button which would replay every mouse movement, screen change, and keyboard input for up to 96 hours. This was about 7 years ago so I'm sure they've gotten better.
  • by kiwioddBall ( 646813 ) on Thursday April 24, 2008 @03:17AM (#23179912) Homepage
    A standard part of Windows. I don't know about other OS'es.
    On Windows 2000 (prob same on XP etc) Start / Programs / Accessories / Accessibility / On Screen Keyboard.
    Click in your Password field. Enter your password using the mouse on the on screen keyboard. Good enough.
  • by caluml ( 551744 ) <> on Thursday April 24, 2008 @04:39AM (#23180214) Homepage
    Write a script, that, when run, will set your user password to the top one of a list, and delete that one from the top.
    Keep a copy of the list with you, SSH in (or whatever), and run the script immediately.
    Assuming no-one tries to log in from the time you enter your password in the Internet cafe to when you run the script, and change it, it's a perfectly safe method.
  • by hAckz0r ( 989977 ) on Thursday April 24, 2008 @06:24AM (#23180508)
    It seems to me that a Blackdog [] might help get around at least some of this problem given the right setup. Think about this scenario; You walk up to the public terminal and plug in the Blackdog into the USB port and it boots up a X-Terminal session on the host, and from there you use ssh and port forwarding to proxy your web traffic to a trusted host at home/work through its ssh VPN. The authentication is done via a secret key stored on the Blackdog and unlocked via something like s/key or a keyring stored on the blackdog, and subsequent passwords could be either injected into the session by the Blackdog processor environment, or stored in a Firefox browser running from the dongle itself. Keystrokes might be visible but if the Blackdog can supply the authentication where needed then the crooks can't reconstruct enough of the session to do or learn anything. Sure they might log a bunch of mouse movements and a few key strokes but they would not even know what application those keystrokes were going to much less what sites you visited.
  • by demallien2 ( 991621 ) on Thursday April 24, 2008 @07:01AM (#23180646)
    On a public system, you cannot know that the Firefox you are running does not have some unique modification. Such an approach is way easier than trying to use a keylogger. These days I am very suspicious of public systems that ONLY provide Firefox/other open source browsers. It's probably one of the rare situations where I prefer to use IE. That said, if you use anything other than a throwaway password from a public terminal, you are extremely foolish.
  • by 404 Clue Not Found ( 763556 ) * on Thursday April 24, 2008 @07:48AM (#23180814)
    You shouldn't trust public terminals, period. All input (including mouse movements you may be using in place of the keyboard) can be recorded, as can network transmissions.

    That said, however, sometimes you just don't have a choice. In that case, the one-time password thing is a good idea, but why it to a third party? I'd make my own:

    Have a script check your mailbox(es) every few minutes, then publish all new mail to a webpage -- this is so that if the page is breached, the attacker only gets access to the text of your received email and cannot reply or otherwise hijack your actual account. Protect that page with constantly-changing, disposable passwords. You can either have a list of random ones that expire after every use (and carry the list around with you) or use a pattern of some sort that's hard to guess.

    Maybe something time-based, but obfuscated, like "asdf_pwo41" based on April 24th, 4AM -- asdf_ is just gibberish of your choice, p> is the 2nd letter of "April", wo are the 2nd letters of "twenty four", 4 is the hour and 1 is for AM. The password would change every hour; thus, at noon tomorrow, it would be "asdf_pwi122". The passwords would look like gibberish to the casual observer, and even people who manage to collect several of them would have to work a bit to figure out the pattern. You'd get disposable passwords this way without having to rely on any third party (beyond a host for your script, perhaps) and without having to carry a list around. And if it gets stolen, they'd only be able to view your mail within the hour.

    If you're worried about snooping (as you should be), you could also:
    -Use SSL. This should be a given.
    -Have a "Log out"/"I'm done" function that immediately expires the current password once you're through with a session.
    -Have the script filter out personally-identifiable information before publishing the page. You can look for common patterns like phone numbers, email addresses, internal URLs, etc.
    -Publish emails not as plaintext but as images -- maybe use animated .GIFs that show gibberish for the first 5 seconds and then show your email (to protect against spying programs that take a screenshot after the page finishes loading).
    -Use CAPTCHAs -- perhaps before going from a message's subject to its full text; or perhaps you could render the entire email as a CAPTCHA if you're a masochist.
    -Have the script only display subject lines and have checkboxes that make it send selected full texts to your cell phone via SMS.

    Just throwin' around some ideas.
  • by multimediavt ( 965608 ) on Thursday April 24, 2008 @09:49AM (#23181952)

    I'm sure someone must have said this already, but if you are that worried about keyloggers and such on public terminals, DON'T USE THEM!

    I'd strongly recommend that you buy a laptop to take with you on vacation so you can check email, etc. from the road. If you're that paranoid about it then the simplest solution is to not use public terminals at all for tasks that require you to enter private data and make the investment in a cheap laptop.

Someday somebody has got to decide whether the typewriter is the machine, or the person who operates it.