I'm trying to improve security in a web application. The application has an admin site and keyloggers are a concern that I'm trying to solve. Can the application do something that can prevent keyloggers from working correctly? I've read about Keystroke interference software (for each user keystroke they randomly add more keystrokes not interfering with user input), can something like that be done in javascript?

What do you want to protect against keylogging? – Noir 20 hours ago
    
I have a web site that administrates the server and all users and devices that are connected. I want to protect the login page. – Schockey 20 hours ago
    
You can't do anything about this except by introducing some kind of OTP. The answer of @Stephane contains everything you need to know. – Noir 20 hours ago
    
KeePass and similar password managers often have an option to perform exactly what you are mentioning. Beside: if you are using password managers you could simply change your password every day. – Bakuriu 18 hours ago
1  
Two-factor authentication (2FA) might be the solution that solves your issue. The people who use your website's service sound like they should be aware of the benefits of 2FA and shouldn't retaliate. – MonkeyZeus 17 hours ago
up vote 35 down vote accepted

Many applications make futile attempts to foil keyloggers and spyware by using convoluted (and cumbersome) password entry methods. None work against keyloggers and many actually cause users to be LESS secure because they make it hard to use password managers.

The best way to handle that kind of thing is to use one-time passwords. There are several ways to go about it so let me suggest two: TOTP (RFC 6238) works with many software authenticators (Google Authenticator, for instance), so it's convenient, cheap to implement and free to use. It does require the user to set things up and have a smartphone, though.

Another approach is to send a one-time password through SMS. This is a bit more expensive (because you have to send the message) but it's also easier for the user (who only needs a mobile phone and no setup).

It's also worth noting that the two methods above aren't mutually exclusive. Some sites allow a user to obtain a code by either method. – Lily Finley 12 hours ago
1  
Also, note that some users have phone numbers that allow access without the phone; for instance, everyone with a Google Voice number can access their SMS messages through Google Hangouts. This means that for them, SMS isn't really a second factor at all - it's just another account an attacker could gain access to remotely. – Xiong Chiamiov 11 hours ago
    
I have authentication on my PC with Authy and 1Password. It might be better to say that it requires the user to download yet another application, as some people get quickly annoyed by that. – Spotlight 9 hours ago
    
"None work against keyloggers" remark is incorrect. "None work against (key+mouse+screen)-loggers" would be correct. This might make some difference because screen-loggers have to handle more data. – Eugene Ryabtsev 3 hours ago

If you were dealing with keyloggers in isolation, then it might be possible to mitigate the risk (e.g. using on-screen keyboards, 2FA or similar); however, if an attacker has the ability to install a keystroke logger on the system it is very likely (apart from physical keystroke loggers) that they have privileged access to the system in question and as such would likely be able to circumvent any other protections you put in place (assuming that they're motivated to do so).

For example, as this is a web application, say you implement 2FA: once the user has authenticated, a session token is issued and then in general remains valid until an idle timeout occurs or the user explicitly logs out. If an attacker has privileged access to the system it would be possible for them to issue "keep-alive" requests to prevent idle lockout and use browser injection to defeat the logout.

If you're concerned about users accessing a privileged system from compromised clients, then a better solution is to make use of dedicated/locked down devices and restrict access to only those devices.

+1 for the good point that for situations that really require strong security for a resource, using dedicated/hardened clients to access that resource is often necessary. However, I think it's necessary to remember that even if 2FA isn't the magic auth bullet that some think it is, when implemented well it (at least) makes the bad guy's job considerably harder & more complicated vs. static auth only. – halfinformed 4 hours ago
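The answer above describes how keep-alive requests from a compromised client defeat an idle timeout. The following added example (not from the answer or any framework) makes that concrete and shows the usual bound a server can still enforce: an absolute session lifetime measured from login, which keep-alives cannot extend. The policy values and the `Session` record are assumptions for illustration; the simulation drives a session with periodic keep-alives and reports how long it stayed valid with and without the hard cap.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for this example (not taken from the answer).
IDLE_TIMEOUT = 15 * 60            # seconds without a request before the session lapses
ABSOLUTE_LIFETIME = 8 * 60 * 60   # hard cap from login; refreshed by nothing


@dataclass
class Session:
    created_at: float    # time of successful login (after 2FA)
    last_seen_at: float  # time of the most recent authenticated request


def session_is_valid(s: Session, now: float,
                     absolute_lifetime: Optional[int] = ABSOLUTE_LIFETIME) -> bool:
    """Accept a request only if both the idle bound and the absolute bound hold.
    absolute_lifetime=None models a server that relies on the idle timeout alone."""
    if absolute_lifetime is not None and now - s.created_at > absolute_lifetime:
        return False
    if now - s.last_seen_at > IDLE_TIMEOUT:
        return False
    return True


def handle_request(s: Session, now: float,
                   absolute_lifetime: Optional[int] = ABSOLUTE_LIFETIME) -> bool:
    """What the server does on every authenticated request: check, then refresh
    the idle clock. Note that only last_seen_at moves; created_at never does."""
    if not session_is_valid(s, now, absolute_lifetime):
        return False
    s.last_seen_at = now
    return True


def simulate_keepalives(interval: int, hours: int,
                        absolute_lifetime: Optional[int] = ABSOLUTE_LIFETIME) -> float:
    """Send a keep-alive every `interval` seconds after login for up to `hours`
    and return the last time (seconds since login) at which the session was
    still accepted. Constructed scenario: the client is a compromised browser
    issuing background requests on the attacker's behalf."""
    s = Session(created_at=0.0, last_seen_at=0.0)
    now = 0.0
    end = hours * 3600
    while now + interval <= end:
        now += interval
        if not handle_request(s, now, absolute_lifetime):
            return now - interval
    return now


if __name__ == "__main__":
    print("idle-only, 5-min keep-alives, 24 h:", simulate_keepalives(300, 24, None), "s")
    print("with 8 h cap, 5-min keep-alives, 24 h:", simulate_keepalives(300, 24), "s")
```

With only an idle timeout, five-minute keep-alives hold the session open for the whole simulated day; with the absolute cap it ends at eight hours regardless. That bounds the exposure of a hijacked session but, as the answer says, does not remove it: an attacker on a privileged client can simply wait for the next login.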

JavaScript cannot control low system calls and change them to get that keystroke interference. Even user-mode software protections are defeated by kernel-mode keylogging.

You can protect against hardware keyloggers by having an onscreen keyboard, which can be easily implemented.

Software keyloggers are more powerful. Smart banking trojans also capture HTTP requests and screenshots when the mouse is clicked in the banking website. Some also steal one-time-passwords or bypass them.

5  
Onscreen keyboards are inefficient to protect users against spyware and very easy to work against. It's snake oil security. – Stephane 18 hours ago
4  
@Stephane My unscientific research has shown that implementing an onscreen keyboard to be 100x more secure for sites primarily accessed via desktop browsers because your userbase will shrink to a hundredth of its previous size due to rage quitting. – Dan Neely 11 hours ago
    
The exact way onscreen keyboards are defeated is described e.g. here. This requires more sophisticated (and software) loggers, but by now these might have gotten some traction. – Eugene Ryabtsev 3 hours ago

If you are concerned about keyloggers that log key strokes (manual password entry) or copy/paste (password manager) then you have to use the mouse:

  1. Show the user a virtual keyboard to enter the password. This is really not very user-friendly and hard to set up for global usage (regional differences in the keyboard layout). I would still let the "not-so-paranoid" users enter their password how they are used to.

or another (peripheral) device:

  1. Two-factor authentication through an app or SMS.