a dumb question: on-screen keyboard...

would using an onscreen keyboard to type in passwords when on a wifi
hotspot avoid capture by keylogging programs? reason i ask, i was just
reading a Norton email about password security and they mentioned that
one shouldn't log in to a bank site when on those hotspots due to
possible key loggers.

Dave

oh, and my ING account sign in page has an onscreen keypad for entering
log in info, ostensibly to avoid keyloggers, I believe...

Dave

Keyloggers run on individual machines, not on entire hotspots. The session
between a workstation and the bank's web server is protected with SSL. So if
someone were sniffing traffic from the hotspot, your password would be
protected. However, if you were using some kiosk computer (rather than your
own), then it is possible that keylogging software on that machine could
intercept your password before it gets passed to the SSL encryption. I never
worry about hotspots, because I always use only my own laptop. I do, though,
worry a bit about kiosks.

Onscreen keyboards really don't help here. Sure, they can thwart keyloggers,
but what about screen recorders? What about rootkits or trojans (again,
installed on a kiosk) that can hijack a session after login happens? Public
machines simply present too many risks.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"David" <david@invalid.com> wrote in message
news:57WdnX9LFOxh3HTbnZ2dnUVZ_hKdnZ2d@comcast.com. ..

Quote:

> would using an onscreen keyboard to type in passwords when on a wifi
> hotspot avoid capture by keylogging programs? reason i ask, i was just
> reading a Norton email about password security and they mentioned that one
> shouldn't log in to a bank site when on those hotspots due to possible key
> loggers.
>
> Dave

Steve Riley [MSFT] wrote:

Quote:

> Keyloggers run on individual machines, not on entire hotspots. The
> session between a workstation and the bank's web server is protected
> with SSL. So if someone were sniffing traffic from the hotspot, your
> password would be protected. However, if you were using some kiosk
> computer (rather than your own), then it is possible that keylogging
> software on that machine could intercept your password before it gets
> passed to the SSL encryption. I never worry about hotspots, because I
> always use only my own laptop. I do, though, worry a bit about kiosks.
>
> Onscreen keyboards really don't help here. Sure, they can thwart
> keyloggers, but what about screen recorders? What about rootkits or
> trojans (again, installed on a kiosk) that can hijack a session after
> login happens? Public machines simply present too many risks.
>

thanks for the info, Steve! very helpful!

Dave